Espionage hackers aligned with China are targeting foreign ministries, embassies and telcos across Africa, the Middle East, and Asia, researchers have found.

Palo Alto Networks' Unit 42 has been observing a previously undocumented nation-state hacking group that it dubbed Phantom Taurus, which targets government and telecommunications organizations with the goal of obtaining information connected to geopolitical events and military operations. The group has been operating for about two-and-a-half years.

Unit 42 said Phantom Taurus stood out because of the distinctive tactics used to conduct “highly covert operations and maintain long-term access to critical targets.” The company has been tracking the group’s activity since June 2023, observing a trail of attacks that allowed hackers to obtain sensitive, non-public information from multiple governments.

The hackers target technology providers to government entities, allowing them to pilfer diplomatic communications, defense-related intelligence and the operations of critical governmental ministries. Unit 42 found that the timing of cyberattacks launched by the group typically lined up with major global events or regional incidents. The researchers did not say which countries were targeted.

Phantom Taurus has been seen using operational infrastructure used by other known Chinese groups like APT27, Winnti, and Mustang Panda. But Phantom Taurus has separated itself from other Chinese espionage groups by using a new suite of malware and employing comparatively more evolved tactics, according to Unit 42.

They have deployed a mix of commonly used Chinese malware like China Chopper while also using new customized hacking tools the researchers named NET-STAR. The group has evolved in the last two years, moving from targeting emails held within servers to now stealing full databases of information.
Much of Unit 42’s report focuses on the new suite of malware designed to target Internet Information Services (IIS) web servers — software from Microsoft used for hosting material online. The NET-STAR malware “demonstrates Phantom Taurus’ advanced evasion techniques and a deep understanding of .NET architecture, representing a significant threat to internet-facing servers.”

The suite consists of three backdoors that each serve different roles in the attack chain, allowing the hackers to access databases, evade antivirus solutions, and more. One script used for stealing databases was deployed in attacks targeting information on Afghanistan and Pakistan.

Lauren Rucker, a cybersecurity expert at Deepwatch, said the NET-STAR tools are exceptionally difficult to detect because the malware “leaves no footprint for traditional antivirus to find and was designed to actively blind modern security solutions like [Endpoint Detection and Response] by disabling critical Windows security monitoring features.”

Chinese APT groups have long targeted foreign ministries and embassies in a variety of ways over the last decade. In addition to longstanding attacks on U.S. diplomats, Chinese groups have been accused of attacking governments and embassies in Sweden, France, the U.K., Ukraine, Hungary, Singapore, the Czech Republic, Japan, Lithuania, multiple Southeast Asian countries and several Pacific islands.

[Image: NET-STAR malware]
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.