
Phantom Taurus as a China-aligned espionage actor targeting government and telecoms

Threat Actor
Happening score: 36
2 unique sources, 2 articles

Summary


Phantom Taurus has been formally classified by Palo Alto Networks Unit 42 as a China-aligned espionage actor targeting government agencies, embassies, military operations, and telecommunications organizations across Africa, the Middle East, and Asia. Unit 42 has tracked the activity since June 2023, first under the temporary cluster name CL-STA-0043 and later as TGR-STA-0043, the group behind Operation Diplomatic Specter. Unit 42 says the actor favors direct attacks on high-value systems rather than broad phishing, with a mission centered on collecting sensitive, non-public information tied to Chinese economic and geopolitical interests. Its tradecraft includes the NET-STAR malware suite for IIS web servers, made up of the IIServerCore backdoor and AssemblyExecuter (v2 adds AMSI and ETW bypass), and the mssq.bat script, which uses previously obtained admin credentials to search SQL Server databases.

Related Happenings

SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets

Campaign
First: 01.05.2026 17:02 Last: 01.05.2026 17:02 Sources 1

About this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...

TA416 European government espionage campaign

Campaign
First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026. Its lures now link to archives hosted on Google Drive or on a compromised SharePoint instance, a refinement of its PlugX delivery chain aimed at collecting regional intelligence.

Iranian MOIS Telegram malware campaign targeting opposition groups

Campaign
First: 23.03.2026 11:45 Last: 23.03.2026 11:45 Sources 1

About this happening: The **FBI** warned that **Iranian MOIS-linked hackers** are using **Telegram C2** and **social engineering** to deliver **Windows malware** against journalists, dissidents, and ot...

OFAC sanctions DPRK IT worker scheme network

Regulatory/Legal Action
First: 18.03.2026 19:26 Last: 18.03.2026 19:26 Sources 1

About this happening: **OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....

UAC-0050 spear-phishing campaign targeting European financial institutions

Campaign
First: 24.02.2026 16:21 Last: 24.02.2026 16:21 Sources 1

About this happening: The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...

Timeline

  1. 30.09.2025 19:07 · 3 articles

    Phantom Taurus classification and tradecraft update

    Attribution Update

    Palo Alto Networks Unit 42 classifies Phantom Taurus as a China-aligned threat actor that targets government and telecommunications organizations across Africa, the Middle East, and Asia for espionage. The activity was first detailed as CL-STA-0043 in June 2023 and graduated to TGR-STA-0043 in May 2024, when Unit 42 reported sustained espionage against governmental entities since at least late 2022 under the name Operation Diplomatic Specter. The assessment links Phantom Taurus to intrusions at ministries of foreign affairs, embassies, defense-related intelligence bodies, and military operations. It describes the custom NET-STAR suite for Internet Information Services (IIS) web servers, consisting of IIServerCore, AssemblyExecuter V1, and AssemblyExecuter V2 (the latter adding AMSI and ETW bypass), alongside SQL Server database searches executed through WMI and timestomping via the changeLastModified command.

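The summary and the timeline entry above both list the same three behaviours: commands run inside the IIS worker process, a batch file (mssq.bat) launched through WMI that queries SQL Server with stolen credentials, and timestomping. The script below is an added detection sketch written for this page; it is not Unit 42's or Phantom Taurus's code. The event fields follow Sysmon Event ID 1 (ProcessCreate) and NTFS $STANDARD_INFORMATION / $FILE_NAME creation timestamps, the rule names, the sqlcmd-style flags and every sample record are constructed assumptions, and the timestomping test is a heuristic that will also fire on files copied with timestamps preserved.

```python
"""Detection sketch for the Phantom Taurus tradecraft described on this page.

Added illustration, not Unit 42 or Phantom Taurus code. Field names follow
Sysmon Event ID 1 and MFT $STANDARD_INFORMATION / $FILE_NAME timestamps;
all sample records below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}  # assumed client tools


@dataclass
class ProcEvent:  # subset of Sysmon Event ID 1 fields (assumed layout)
    parent_image: str
    image: str
    command_line: str


@dataclass
class FileTimes:  # creation timestamps from both MFT attributes
    path: str
    si_created: datetime  # $STANDARD_INFORMATION: what timestomping tools rewrite
    fn_created: datetime  # $FILE_NAME: kernel-maintained, rarely rewritten


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_process(e: ProcEvent) -> Optional[str]:
    parent, image, cl = _name(e.parent_image), _name(e.image), e.command_line
    # Rule 1: IIS worker process spawning an interpreter, consistent with
    # commands executed through an in-process IIS backdoor such as IIServerCore.
    if parent == "w3wp.exe" and image in SHELLS:
        return "iis_worker_spawned_shell"
    # Rule 2: WMI provider host launching a batch file, i.e. a .bat such as
    # mssq.bat started through remote WMI process creation.
    if parent == "wmiprvse.exe" and image == "cmd.exe" and ".bat" in cl.lower():
        return "wmi_launched_batch"
    # Rule 3: SQL client tool given inline credentials and exporting results.
    # sqlcmd's -U/-P flags are case sensitive, so match on the raw command line.
    if image in SQL_CLIENTS and re.search(r"\s-U\s", cl) and re.search(r"\s-P\s", cl) \
            and re.search(r"\.csv\b", cl, re.IGNORECASE):
        return "sql_client_inline_creds_export"
    return None


def timestomp_suspect(f: FileTimes) -> bool:
    """Heuristic: $SI created before $FN created does not occur through normal
    file operations, and a whole-second $SI value is typical of a timestamp set
    via SetFileTime from a coarse source. Expect false positives from files
    copied with their timestamps preserved (robocopy and similar)."""
    return f.si_created < f.fn_created or f.si_created.microsecond == 0


def run_detections(events: List[ProcEvent], files: List[FileTimes]) -> List[Tuple[str, str]]:
    hits: List[Tuple[str, str]] = []
    for e in events:
        rule = classify_process(e)
        if rule:
            hits.append((rule, e.command_line))
    for f in files:
        if timestomp_suspect(f):
            hits.append(("timestomp_suspect", f.path))
    return hits


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami /all"),
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\Temp\mssq.bat"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Tools\sqlcmd.exe",
              'sqlcmd -S db01 -U sa -P Passw0rd -Q "select * from Docs where Title like \'%keyword%\'" '
              r'-s "," -o C:\Windows\Temp\r.csv'),
    # ASP.NET compiling a page: w3wp.exe spawning csc.exe is normal and not flagged.
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              "csc.exe /noconfig /fullpaths @C:\\Temp\\x.cmdline"),
]
SAMPLE_FILES = [
    FileTimes(r"C:\inetpub\wwwroot\bin\App_Web_x.dll",
              si_created=datetime(2021, 3, 4, 0, 0, 0),
              fn_created=datetime(2025, 6, 1, 9, 12, 33, 412000)),
    FileTimes(r"C:\inetpub\wwwroot\web.config",
              si_created=datetime(2024, 1, 15, 8, 3, 2, 127000),
              fn_created=datetime(2024, 1, 15, 8, 3, 2, 127000)),
]

if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_EVENTS, SAMPLE_FILES):
        print(f"{rule}: {detail}")
```

The three process rules are independent on purpose: in a real deployment, correlate them by host and time window (a WMI-launched .bat followed within minutes by a sqlcmd export from the same host is a far stronger signal than any one rule alone), and pair the $SI/$FN check with a listing of the IIS web root so that the timestamp anomaly is evaluated only on files an IIS backdoor would plausibly have written.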