New Chinese APT 'Phantom Taurus' Targets Global Geopolitical Intel with 'NET-STAR' Malware
China-Aligned 'Phantom Taurus' APT Group Linked to Long-Term Espionage Campaigns Against Government and Telecom Sectors
Related Entities
Threat Actors
Organizations
Products & Tech
Other
Full Report
Executive Summary
Security researchers have identified a new, highly sophisticated cyber-espionage group, Phantom Taurus, assessed to be aligned with the People's Republic of China (PRC). The group has been operational for at least two and a half years, engaging in long-term, stealthy campaigns aimed at intelligence collection. Its targets are primarily government ministries, military entities, and telecommunications providers in regions of strategic interest to China, including Africa, the Middle East, and Asia. Phantom Taurus employs a custom, previously undocumented malware suite named NET-STAR, which is specifically designed to compromise and persist on Microsoft Internet Information Services (IIS) web servers. The group's focus on long-term access, custom tooling, and strategic targeting distinguishes it as a significant and persistent threat, even though some of its infrastructure overlaps with other known Chinese APTs like APT27, Winnti, and Mustang Panda.
Threat Overview
Phantom Taurus is not a financially motivated group; its primary objective is cyber-espionage. The group's targeting profile and operational tempo closely mirror the PRC's geopolitical and economic objectives, with campaigns often coinciding with major international events. The group is characterized by its patience and focus on maintaining persistent, low-and-slow access to high-value networks.
Tactical Evolution
- Early Operations: Focused on targeted email theft from compromised servers.
- Recent Operations (since early 2025): Shifted tactics to directly targeting and exfiltrating data from databases, indicating a move towards more valuable, structured data.
NET-STAR Malware Suite
The group's primary tool is the NET-STAR malware, a modular framework for IIS servers. It provides capabilities for:
- Persistence: Installs as a malicious IIS module to ensure it survives reboots.
- Evasion: Includes functions to disable security monitoring and logging features on the host.
- Reconnaissance: Gathers information about the compromised system and network.
- Data Exfiltration: Provides a covert channel to exfiltrate stolen data.
Technical Analysis
The attack chain typically begins with the exploitation of vulnerabilities in public-facing web servers, particularly Microsoft IIS.
MITRE ATT&CK TTPs
T1190 - Exploit Public-Facing Application: The likely initial access vector, targeting vulnerabilities in IIS servers to deploy the NET-STAR malware.T1505.003 - Server Software Component: Web Shell: The NET-STAR malware functions as a persistent backdoor, similar to a sophisticated web shell or malicious IIS module.T1136.002 - Create Account: Domain Account: APTs often create new accounts to maintain persistence within a network.T1021.002 - Remote Services: SMB/Windows Admin Shares: Used for lateral movement after gaining an initial foothold.T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage: A common method for exfiltrating large volumes of data covertly.T1562.001 - Impair Defenses: Disable or Modify Tools: A known capability of the NET-STAR malware is to disable security monitoring.
Impact Assessment
The activities of Phantom Taurus pose a significant national security risk to the targeted countries. By stealing sensitive government, military, and telecommunications data, the group provides the PRC with strategic advantages in diplomatic negotiations, economic planning, and intelligence operations. The compromise of telecommunications providers is particularly damaging, as it can enable widespread surveillance. For private companies in these sectors, the theft of intellectual property and sensitive business data can result in substantial economic loss.
Cyber Observables for Detection
| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| process_name | w3wp.exe |
The IIS worker process. Monitor for this process spawning anomalous child processes (e.g., cmd.exe, powershell.exe) or making outbound connections to untrusted IPs. |
EDR, Sysmon Event ID 1 | high |
| file_path | C:\Windows\System32\inetsrv\ |
The default directory for IIS components. Monitor for new or modified DLLs in this directory, which could be the NET-STAR module. | File Integrity Monitoring (FIM) | high |
| log_source | IIS Logs |
Look for suspicious requests to the server that may indicate exploitation or C2 communication. Also, check for gaps in logging, which may indicate tampering. | SIEM, Log Analysis | medium |
| event_id | 5156 |
Windows Filtering Platform event ID that logs network connections. Monitor for w3wp.exe making connections to suspicious external IP addresses. |
Windows Security Event Log | medium |
Detection & Response
- IIS Hardening & Monitoring: Scrutinize IIS configurations. Use the
appcmd.exe list modulescommand to inspect for any non-standard or suspicious IIS modules. This is a form of D3FEND's Application Configuration Hardening. - Process Analysis: Implement D3FEND's Process Analysis (D3-PA) by baselining the normal behavior of the
w3wp.exeprocess and alerting on any deviations. - Network Traffic Analysis: Use D3FEND's Network Traffic Analysis (D3-NTA) to monitor all outbound traffic from IIS servers. Block and alert on any connections to known malicious infrastructure or destinations in China that are not expected.
Mitigation
- Patch Management: Keep all internet-facing systems, especially web servers like IIS, fully patched to prevent initial exploitation. This is D3FEND's Software Update (D3-SU).
- Network Segmentation: Isolate web servers in a DMZ, separate from the internal corporate network, to prevent lateral movement.
- Least Privilege: Ensure the service account running the IIS application pool has the minimum necessary permissions to function, limiting the attacker's capabilities post-compromise.
- Egress Filtering: Strictly control and monitor outbound network traffic from servers, allowing connections only to known-good destinations.
Timeline of Events
MITRE ATT&CK Mitigations
Update Software
Keep IIS and the underlying Windows Server operating system fully patched to prevent initial compromise via known vulnerabilities.
Mapped D3FEND Techniques:
Run IIS application pools with low-privilege service accounts to limit the damage an attacker can do post-compromise.
Mapped D3FEND Techniques:
Filter Network Traffic
Implement strict egress filtering to block outbound connections from web servers to any destination not explicitly required for operation.
Mapped D3FEND Techniques:
D3FEND Defensive Countermeasures
To defend against threats like Phantom Taurus that target IIS, rigorous application hardening is paramount. This involves more than just patching. Security teams must conduct a thorough review of the IIS configuration to disable unused modules, remove default bindings, and configure request filtering to block known malicious patterns. A critical step is to regularly audit the loaded IIS modules (appcmd.exe list modules) against a known-good baseline to spot malicious additions like the NET-STAR malware. Furthermore, the IIS service account should be a low-privilege virtual account, not a domain user, to strictly limit its access to the file system and network resources, containing any potential breach.
A key element of the Phantom Taurus attack is long-term persistence and data exfiltration. Strict outbound traffic filtering (egress filtering) from the IIS server can break this chain. The server's firewall rules should be configured to deny all outbound connections by default. An explicit allowlist should then be created for only the essential connections the server needs to make (e.g., to a specific database server on a specific port, to a patch management server). This would prevent the NET-STAR malware from establishing a C2 channel or exfiltrating data to an arbitrary external IP address, effectively neutralizing the implant even if the initial compromise succeeds.
Detecting a sophisticated backdoor like NET-STAR requires deep process analysis on the IIS server. An EDR solution should be deployed to monitor the behavior of the w3wp.exe (IIS worker) process. A baseline of normal activity should be established. Alerts should be configured for any deviation, such as w3wp.exe spawning child processes like cmd.exe or powershell.exe, attempting to access sensitive files outside of the web root (e.g., SAM hive, LSASS memory), or making network connections to unusual IP addresses. This behavioral approach is critical for detecting in-memory threats and malicious modules that may not have a file-based signature.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats