Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite unit42.paloaltonetworks.com/phantom-t…
Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia.
Our observations show that Phantom Taurus' main focus areas include ministries of foreign affairs, embassies, geopolitical events and military operations. The group's primary objective is espionage. Its attacks demonstrate stealth, persistence and an ability to quickly adapt its tactics, techniques and procedures (TTPs).
What sets Phantom Taurus apart from other actors in the Chinese advanced persistent threat (APT) nexus is its distinctive set of TTPs. These enable the group to conduct highly covert operations and maintain long-term access to critical targets. This article sheds more light on the threat actor’s recently observed TTPs and reveals a previously undocumented custom tool in Phantom Taurus’ arsenal called NET-STAR.
After sustained observation and intelligence collection over the past year, we have accumulated sufficient evidence to promote this temporarily tracked activity cluster to a newly named threat actor. Our attribution and cluster maturation process is based on Unit 42's attribution framework. Figure 1 shows the process of promoting Phantom Taurus from a cluster of activity to a formally named threat actor.