IT Magazine for Channel Partners in India | SMEChannels

Palo Alto Networks’ Unit 42 Uncovers Previously Undocumented Chinese Threat Group “Phantom Taurus” 

SME Channels by SME Channels
October 15, 2025
in Cybersecurity, News

Group found targeting governments and telecoms across Asia, the Middle East, and Africa 

Palo Alto Networks’ threat intelligence and incident response team, Unit 42, has uncovered a previously undocumented Chinese threat group, which it has named “Phantom Taurus.” Active for more than two years, the group has conducted targeted operations against ministries of foreign affairs, embassies, telecommunications providers, and other government-linked entities across Asia, the Middle East, and Africa.

Unit 42’s research indicates that Phantom Taurus is a China-nexus threat actor focused on long-term intelligence collection, rather than short-term disruption or financial gain. The group’s operations appear to align with broader geopolitical objectives, emphasizing data theft from high-value government systems and critical communications networks. 

“Unit 42’s discovery of the Phantom Taurus threat group is a reminder of why ongoing investigation and open sharing of intelligence matter so much. When we understand how these actors operate, we can strengthen defenses before they strike; not scramble after the fact,” said Swapna Bapat, Vice President & Managing Director, India and SAARC, Palo Alto Networks. “Bringing threats like this into the open takes away their greatest advantage — invisibility — helping us strengthen our collective defense in the process.”

A New Generation of Stealth and Precision 

Unlike typical cyber-espionage groups that rely on widespread phishing or malware campaigns, Phantom Taurus operates with surgical precision. Recent activity shows a clear evolution: rather than broadly stealing email data, the group directly queries internal databases to extract only the most relevant intelligence — such as diplomatic communications or regional policy records. 

To enable this, Phantom Taurus deploys a custom-built toolkit called NET-STAR, which targets Microsoft Internet Information Services (IIS) web servers — software commonly used by government portals and enterprise websites. The toolkit features fileless backdoors that live entirely in system memory, allowing attackers to blend in with legitimate network traffic and evade most detection tools. 

In some cases, the attackers went a step further — remotely running a custom script on government database servers to search for documents and records referencing countries such as Afghanistan and Pakistan. Using a legitimate Windows administration tool to execute these searches, they demonstrated both technical sophistication and a clear intelligence focus on regional affairs. (See figure below.) 

In simple terms, the attackers have built a way to quietly live within government web infrastructure, issue targeted data-gathering commands, and disappear without leaving obvious forensic traces. 

What Makes This Discovery Significant 

  • Highly targeted espionage: The focus on foreign affairs, telecom, and defense networks indicates strategic intelligence objectives, not opportunistic cybercrime. 
  • Advanced concealment: NET-STAR’s memory-resident design, encrypted communications, and timestamp manipulation make it unusually hard to detect and investigate. 
  • Evolving tradecraft: The shift from email theft to database mining marks a new stage in espionage operations, showing intent to harvest curated, decision-level intelligence rather than bulk data. 
  • Infrastructure links: While Phantom Taurus shares some infrastructure traits with previously known Chinese espionage groups, its custom tooling and operational discipline mark it as a distinct new actor. 

Broader Implications 

The discovery of Phantom Taurus reinforces a critical pattern: state-aligned actors are refining their espionage playbooks for stealth, persistence, and specificity. Rather than targeting entire organizations, these campaigns increasingly pursue narrow, intelligence-rich data sets—diplomatic exchanges, policy drafts, or telecommunications metadata—often timed with geopolitical developments. 

Unit 42’s analysis of Phantom Taurus not only documents the group’s operations but also provides actionable intelligence—ranging from network indicators to behavioral detection models—to help defenders identify and disrupt similar campaigns in their own environments.  

Unit 42: Bringing together Threat Researchers 
Palo Alto Networks Unit 42 brings together world-renowned threat researchers, elite incident responders and expert security consultants to create an intelligence-driven, response-ready organization that’s passionate about helping you proactively manage cyber risk. Together, the team serves as advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster.  

Tags: Chinese Threat Group, Palo Alto Networks, Phantom Taurus, Unit 42
@2026 Powered By SMEChannels Theme By Accent Info Media
