Find notable cyber news and cases, enriched with sources, timelines, and signals.

Phantom Taurus Operation Diplomatic Specter espionage campaign

Campaign
First reported
Last updated
Happening score
H score 34
2 unique sources, 2 articles

Summary

Hide ▲

The Phantom Taurus campaign, also tracked as CL-STA-0043 and TGR-STA-0043 under Operation Diplomatic Specter, is a China-linked espionage operation targeting government agencies, embassies, military operations, and other organizations across Africa, the Middle East, and Asia. Palo Alto Networks Unit 42 says the group favors direct attacks on high-value systems over broad phishing, has targeted vulnerable IIS Web servers and SQL Server databases, and uses mssq.bat to run queries against compromised systems. The campaign also uses a custom .NET malware suite NET-STAR, including the fileless backdoor IIServerCore and AssemblyExecuter v2 with AMSI and ETW bypass, to support long-term espionage and data theft.

Related Happenings

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
H score37 First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

UAT-8302 government-targeting campaign across South America and southeastern Europe

Campaign
H score28 First: 05.05.2026 17:19 Last: 05.05.2026 17:19 Sources 1

About this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...

SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets

Campaign
H score39 First: 01.05.2026 17:02 Last: 01.05.2026 17:02 Sources 1

About this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...

Tropic Trooper trojanized SumatraPDF remote-access campaign

Campaign
H score34 First: 24.04.2026 12:29 Last: 24.04.2026 12:29 Sources 1

About this happening: **Tropic Trooper** is running an active **campaign** that uses a **trojanized SumatraPDF** lure to plant **AdaptixC2 Beacon** and later abuse **VS Code tunnels** for remote access...

LotusLite backdoor delivered via DLL sideloading

Malware Activity
H score22 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...

Latest development: 29.06.2026 18:03

Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

Timeline

  1. 30.09.2025 19:07 3 articles · 9mo ago

    Phantom Taurus campaign targets government and telecommunications organizations

    Campaign Scope Update

    Palo Alto Networks Unit 42 says Phantom Taurus, also tracked as CL-STA-0043 and TGR-STA-0043, has conducted espionage against government and telecommunications organizations across Africa, the Middle East, and Asia, with a focus on ministries of foreign affairs, embassies, defense-related intelligence, and military operations; the group has used custom NET-STAR malware against IIS web servers, shifted from email collection to SQL Server database targeting via WMI-executed scripts, and added IIServerCore, AssemblyExecuter V1, and AssemblyExecuter V2 with AMSI and ETW bypass.

    Show sources