Palo Alto Networks’ threat intelligence and incident response team, Unit 42, has uncovered a previously undocumented Chinese threat group, now tracked as “Phantom Taurus.” Active for more than two years, the group has conducted targeted operations against ministries of foreign affairs, embassies, telecommunications providers, and other government-linked entities across Asia, the Middle East, and Africa.
Unit 42’s research indicates that Phantom Taurus is a China-nexus threat actor focused on long-term intelligence collection, rather than short-term disruption or financial gain. The group’s operations appear to align with broader geopolitical objectives, emphasizing data theft from high-value government systems and critical communications networks.
“Unit 42’s discovery of the Phantom Taurus threat group is a reminder of why ongoing investigation and open sharing of intelligence matter so much. When we understand how these actors operate, we can strengthen defenses before they strike; not scramble after the fact,” said Swapna Bapat, Vice President & Managing Director, India and SAARC, Palo Alto Networks. “Bringing threats like this into the open takes away their greatest advantage — invisibility — helping us strengthen our collective defense in the process.”
A New Generation of Stealth and Precision
Unlike typical cyber-espionage groups that rely on widespread phishing or malware campaigns, Phantom Taurus operates with surgical precision. Recent activity shows a clear evolution: rather than broadly stealing email data, the group directly queries internal databases to extract only the most relevant intelligence — such as diplomatic communications or regional policy records.
To enable this, Phantom Taurus deploys a custom-built toolkit called NET-STAR, which targets Microsoft Internet Information Services (IIS) web servers — software commonly used by government portals and enterprise websites. The toolkit features fileless backdoors that live entirely in system memory, allowing attackers to blend in with legitimate network traffic and evade most detection tools.
In some cases, the attackers went a step further — remotely running a custom script on government database servers to search for documents and records referencing countries such as Afghanistan and Pakistan. Using a legitimate Windows administration tool to execute these searches, they demonstrated both technical sophistication and a clear intelligence focus on regional affairs. (See figure below.)
In simple terms, the attackers have built a way to quietly live within government web infrastructure, issue targeted data-gathering commands, and disappear without leaving obvious forensic traces.
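The passage above describes a backdoor that lives inside the IIS worker process and issues data-gathering commands through legitimate Windows administration tools. One defensive check that follows from that description is to watch process-creation telemetry for the IIS worker (w3wp.exe) spawning shells, script hosts or admin utilities, which it almost never does in normal operation. The script below is an added example written for this article, not code from Unit 42 or Palo Alto Networks. It assumes process-creation events with ParentImage/Image/CommandLine/User fields (the Sysmon Event ID 1 naming is borrowed as a convention), and it assumes the backdoor runs its commands as child processes of w3wp.exe; a fully in-memory implant that never spawns a process would not produce this signal, so this rule complements rather than replaces memory inspection of the IIS worker. All sample events are constructed.

```python
"""Flag suspicious child processes of the IIS worker process in process-creation logs.

Added example for defenders (not the tooling described in the article). Field names
loosely follow Sysmon Event ID 1; adapt parse_event() to your own log source.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    'ParentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe" Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c whoami" User="IIS APPPOOL\\DefaultAppPool"',
    'ParentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe" '
    'Image="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe" '
    'CommandLine="csc.exe /noconfig /fullpaths" User="IIS APPPOOL\\DefaultAppPool"',
    'ParentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe" Image="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'CommandLine="WMIC.exe computersystem get name" User="IIS APPPOOL\\DefaultAppPool"',
    'ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe" User="CORP\\alice"',
    'ParentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe" Image="C:\\Temp\\updater.exe" '
    'CommandLine="updater.exe" User="IIS APPPOOL\\DefaultAppPool"',
]

IIS_WORKER = "w3wp.exe"

# Shells, script hosts and admin utilities an IIS application pool has no business launching.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "wmic.exe", "certutil.exe", "rundll32.exe",
}

# Children w3wp.exe legitimately spawns (ASP.NET dynamic compilation, console host).
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse key="value" pairs from one event line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_event(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious w3wp.exe child, or None if benign."""
    if basename(event.get("ParentImage", "")) != IIS_WORKER:
        return None
    child = basename(event.get("Image", ""))
    if child in EXPECTED_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "")
    if child in INTERPRETERS:
        return ("high", f"IIS worker spawned shell/admin tool {child}: {cmdline}")
    # Anything else is still unusual for an app pool and worth a lower-priority look.
    return ("medium", f"IIS worker spawned unexpected child {child}: {cmdline}")


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run assess_event over raw log lines and collect findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = assess_event(event)
        if verdict is not None:
            findings.append({
                "severity": verdict[0],
                "child": basename(event.get("Image", "")),
                "user": event.get("User", ""),
                "reason": verdict[1],
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity'].upper()}] {finding['user']}: {finding['reason']}")
```

Run against the constructed sample, the rule ignores the compiler child and the interactive user's shell and reports three events: the cmd.exe and WMIC.exe children as high severity and the unknown updater.exe as medium. In production the EXPECTED_CHILDREN allowlist should be tuned per server role, since some line-of-business applications legitimately shell out from the app pool.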
What Makes This Discovery Significant
- Highly targeted espionage: The focus on foreign affairs, telecom, and defense networks indicates strategic intelligence objectives, not opportunistic cybercrime.
- Advanced concealment: NET-STAR’s memory-resident design, encrypted communications, and timestamp manipulation make it unusually hard to detect and investigate.
- Evolving tradecraft: The shift from email theft to database mining marks a new stage in espionage operations, showing intent to harvest curated, decision-level intelligence rather than bulk data.
- Infrastructure links: While Phantom Taurus shares some infrastructure traits with previously known Chinese espionage groups, its custom tooling and operational discipline mark it as a distinct new actor.