Government and telecommunications organizations across Africa, the Middle East, and Asia have emerged as the target of a previously undocumented China-aligned nation-state actor dubbed Phantom Taurus over the past two-and-a-half years.
“Phantom Taurus’ main focus areas include ministries of foreign affairs, embassies, geopolitical events, and military operations,” Palo Alto Networks Unit 42 researcher Lior Rochberger said. “The group’s primary objective is espionage. Its attacks demonstrate stealth, persistence, and an ability to quickly adapt their tactics, techniques, and procedures (TTPs).”
It’s worth pointing out that the hacking group was first detailed by the cybersecurity company back in June 2023 under the moniker CL-STA-0043. Then last May, the threat cluster was graduated to a temporary group, TGR-STA-0043, following revelations about its sustained cyber espionage efforts aimed at governmental entities since at least late 2022 as part of a campaign codenamed Operation Diplomatic Specter.
Unit 42 said its continued observation of the group yielded enough evidence to classify it as a new threat actor whose primary goal is to enable long-term intelligence collection and obtain confidential data from targets that are of strategic interest to China, both economically and geopolitically.
“The group takes an interest in diplomatic communications, defense-related intelligence and the operations of critical governmental ministries,” the company said. “The timing and scope of the group’s operations frequently coincide with major global events and regional security affairs.”
This aspect is particularly revealing, not least because other Chinese hacking groups have also embraced a similar approach. For instance, a new adversary tracked by Recorded Future as RedNovember is assessed to have targeted entities in Taiwan and Panama in close proximity to “geopolitical and military events of key strategic interest to China.”
Phantom Taurus’ modus operandi also stands out due to the use of custom-developed tools and techniques rarely observed in the threat landscape. This includes a never-before-seen bespoke malware suite dubbed NET-STAR. Developed in .NET, the program is designed to target Internet Information Services (IIS) web servers.
That said, the hacking crew has relied on shared operational infrastructure that has been previously employed by groups like AT27 (aka Iron Taurus), APT41 (aka Starchy Taurus or Winnti), and Mustang Panda (aka Stately Taurus). Conversely, the infrastructure components used by the threat actor have not been detected in operations carried out by others, indicating some sort of “operational compartmentalization” within the shared ecosystem.
The exact initial access vector is not clear, but prior intrusions have weaponized vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers, abusing flaws like ProxyLogon and ProxyShell,…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
