CyberWire Daily - China’s stealthiest spy operation yet. [Research Saturday]
Episode Date: October 4, 2025. Assaf Dahan, Director of Threat Research, Cortex XDR, at Palo Alto Networks, discussing Phantom Taurus, a new China APT uncovered by Unit 42. Unit 42 researchers have identified Phantom Taurus, a newly designated Chinese state-aligned APT conducting long-term espionage against government and telecommunications organizations across Africa, the Middle East, and Asia. Distinguished by its stealth, persistence, and rare tactics, the group has recently shifted from email-focused data theft to directly targeting databases and deploying a powerful new malware suite called NET-STAR, designed to compromise IIS web servers and evade detection. This suite, featuring modular, fileless backdoors and advanced evasion capabilities, marks a significant evolution in Phantom Taurus' operations and underscores the group's strategic intelligence-gathering objectives. The research can be found here: Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
Transcript
You're listening to the Cyberwire Network, powered by N2K.
AI adoption is exploding, and security teams are under pressure to keep up.
That's why the industry is coming together at the Datasec AI conference,
the premier event for cybersecurity data and AI leaders,
hosted by data security leader, Sierra, built for the industry by the industry,
this two-day conference is where real-world insights and bold solutions take
center stage. Datasec AI 25 is happening November 12th and 13th in Dallas. There's no cost to
attend. Just bring your perspective and join the conversation. Register now at Datasek AI
2025.com backslash cyberwire.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So Phantom Taurus is a newly identified, what we call,
a state-sponsored Chinese espionage group.
And what really sets them apart from other APT groups
is the large-scale intelligence collection activity
that we've been observing.
So they mainly target governments, embassies,
ministries of foreign affairs and defense sectors.
That's Assaf Dahan, Director of Threat Research at Palo Alto Networks.
The research we're discussing today is about Phantom Taurus,
a new China APT uncovered by Unit 42.
We've seen them in a number of geographies
spanning from Africa, the Middle East, and Asia.
And yeah, so it's pretty vast
in terms of who they target,
the level and the scale
of their intelligence collection efforts.
And also, it's not every day that we get to uncover a brand new,
what we call a top-tier APT.
So most of the time that when we're tracking, I guess,
cyberactivity or malicious, nefarious cyber activity,
we usually can attribute the activity to known groups.
And today we pretty much came out and revealed a new group that has not been known to the public before.
So it's a big deal on our end.
Yeah.
Well, how do you suppose that Phantom Taurus fits into the broader landscape of Chinese state-aligned threat activity?
So when it comes to Phantom Taurus, the way we characterize the group is a group that is focused mainly
on intelligence collection or intelligence gathering.
There are multiple facets and multiple groups operating on behalf of Chinese state interests.
Some of them maybe would go after technological or, I guess, aspects or go after intellectual property, for instance.
Some would try to spy on friends and foes, right?
And so they really fit into the more traditional side of the spying games, if you will.
So they go after governments, embassies, foreign ministries.
So the targeting tends to be very geopolitical and with some economic sides as well, but mostly geopolitical.
So when it comes to their targeting, as I mentioned, I think this is why it's such an exciting or at least interesting type of threat actor is that the correlation with geopolitical events was pretty striking.
So we would see them operating in certain networks, let's say a month or two before a major, let's say, conference
or a summit or an important meeting between two statesmen, right?
Whether it's their friends or their foes,
you'd see them really spying on the people that they're interacting with.
So we thought it was pretty interesting.
Well, let's stick into some of their tactics and capabilities here.
Is there anything that stands out about their tactics, techniques, and procedures
compared to some of the other Chinese APT groups
we're used to seeing out there?
Yeah, so there are actually a number of things
that we've noticed
and really set them apart from other threat actors.
So first and foremost, I think it's their level of persistence
and they're quite tenacious, right?
They put the P in APT, as we like to say
when it comes to persistence.
You know, most groups, you know, when they get caught or when the operation is blown,
they all try to, you know, stay away, like hide for a bit, regroup and then come back after a few
months, a few years.
We've seen them coming back in a matter of days, sometimes hours.
So they're really persistent.
you could see the level of commitment, if you will, that they have for getting the intelligence that they're after.
So, like, very persistent group.
They have, like, their own homegrown tools.
So, like, they don't use, like, the generic tools that we've come to see and know,
and they do develop their own malware and their own tools,
which are quite sophisticated, state-of-the-art tools.
We have the Net Star Suite that we just discovered,
and prior to that there was the Specter malware suite.
And they are really well-engineered, designed for extra stealth,
and we haven't observed these types of tools being used anywhere else or by any other threat actors.
So that's also what makes them special.
And when it comes to their techniques or tactics, what is interesting to see is that they are not the sort of a threat actor that goes after individuals so much,
in terms of, like, we haven't seen spearphishing
or elaborate social engineering attacks.
They are like their hallmark activities
is going after vulnerable infrastructures.
So they go straight to the jugular,
or they go straight to the crown jewels,
be it database servers, email exchange servers.
So instead of like trying to target an individual,
let's say the prime minister,
or a minister of a said country,
they'll go for the main server of the Ministry of Foreign Affairs,
and so they can have access to diplomatic cables, correspondence,
and other type of sensitive documents and information.
One of the things I noted in the research is you highlight how the group's data collection strategies
have evolved over time.
You point out them shifting from email servers to databases, for example.
That is correct.
And again, I don't think it's necessarily mutually exclusive either or.
I think that they can still do both.
But we have noticed that in the last year,
they haven't been targeting exchange servers or email servers as much as they used to.
And most of their current activity revolves around
trying to get into databases,
really back-end databases which kind of aggregate
or have or contain so much more information
than just email correspondences, if that makes sense.
So it's really about they're looking for, I guess,
in a sense you can say that they're looking for a good ROI.
So where they can find the most,
where they can get the most buck for their,
bang for buck, what's the expression?
Yeah, bang for the buck.
Yeah, exactly.
Like, how can they get their hands on as much information
with the least effort?
We'll be right back.
And now, a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allow listing is a deny-by-default software that makes application control simple and fast.
Ring fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
At Thales, they know cybersecurity can be tough and you can't protect everything,
but with Thales you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications,
data and identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
Well, can you take us behind the scenes a little bit of your own process?
I mean, how did you and your colleagues determine that this was a distinct new actor rather
than activity from an existing group?
Wow, it's a really good question.
It's been two and a half years of, really, it's been, it's been
a journey, two and a half years of investigative work, because when we first started observing
this activity, we didn't know what we were looking at. We tried to characterize it. So the first
process was understanding, or at least try to understand the motivation and the playbook of
the attackers. And quickly, and we quickly realized,
okay, these guys are not there for financial motivation.
It's not a ransom group.
So what we could glean from their activities was that they were really after collecting information or stealing information.
So we quickly understood that we're looking at an espionage group.
Okay, that's fine, but there are dozens, if not hundreds of APT groups operating
in the sphere, not just Chinese.
You have like so many other countries
spying on each other.
And then we started collecting
a lot of data points and
connecting the dots.
Slowly but surely,
we were able to
scope it better
and to notice patterns
in their activity
that
coincided or,
like, pointed
us to the conclusion that we're looking at a,
probably looking at a Chinese threat actor.
And then we, over the course of two and a half years,
we implemented our attribution methodology,
which is a long-term, it's based on a long-term
monitoring of a given activity or a threat actor.
So we started with a cluster,
without assigning any attribution,
saying, hey, we are noticing an activity that is repeated in different regions of the world on different organizations.
And we started clustering it. Then, after a year of monitoring this activity, we had enough evidence and enough data to elevate it to a temporary group.
Now we were able, with all the information that we were able to collect for over a year,
we were able to say, hey, this looks like a Chinese activity.
We still don't know if it's a new group or if it's like a spinoff or like a subgroup of a known group.
But what we do see here is a really distinct activity, repeated patterns that we're not able to tie to any other
sort of activity that we're seeing, and we're tracking and monitoring over 20 APT groups,
just like coming from China. And nothing really stuck. We really tried to do these matchings
and clustering. And after two and a half years of like reviewing, carefully reviewing the
information again and again and again and trying to really look for any connection
for any known groups,
we were not able to find
such groups, and that's why
we were pretty confident
in coming up with a new threat actor.
As threat intelligence or threat researchers,
we are probably the last people
who want to throw a new name
into the already growing pile
or make some threat actors.
It's not something that we like to do,
but we really took a lot of time and effort
to make sure that this is a new threat actor
and we're not just, like, adding a new name to the pile.
Well, I mean, you talk about Phantom Taurus's persistence.
It sounds to me like you and your colleagues
had to have a certain amount of persistence yourselves.
Yes, it did become a bit of a baby project
for some of the team,
especially a researcher called Lior Rochberger.
She was the main force behind the investigation.
She led the investigation.
She's currently honeymooning, so that's why she's not on the call.
But she was the main researcher.
There were other collaborations with other researchers,
but she was the main speedboat,
and she's an extremely persistent researcher
and an extremely capable one.
You speak to an interesting aspect here,
which is I think it's important,
my perception anyway, and correct me if I'm wrong,
is that it's important that groups like yours
have the leeway to chase down these sorts of things.
And they might not always pay off,
but in this case it seems like it did.
But that's part of the culture of your research organization.
That is correct.
I mean, and you have to understand that our research is not done for academic purposes, right?
The reason that we invest so much in tracking those, like the various groups that we're tracking,
the cybercrime or nation-state threat actors, is that at the end of the day,
our entire research is being translated to actionable intelligence.
And namely, it helps us, A, feed our product,
making sure that we have all the right IOCs
and all the right identifiers,
you know, be it malware hashes, domains, IPs
for a given threat, but more than that,
it's really about when you monitor threat actors so closely,
you get to learn their MO and you learn how we
quickly start to learn how they think and how they react and you can anticipate their next
moves. All of this knowledge and insights, we try to bake it into the product, trying to come up
with behavior rules and try to come up with train our machine learning algorithms for detection
and prevention.
So that's why it really pays off to track these threat actors and group for a long time.
Well, what are the takeaways here when we're speaking to defenders and security teams who are
checking out your research?
What do you hope they come away with here when it comes to Phantom Taurus?
I think, I mean, it's going to sound a bit like a cliche, but it's still, it is still
true.
I think that one of the reasons that Phantom Taurus was able to penetrate so deep into so many
organizations has to do with the more trivial stuff rather than like fancy zero days or
like fancy exploits.
The root cause of 90% of their success in penetrating organizations
has to do with patch management or lack thereof,
outdated versions, unpatched servers.
And I think it's, I'm not going to say anything that will shock,
I think, the audience,
but I think
good IT hygiene
will,
it goes a long way.
And again, I'm not saying that
a skilled and highly motivated
threat actor would not find a way
to circumvent or bypass
things, or even, like, use
like heavier exploits like zero
days and such to get to
where they need to get.
But sometimes it seems like almost too easy because the servers or like some or internet facing systems are not guarded enough, be it with having sufficient security tools and mitigations put in place.
And also, yeah, as I mentioned, like the outdated systems.
Our thanks to Assaf Dahan from Palo Alto Networks for joining us.
The research is about Phantom Taurus, a new China APT uncovered by Unit 42.
We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K Cyberwire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes or send an email to Cyberwire at N2K.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here
next time.