Palo Alto Networks’ Unit 42 Uncovers Previously Undocumented Chinese Threat Group “Phantom Taurus”

Palo Alto Networks’ threat intelligence and incident response team, Unit 42, has uncovered a previously undocumented Chinese threat group, which it has designated “Phantom Taurus.” Active for more than two years, the group has conducted targeted operations against ministries of foreign affairs, embassies, telecommunications providers, and other government-linked entities across Asia, the Middle East, and Africa.

Unit 42’s research indicates that Phantom Taurus is a China-nexus threat actor focused on long-term intelligence collection, rather than short-term disruption or financial gain. The group’s operations appear to align with broader geopolitical objectives, emphasizing data theft from high-value government systems and critical communications networks.

“Unit 42’s discovery of the Phantom Taurus threat group is a reminder of why ongoing investigation and open sharing of intelligence matter so much. When we understand how these actors operate, we can strengthen defenses before they strike, not scramble after the fact,” said Swapna Bapat, Vice President & Managing Director, India and SAARC, Palo Alto Networks. “Bringing threats like this into the open takes away their greatest advantage — invisibility — helping us strengthen our collective defense in the process.”

A New Generation of Stealth and Precision

Unlike typical cyber-espionage groups that rely on widespread phishing or malware campaigns, Phantom Taurus operates with surgical precision. Recent activity shows a clear evolution: rather than broadly stealing email data, the group directly queries internal databases to extract only the most relevant intelligence — such as diplomatic communications or regional policy records.

To enable this, Phantom Taurus deploys a custom-built toolkit called NET-STAR, which targets Microsoft Internet Information Services (IIS) web servers — software commonly used by government portals and enterprise websites. The toolkit features fileless backdoors that live entirely in system memory, allowing attackers to blend in with legitimate network traffic and evade most detection tools.

In some cases, the attackers went a step further — remotely running a custom script on government database servers to search for documents and records referencing countries such as Afghanistan and Pakistan. Using a legitimate Windows administration tool to execute these searches, they demonstrated both technical sophistication and a clear intelligence focus on regional affairs. (See figure below.)
