2025-10-16

From CL-STA-0043 to Phantom Taurus: Multi-Year Hunt Reveals New PRC Cyber Playbook

Level: Tactical | Source: Unit 42 | Tags: Government, Telecommunications


Phantom Taurus is assessed by Unit 42 as a PRC-aligned espionage threat actor with sustained operations against high-value targets. As Unit 42 states, “Phantom Taurus is a Chinese APT group that conducts long-term intelligence collection operations against high-value targets to obtain sensitive, non-public information.” Unit 42 reports victimology “targeting government and telecommunications organizations across Africa, the Middle East, and Asia,” noting that campaigns often align with regional flashpoints and diplomatic milestones. Unit 42 further observed “that the group takes an interest in diplomatic communications, defense-related intelligence and the operations of critical governmental ministries. The timing and scope of the group’s operations frequently coincide with major global events and regional security affairs.” The actor’s tooling includes a newly documented .NET suite dubbed NET-STAR. The group’s lineage traces to an activity cluster Unit 42 first published in June 2023 as CL-STA-0043, provisionally elevated in May 2024 under the name Operation Diplomatic Specter, and now formally named Phantom Taurus after multi-year tracking gave Unit 42 the confidence to attribute the activity to a distinct group.

Unit 42’s infrastructure analysis places Phantom Taurus within a Chinese APT ecosystem, observing overlap with nodes previously used by APT27, Mustang Panda, and the Winnti Group, alongside uniquely controlled assets reserved for its own operations. Tradecraft evolved over time: in 2023, tasking prioritized email theft from on-premises servers, while by 2025 operators had pivoted to database collection at scale. A batch script named “mssq.bat” is executed remotely with “wmic” to authenticate to SQL servers (often as “sa”), run operator-supplied queries, and write results to CSV, enabling rapid, query-driven extraction without an interactive session. This hands-off approach fits the group’s long-dwell pattern: collection is pushed into scheduled or remotely invoked jobs while noisy tooling is kept to a minimum. Unit 42 attributes these shifts to a focus on durable persistent access and curated collection aligned to PRC intelligence requirements.

NET-STAR expands the intrusion footprint inside Internet Information Services, with components designed to live in memory under the IIS worker process “w3wp.exe.” The initial foothold is achieved by uploading an ASPX web shell (e.g., “OutlookEN.aspx”) that unpacks and reflectively loads the backdoor; to reduce artifact visibility, Unit 42 notes the actor timestomped the ASPX to match an older server file and altered the compilation timestamps of the binaries. The core module, “IIServerCore,” establishes an encrypted session, accepts STAR-delimited commands, and performs in-memory execution of payloads, including filesystem operations, SQL tasking, web-shell management, and “changeLastModified” for on-host timestomping. Two companion loaders, “AssemblyExecuter” V1 and V2, extend this model: V1 focuses on “Assembly.Load()” execution of arbitrary .NET assemblies with arguments, while V2 adds Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) bypass routines that can be toggled by parameters. Together, these components support fileless command execution, encrypted C2, and modular tasking that keeps artifacts transient and reduces reliance on disk-resident tools, according to Unit 42.
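The timestomping described above leaves NTFS and PE-header inconsistencies a responder can hunt for. The Python sketch below is an added example, not code from Unit 42 or Anvilogic: it checks $STANDARD_INFORMATION against $FILE_NAME creation times, flags second-granularity timestamps copied from a neighbouring file, compares an ASPX inventory against a deployment baseline, and reads the COFF compile timestamp out of a PE header. Every file record, path, the allowlist and the PE bytes are constructed for the example; only the “OutlookEN.aspx” name comes from the report, placed here in an invented directory, and “loader_sample.dll” is a hypothetical name.

```python
"""Hunting sketch for timestomped IIS web artifacts and altered PE compile times.

Added example, not Unit 42 or Anvilogic code. All file records, paths,
the deployment allowlist and the PE bytes are constructed; only the
"OutlookEN.aspx" name is taken from the report, placed in an invented path.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass
class FileRecord:
    path: str
    created: datetime     # $STANDARD_INFORMATION creation time (what timestomp tools usually set)
    modified: datetime    # $STANDARD_INFORMATION last-write time
    fn_created: datetime  # $FILE_NAME creation time from an MFT parse, rarely touched


def timestomp_indicators(rec: FileRecord) -> list:
    """Classic NTFS inconsistencies that point at altered $SI timestamps."""
    hits = []
    if rec.modified < rec.created:
        hits.append("modified_before_created")
    if rec.created != rec.fn_created:
        hits.append("si_fn_creation_mismatch")
    if (rec.created.microsecond == 0 and rec.modified.microsecond == 0
            and rec.fn_created.microsecond != 0):
        hits.append("zeroed_subsecond_precision")   # times copied at second granularity
    return hits


# Assumed deployment baseline: the ASPX pages the application is known to ship.
KNOWN_ASPX = {r"c:\inetpub\wwwroot\app\default.aspx"}


def webshell_candidates(records, known=KNOWN_ASPX):
    """ASPX files that are timestomped or absent from the deployment baseline."""
    out = []
    for rec in records:
        if not rec.path.lower().endswith(".aspx"):
            continue
        hits = timestomp_indicators(rec)
        if rec.path.lower() not in known:
            hits.append("not_in_deployment_baseline")
        if hits:
            out.append((rec.path, hits))
    return out


def pe_timestamp(blob: bytes) -> datetime:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    ts = struct.unpack_from("<I", blob, e_lfanew + 8)[0]   # Machine(2) NumberOfSections(2) then stamp
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_fake_pe(compile_time: datetime) -> bytes:
    """Construct just enough of a PE header for the example (not a loadable image)."""
    hdr = bytearray(0x80 + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> NT headers
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x84, 0x14C, 3, int(compile_time.timestamp()))
    return bytes(hdr)


def assembly_indicators(rec: FileRecord, blob: bytes) -> list:
    """MFT checks plus the PE compile time: a compile time later than the file's
    $FN creation is impossible and flags header tampering. A backdated compile
    time alone looks consistent, so the $SI/$FN comparison does the real work."""
    hits = timestomp_indicators(rec)
    if pe_timestamp(blob) > rec.fn_created:
        hits.append("compile_after_fn_creation")
    return hits


SAMPLE_FILES = [  # constructed records
    FileRecord(r"C:\inetpub\wwwroot\app\Default.aspx",
               utc("2023-04-02T10:15:30.123456"), utc("2023-04-02T10:15:30.123456"),
               utc("2023-04-02T10:15:30.123456")),
    FileRecord(r"C:\inetpub\wwwroot\app\OutlookEN.aspx",   # $SI copied from the neighbour above
               utc("2023-04-02T10:15:30"), utc("2023-04-02T10:15:30"),
               utc("2025-08-14T01:22:11.553201")),
]
SAMPLE_DLL = FileRecord(r"C:\inetpub\wwwroot\app\bin\loader_sample.dll",  # hypothetical name
                        utc("2019-01-01T00:00:00"), utc("2019-01-01T00:00:00"),
                        utc("2025-08-14T01:22:11.553201"))
SAMPLE_DLL_BLOB = build_fake_pe(utc("2019-01-01T00:00:00"))  # backdated compile time


if __name__ == "__main__":
    for path, hits in webshell_candidates(SAMPLE_FILES):
        print(path, hits)
    print(SAMPLE_DLL.path, assembly_indicators(SAMPLE_DLL, SAMPLE_DLL_BLOB))
```

In practice the $FILE_NAME times come from an MFT parse rather than from normal file APIs, which only expose $STANDARD_INFORMATION; that is exactly why the comparison works against tooling that rewrites the visible timestamps.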

Beyond server-side execution, Unit 42 ties Phantom Taurus to discovery and lateral movement patterns consistent with its collection aims and shared ecosystem tradecraft. The group mixes bespoke assets with common operator frameworks; telemetry revealed Impacket-style interactions for remote command execution, while lateral spread leverages web shells, authenticated service abuse, and scheduled invocations rather than noisy exploit chains. When databases are the objective, “mssq.bat” is launched with “wmic” against targeted instances, the query is fed on the command line, and output is exported to “.csv” for exfiltration. Persistence is maintained through IIS-resident components and timestomped web artifacts, with “IIServerCore” keeping follow-on code entirely in memory inside “w3wp.exe.” Unit 42’s assessment is that these choices reflect a program focused on durable access, curated exfiltration of diplomatic and defense-related data, and operational compartmentalization within infrastructure sometimes co-located with APT27, Mustang Panda, and Winnti, yet distinct enough to support the actor’s formal elevation to Phantom Taurus.
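The “wmic” launch of “mssq.bat” and the resulting CSV export, described in the two paragraphs above, form a short process chain that is visible in ordinary process-creation telemetry. The Python sketch below is an added example, not code from Unit 42 or Anvilogic: it scores constructed Sysmon-style events against a few indicators (remote WMI process creation, a WmiPrvSE-spawned shell running a batch file, an SQL client authenticating as “sa” and writing a .csv) and then correlates them per host within a short window. The field names, host names, file paths and command-line shapes are assumptions chosen to resemble the reported pattern, not telemetry from the report.

```python
"""Detection sketch for remote WMI-launched batch SQL collection.

Added example, not code from Unit 42 or Anvilogic. The events are
constructed Sysmon-style process-creation records; field names, hosts,
paths and command-line shapes are assumptions, not report telemetry.
"""
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ProcEvent:
    ts: str            # ISO-8601 UTC
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


SQLCMD = r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE"

# Constructed sample telemetry: one suspicious chain plus two benign events.
SAMPLE_EVENTS = [
    ProcEvent("2025-10-16T03:12:07Z", "ws-admin-07", r"CORP\jdoe",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic /node:"db-srv-01" process call create "cmd.exe /c C:\Windows\Temp\mssq.bat"'),
    ProcEvent("2025-10-16T03:12:08Z", "db-srv-01", r"NT AUTHORITY\SYSTEM",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Windows\Temp\mssq.bat"),
    ProcEvent("2025-10-16T03:12:09Z", "db-srv-01", r"NT AUTHORITY\SYSTEM",
              r"C:\Windows\System32\cmd.exe", SQLCMD,
              r'sqlcmd -S db-srv-01 -U sa -P ******** -Q "SELECT name FROM sys.databases" -s "," -o C:\Windows\Temp\out.csv'),
    # Benign: nightly job using integrated authentication, no CSV export.
    ProcEvent("2025-10-16T02:00:00Z", "db-srv-01", r"CORP\svc-backup",
              r"C:\Windows\System32\svchost.exe", SQLCMD,
              r"sqlcmd -S db-srv-01 -E -i C:\Jobs\nightly_backup.sql"),
    # Benign: help-desk inventory query over WMI, no process creation.
    ProcEvent("2025-10-16T03:15:44Z", "ws-helpdesk-02", r"CORP\hdesk",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              r"wmic /node:ws-12 os get caption"),
]

WMIC_REMOTE_CREATE = re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.I)
BATCH_ARG = re.compile(r"\.bat\b", re.I)
SQL_CLIENT = re.compile(r"\b(sqlcmd|osql)\b", re.I)
SA_LOGIN = re.compile(r"-U\s+sa\b", re.I)
CSV_OUT = re.compile(r"-o\s+\S+\.csv\b", re.I)


def score_event(ev: ProcEvent) -> list:
    """Return the names of every indicator the event matches."""
    hits = []
    img, parent, cl = ev.image.lower(), ev.parent_image.lower(), ev.cmdline
    if img.endswith("wmic.exe") and WMIC_REMOTE_CREATE.search(cl):
        hits.append("wmic_remote_process_create")
        if BATCH_ARG.search(cl):
            hits.append("remote_batch_launch")
    if parent.endswith("wmiprvse.exe"):          # the WMI provider host is the parent on the target
        if img.endswith(("cmd.exe", "powershell.exe")):
            hits.append("wmi_spawned_shell")
        if BATCH_ARG.search(cl):
            hits.append("wmi_spawned_batch")
    if img.endswith(("sqlcmd.exe", "osql.exe")) or SQL_CLIENT.search(cl):
        if SA_LOGIN.search(cl):
            hits.append("sql_sa_login")
        if CSV_OUT.search(cl):
            hits.append("sql_csv_export")
    return hits


def detect(events, min_hits=2):
    """Single-event alerts: anything matching at least min_hits indicators."""
    return [(ev.host, ev.ts, ev.image, score_event(ev))
            for ev in events if len(score_event(ev)) >= min_hits]


def correlate(events, window_s=60):
    """Hosts where a WMI-spawned batch file is followed within window_s by a CSV export."""
    by_host = {}
    for ev in events:
        t = datetime.fromisoformat(ev.ts.replace("Z", "+00:00"))
        by_host.setdefault(ev.host, []).append((t, set(score_event(ev))))
    flagged = []
    for host, seq in by_host.items():
        launches = [t for t, h in seq if "wmi_spawned_batch" in h]
        exports = [t for t, h in seq if "sql_csv_export" in h]
        if any(0 <= (e - l).total_seconds() <= window_s for l in launches for e in exports):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print("chained collection on:", correlate(SAMPLE_EVENTS))
```

The benign backup job shares the SQL client binary but uses integrated authentication and no CSV output, so it scores nothing; requiring two indicators per event, and a launch-to-export chain per host, is what keeps routine WMI and sqlcmd use out of the alert queue.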
