Researchers from Palo Alto’s Unit 42 say a suspected group of Chinese actors infiltrated email servers used by foreign ministries. The attackers accessed Microsoft Exchange systems and combed through messages related to diplomatic activities.
The threat, dubbed “Phantom Taurus,” targets governments and telecoms across Africa, the Middle East, and Asia. Its operations align closely with China’s strategic interests.
The group started as a faint pattern in telemetry, labeled CL-STA-0043. By 2024, it became a temporary group, TGR-STA-0043, or Operation Diplomatic Specter. After extended observation, Unit 42 concluded it is a distinct threat actor: Phantom Taurus.
Its focus is precise: embassies, ministries, defense operations, and communications networks. Timing often coincides with major geopolitical events, and the pattern is deliberate.
What sets Phantom Taurus apart isn’t just patience or stealth. It’s the tools. Unit 42’s research shows the group blends familiar malware with custom creations. The newest is NET-STAR, a .NET suite that runs in memory, is hard to detect, and is built for long-term access and control.
The methods evolve. Where it once targeted emails, it now reaches directly into databases. Scripts like mssq.bat allow it to extract specific intelligence quietly and efficiently.
Beyond Traditional Email Harvesting
Lauren Rucker, Senior Cyber Threat Intelligence Analyst at Deepwatch, says Phantom Taurus’ latest activity moves beyond traditional email harvesting to directly targeting and exfiltrating high-value data from corporate SQL databases.
“Their new methodology is exceptionally difficult to detect as it relies on a custom, fileless malware suite called NET-STAR, which operates entirely within the memory of IIS web servers. This malware leaves no footprint for traditional antivirus to find and was designed to actively blind modern security solutions like EDR by disabling critical Windows security monitoring features (AMSI and ETW).”
By combining in-memory malware with “living-off-the-land” techniques (abusing legitimate tools like WMI for internal movement), Rucker says threat actors can conduct espionage operations with long dwell times.
“A reactive, alert-based security posture is no longer sufficient against threat actors like these, with organizations needing to assume they are already compromised and shift toward proactive detection as well as rapid response to manage advanced threats.”
She advises organizations to adopt a multi-layered, proactive defense to counter this threat. By adopting zero trust policies and investing in proactive hunting with emphasis on visibility into system logs, organizations can harden their attack surface.
For this specific campaign, Rucker says the following steps can be taken:
- Minimize IIS server footprint by removing unused modules, run web applications with unique, low-privileged accounts, and maintain rigorous patch management.
- Prohibit the use of shared administrative accounts (e.g., sa) for applications. Restrict database access to only authorized application servers via strict firewall rules and monitor for unusual query volumes or data exports.
- Use host-based firewalls to block remote WMI and PowerShell access from web servers to internal systems where possible.
- Enable enhanced logging for PowerShell (Script Block Logging) and WMI activity, forwarding these logs to a SIEM for analysis.
- Actively search for anomalous process chains, such as cmd.exe being spawned by the WMI provider host (WmiPrvSE.exe), which is a key indicator of WMI-based lateral movement.
- Create behavior-based rules to alert on suspicious WMI usage and use YARA rules to find artifacts of fileless malware.
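The process-chain hunt in the bullets above, as an added example that is not Unit 42’s, Deepwatch’s, or Rucker’s code: it parses constructed Sysmon-style JSON process-creation records and flags shells spawned by WmiPrvSE.exe, generalised to also cover w3wp.exe (the IIS worker process, an added assumption since NET-STAR runs inside IIS).

```python
# Added example (not Unit 42's or Deepwatch's code): flag the WmiPrvSE.exe -> cmd.exe
# chain from the text, generalised to a small table of parents that should rarely
# spawn shells. Input is assumed to be Sysmon Event ID 1 records exported as JSON
# lines with Image / ParentImage / CommandLine / Computer fields.
import json
from pathlib import PureWindowsPath

# WmiPrvSE.exe is the WMI provider host named in the text. w3wp.exe (the IIS worker
# process) is an added assumption: NET-STAR runs inside IIS, so a shell under it is
# the same kind of anomaly.
RISKY_PARENTS = {
    "wmiprvse.exe": "possible WMI-based lateral movement",
    "w3wp.exe": "possible in-memory IIS implant / web shell",
}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def parse_log(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list[dict]) -> list[dict]:
    """Return one alert per event whose parent is risky and whose child is a shell."""
    alerts = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in RISKY_PARENTS and child in SHELL_CHILDREN:
            alerts.append({"host": ev.get("Computer"), "parent": parent, "child": child,
                           "cmdline": ev.get("CommandLine", ""), "reason": RISKY_PARENTS[parent]})
    return alerts


# Constructed sample records, not real telemetry.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"Computer": "mail01", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c hostname"},
    {"Computer": "mail01", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Computer": "web02", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
])

if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a['host']}] {a['parent']} -> {a['child']}: {a['reason']} ({a['cmdline']})")
```

The same parent/child table can be expressed as a SIEM rule; a second, benign svchost.exe record is included so the filter is seen to skip normal service activity.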
Identifying Adversary Tactics
Louis Eichenbaum, Federal CTO at ColorTokens, adds that cybersecurity organizations must leverage threat intelligence to rapidly identify adversary tactics and translate them into actionable indicators of compromise.
“This enables faster response times and more effective defense. At the same time, it underscores the importance of advanced threat hunting capabilities to proactively locate adversaries within networks before they can cause significant harm.”
Eichenbaum says given the speed and sophistication of modern attacks, automation and AI must play a central role. “Human analysts alone cannot process the volume and complexity of threats facing today’s enterprises. A common adversary tactic is to compromise an easy target, often an end user’s laptop, and then wait patiently for the right opportunity to move laterally and gain access to critical assets. This highlights the need for building resilience into networks from the ground up, starting with strong cyber hygiene practices.”
Implementing effective endpoint detection and response (EDR) solutions and closing unnecessary ports on endpoints is key, he explains. “While capturing and analyzing the right logging data will drive informed decisions. And most importantly, deploying a robust microsegmentation strategy where you are placing security controls as close as possible to critical assets will greatly reduce the risk of lateral movement.”
A Tradeoff in Taking Action
The abuse and intelligence apparatus operates with a slightly different set of operating priorities to that of the standard detection and response teams operating in the security operations center, says Trey Ford, Chief Strategy and Trust Officer at Bugcrowd. “The default posture for defenders finding any miscreant activity is to immediately contain and eradicate, whereas the abuse and intelligence groups will make a trade-off in taking action – determining whether to, if, and when, to take actions the malicious actor can detect.”
Ford says observing and monitoring the malicious actors better informs what they’re after, the tools, techniques, and procedures being used by those actors, and to evaluate if there are upstream opportunities to disrupt these networks. “There are also additional outside parties, such as law enforcement and government intel groups, that may ask for partnership in monitoring those actors to continue for a period of time.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.