Phantom Taurus Operation Diplomatic Specter espionage campaign

Campaign
Happening score (H score): 36
2 unique sources, 2 articles

Summary

The Phantom Taurus campaign, also tracked as CL-STA-0043 and TGR-STA-0043 under Operation Diplomatic Specter, is a China-linked espionage operation targeting government agencies, embassies, military operations, and other organizations across Africa, the Middle East, and Asia. Palo Alto Networks Unit 42 says the group favors direct attacks on high-value systems over broad phishing, has targeted vulnerable IIS web servers and SQL Server databases, and uses mssq.bat to run queries against compromised systems. The campaign also uses a custom .NET malware suite, NET-STAR, which includes the fileless backdoor IIServerCore and AssemblyExecuter V2 with AMSI and ETW bypass, to support long-term espionage and data theft.

Related Happenings

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

UAT-8302 government-targeting campaign across South America and southeastern Europe

Campaign
First: 05.05.2026 17:19 Last: 05.05.2026 17:19 Sources 1

About this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...

SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets

Campaign
First: 01.05.2026 17:02 Last: 01.05.2026 17:02 Sources 1

About this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...

Tropic Trooper trojanized SumatraPDF remote-access campaign

Campaign
First: 24.04.2026 12:29 Last: 24.04.2026 12:29 Sources 1

About this happening: **Tropic Trooper** is running an active **campaign** that uses a **trojanized SumatraPDF** lure to plant **AdaptixC2 Beacon** and later abuse **VS Code tunnels** for remote access...

Storm-1175 high-tempo Medusa ransomware campaign

Campaign
First: 07.04.2026 13:02 Last: 07.04.2026 13:02 Sources 1

About this happening: **Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...

Timeline

  1. 30.09.2025 19:07 3 articles · 7mo ago

    Phantom Taurus campaign targets government and telecommunications organizations

    Campaign Scope Update

    Palo Alto Networks Unit 42 says Phantom Taurus, also tracked as CL-STA-0043 and TGR-STA-0043, has conducted espionage against government and telecommunications organizations across Africa, the Middle East, and Asia, with a focus on ministries of foreign affairs, embassies, defense-related intelligence, and military operations. According to Unit 42, the group has used custom NET-STAR malware against IIS web servers, shifted from email collection to SQL Server database targeting via WMI-executed scripts, and added IIServerCore, AssemblyExecuter V1, and AssemblyExecuter V2 with AMSI and ETW bypass.