CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Phantom Taurus Targets Government and Telecommunications Organizations

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

Government and telecommunications organizations in Africa, the Middle East, and Asia have been targeted by a China-aligned nation-state actor known as Phantom Taurus over the past two-and-a-half years. The group focuses on espionage, targeting ministries of foreign affairs, embassies, geopolitical events, and military operations. Phantom Taurus employs custom-developed tools and techniques, including a bespoke malware suite named NET-STAR, to maintain long-term intelligence collection and obtain confidential data from targets of strategic interest to China. The group's activities coincide with major global events and regional security affairs, demonstrating stealth, persistence, and adaptability in their tactics, techniques, and procedures (TTPs). Phantom Taurus has been observed using a .NET malware suite named NET-STAR to breach IIS web servers, which operates almost entirely in memory and includes a fileless backdoor that establishes encrypted command-and-control (C2) sessions. The suite includes a backdoor named IIServerCore that accepts commands and encoded .NET payloads, enabling arbitrary code execution on compromised systems. The suite also includes two AssemblyExecuter loaders (v1 and v2) that allow dynamic loading of additional .NET malware, with v2 featuring advanced evasion techniques such as AMSI and ETW bypass. The group uses custom SQL queries to search for specific tables and keywords on compromised systems, exporting all matching results. Additionally, Phantom Taurus's operational methods are supported by other custom malware, including TunnelSpecter and SweetSpecter, which are used for email exfiltration.

Timeline

  1. 30.09.2025 19:07 2 articles · 7d ago

    Phantom Taurus Targets Government and Telecommunications Organizations

    Over the past two-and-a-half years, Phantom Taurus has targeted government and telecommunications organizations in Africa, the Middle East, and Asia. The group, which focuses on espionage, has employed custom-developed tools and techniques, including the NET-STAR malware suite, to maintain long-term intelligence collection. Their activities coincide with major global events and regional security affairs, demonstrating stealth, persistence, and adaptability in their tactics, techniques, and procedures (TTPs). The group uses a .NET malware suite named NET-STAR to breach IIS web servers, which operates almost entirely in memory and includes a fileless backdoor that establishes encrypted command-and-control (C2) sessions. The suite includes a backdoor named IIServerCore that accepts commands and encoded .NET payloads, enabling arbitrary code execution on compromised systems. The suite also includes two AssemblyExecuter loaders (v1 and v2) that allow dynamic loading of additional .NET malware, with v2 featuring advanced evasion techniques such as AMSI and ETW bypass. The group uses custom SQL queries to search for specific tables and keywords on compromised systems, exporting all matching results. Additionally, Phantom Taurus's operational methods are supported by other custom malware, including TunnelSpecter and SweetSpecter, which are used for email exfiltration.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Confucius Targets Pakistan with WooperStealer and Anondoor Malware

The threat actor Confucius has launched a new phishing campaign targeting Pakistan, deploying WooperStealer and Anondoor malware. The campaign has targeted government agencies, military organizations, defense contractors, and critical industries since at least December 2024. The attacks use spear-phishing and malicious documents to deliver malware that steals sensitive data and exfiltrates device information. Confucius has shifted from document-focused stealers to more advanced Python-based backdoors like Anondoor, which provides long-term persistence and command execution capabilities. The group employs DLL side-loading, obfuscated PowerShell scripts, scheduled tasks, and stealthy exfiltration routines to achieve persistence and evade detection. Anondoor is capable of full host profiling, collecting system details, geolocating public IPs, and inventoring disk volumes before receiving tasking from its command-and-control (C2) servers.

Open in new tab

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

GhostRedirector Campaign Targets Windows Servers with Rungan Backdoor and Gamshen IIS Module

The GhostRedirector threat cluster, also known as Operation Rewrite and CL-UNK-1037, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. The campaign, active since at least March 2025, targets various sectors and uses SEO fraud to manipulate search engine results, particularly to boost the rankings of gambling websites. The threat actor, believed to be China-aligned, employs BadIIS, a malicious native IIS module, to intercept and modify HTTP traffic, serving malicious content to site visitors. The campaign also deploys other tools for remote access, privilege escalation, and information gathering. The UAT-8099 group, similar to GhostRedirector, hijacks IIS servers to funnel mobile search engine traffic to spam advertisements and illegal gambling websites. The group targets servers in Brazil, Canada, India, Thailand, and Vietnam, using open-source web shells for initial access and privilege escalation. UAT-8099 installs the BadIIS module to intercept and manipulate HTTP traffic for SEO poisoning and malicious redirects. The attackers use BadIIS to serve SEO terms to search engine crawlers and redirect human visitors to scam websites. UAT-8099 deploys a Cobalt Strike backdoor to maintain persistent access and exfiltrate sensitive data. The group's activities are often undetected by the targeted organizations due to the stealthy nature of the attacks. Cisco Talos has detailed the full attack chain and additional findings relating to the UAT-8099 campaign, identifying several new BadIIS malware samples with altered code structures to evade detection. The group uses SoftEther VPN, EasyTier, and the FRP reverse proxy tool for persistence and deploys defense mechanisms to secure their foothold. The UAT-8099 group was first discovered in April 2025 and primarily targets mobile users, including both Android and Apple iPhone devices. The group uses the Everything tool to search for valuable data within compromised hosts. BadIIS operates in three modes: Proxy, Injector, and SEO fraud. BadIIS uses backlinking to boost website visibility and rankings.

Open in new tab

TA415 (APT41) Abuses Velociraptor Forensic Tool for C2 Tunneling via Visual Studio Code

Unknown threat actors, identified as TA415 (APT41), deployed the open-source Velociraptor forensic tool to download and execute Visual Studio Code, likely for command-and-control (C2) tunneling. The attack leveraged legitimate software and Windows utilities to minimize malware deployment and maintain a foothold in the target environment. The attackers used Cloudflare Workers domains for staging and additional payloads, and the incident highlights the evolving tactics of threat actors using legitimate tools for malicious purposes. The attack began with the use of the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain. Velociraptor was then used to establish contact with another Cloudflare Workers domain, facilitating the download and execution of Visual Studio Code with tunneling capabilities. This allowed for remote access and code execution, potentially leading to further malicious activities such as ransomware deployment. The phishing campaign targeted US government, think tank, and academic organizations involved in US-China relations, economic policy, and international trade. The attackers impersonated the US-China Business Council and John Moolenaar, Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party. The phishing messages contained links to password-protected archives hosted on cloud services, which included a shortcut (LNK) file and a hidden subfolder. Launching the LNK file executed a batch script that downloaded the VSCode Command Line Interface (CLI) from Microsoft’s servers, created a scheduled task for persistence, and established a VS Code remote tunnel authenticated via GitHub. The script also collected system information and the contents of various user directories, sending it to the attackers. The script sent a VS Code remote tunnel verification code, allowing the attackers to access the victim’s computer remotely and execute arbitrary commands. The incident underscores the importance of monitoring for unauthorized use of legitimate tools and implementing robust endpoint detection and response systems to mitigate such threats.

Open in new tab

UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks

UNC6384, a China-nexus threat actor, has been targeting diplomats in Southeast Asia and other entities globally to advance Beijing's strategic interests. The group employs a multi-stage attack chain leveraging advanced social engineering, valid code signing certificates, adversary-in-the-middle (AitM) attacks, and indirect execution techniques to evade detection. The campaign, detected in March 2025, uses captive portal redirections to deliver a PlugX variant called SOGU.SEC. The attacks involve redirecting web traffic through a captive portal to a threat actor-controlled website, downloading a digitally signed downloader (STATICPLUGIN), and deploying the SOGU.SEC backdoor in memory. The malware supports commands to exfiltrate files, log keystrokes, and launch remote command shells. The campaign highlights the sophistication of PRC-nexus threat actors and their evolving operational capabilities. The campaign targeted around two dozen victims, primarily Southeast Asian diplomats, between March and July 2025. The attack chain involved compromised edge devices intercepting captive portal checks and redirecting users to a malicious website. The malicious website used a valid TLS/SSL certificate issued by Let's Encrypt to avoid browser security warnings. The first-stage malware, STATICPLUGIN, dropped a launcher called CANONSTAGER, which used unconventional techniques to hide its activities. The final payload was a variant of the PlugX backdoor, tracked by Google as SOGU.SEC. In September 2025, new information revealed that the PlugX variant overlaps with RainyDay and Turian backdoors, targeting telecommunications and manufacturing sectors in Central and South Asia. The campaign is linked to Mustang Panda, which also uses Bookworm malware. Bookworm has been used since 2015 and includes capabilities to execute commands, upload/download files, exfiltrate data, and establish persistent access.

Open in new tab