Palo Alto Networks spots new China espionage group showcasing advanced skills
An elusive, persistent, newly confirmed China espionage group has hit almost 10 victims of geopolitical importance in the Middle East, Africa and Asia using specific tactics and extreme stealth to avoid detection, according to Palo Alto Networks’ Unit 42.
Phantom Taurus uses tools and a distinct homegrown set of malware and backdoors that sets them apart from other China threat groups, said Assaf Dahan, who’s led an investigation into the group since 2022 as director of threat research at Palo Alto Networks’ Cortex unit.
The discovery of an undocumented threat group conducting long-term intelligence-gathering operations aligned with Beijing’s interests underscores the spread of China’s offensive espionage operations globally. Roughly 3 in 4 nation-state threats originate from or are operating on behalf of the Chinese government’s interests, Dahan told CyberScoop.
Unit 42 did not name Phantom Taurus’ victims but said the group has infiltrated networks operated by ministries of foreign affairs, embassies, diplomats and telecom networks to steal sensitive and timely data around major summits between government leaders or political and economic events.
Phantom Taurus seeks sustained access to highly targeted networks so it can periodically and opportunistically steal data they want at any time. Unit 42 researchers responded to one case involving access going back almost two years, Dahan said.
The threat group remains active and has expanded its scope over time by targeting more organizations. “The latest activity was just a couple of months ago when we saw them highly active in at least two regions of the world,” Dahan said.
Unit 42 expects more victims to be identified as a result of its report, which includes details about the group’s specialized malware, indicators of compromise and tactics, techniques and procedures.
Phantom Taurus uses multiple pieces of malware, including the newly identified NET-STAR malware suite, which consists of three distinct web-based backdoors. These backdoors support in-memory execution of command-line arguments, arbitrary commands and payloads, and the loading and execution of .NET payloads with evasive capabilities designed to avoid detection in more heavily monitored environments, according to Unit 42.
“These pieces of malware are designed for extreme stealth, allowing them to operate clandestinely, under the radar, and infiltrate into really sensitive organizations,” Dahan said. While Phantom Taurus uses some infrastructure and tools that are commonly shared among multiple Chinese espionage groups, Unit 42 isn’t aware of any other groups using the suite of specialized malware.
The group most often breaks into networks by locating internet-facing devices that can be exploited via known vulnerabilities, Dahan said. “The level of sophistication that we’ve seen from this group is really off the charts. But when it comes to how they actually put a foot in the door, it’s as basic as exploiting an unpatched server most of the time,” he added.
Phantom Taurus’ tools, capabilities, targets and other fingerprints left behind by its activities gives Unit 42 confidence the group is unique and does not overlap with a group previously identified by other research firms.
“Their entire playbook seems distinct and quite apart from other Chinese threat actors,” Dahan said. “It’s not something that you can mistake for another group.”
