Suspected Chinese hackers have infiltrated the Microsoft Exchange email servers of foreign ministries across Africa, the Middle East, and Asia in a sophisticated, multi-year espionage operation. Researchers at Palo Alto Networks’ Unit 42 threat intelligence division revealed the discovery of Phantom Taurus, a previously undocumented nation-state actor conducting intelligence collection operations aligned with People’s Republic of China (PRC) state interests.
Unprecedented Access to Diplomatic Communications
The threat group successfully compromised email servers at multiple foreign ministries, granting attackers the ability to search for and exfiltrate sensitive diplomatic information. Unit 42 researchers, who have tracked this group for nearly three years, confirmed that the hackers maintained full access to search within email systems and specifically hunted for communications related to high-profile geopolitical events.
Senior Unit 42 researcher Lior Rochberger noted that attackers searched for specific diplomatic keywords tied to the China-Arab summit held in Riyadh, Saudi Arabia, in 2022. The hackers also targeted search terms associated with Chinese President Xi Jinping and his wife Peng Liyuan in connection to that summit. Rochberger stated that discovering the group searching for specific diplomatic keywords and then exfiltrating emails from embassies and military operations revealed this was a serious intelligence collection effort.
Advanced Persistent Threat with Distinctive Capabilities
Phantom Taurus distinguishes itself from other Chinese APT groups through its unique tactics, techniques, and procedures (TTPs), which enable highly covert operations and long-term access to critical targets. The group’s operations demonstrate stealth, persistence, and the ability to rapidly adapt its approach when security measures are implemented.
Unit 42 originally began tracking this activity cluster as CL-STA-0043 in June 2023, promoting it to temporary group status TGR-STA-0043 with the nickname “Operation Diplomatic Specter” in May 2024. After sustained observation and intelligence collection, researchers accumulated sufficient evidence to classify the group as a distinct threat actor in September 2025.
Custom Malware Arsenal: The NET-STAR Suite
The investigation revealed a previously undocumented custom toolset in Phantom Taurus’ arsenal called NET-STAR, a sophisticated .NET malware suite designed to target Internet Information Services (IIS) web servers. The NET-STAR suite consists of three distinct web-based backdoors that operate filelessly within IIS environments, demonstrating the group’s advanced evasion techniques and deep understanding of the .NET architecture.
IIServerCore serves as the main modular backdoor, operating entirely in memory within the w3wp.exe IIS worker process. This component supports file system operations, database access, arbitrary code execution, web shell management, and Antimalware Scan Interface (AMSI) bypass functionality. All communications between the malware and command-and-control infrastructure utilize AES encryption, with payloads loaded directly into memory to avoid detection.
AssemblyExecuter V1 and V2 function as .NET malware loaders that execute additional payloads in memory without writing them to disk. The enhanced V2 variant includes dedicated methods for bypassing both AMSI and Event Tracing for Windows (ETW), allowing attackers to selectively disable security controls based on the target environment’s configuration.
Evolution in Attack Methodology
Unit 42’s continuous monitoring revealed a tactical evolution in early 2025, with Phantom Taurus shifting from email-centric operations to directly targeting databases. Researchers observed the group using a script named mssq.bat to connect to SQL Server databases, execute dynamic queries searching for specific keywords, and export results to CSV files. The threat actor used this method to search for documents related to specific countries including Afghanistan and Pakistan.
Strategic Targeting and Attribution
Phantom Taurus primarily focuses on ministries of foreign affairs, embassies, geopolitical events, and military operations. The targeting patterns align consistently with PRC economic and geopolitical interests, with operations frequently coinciding with major global events and regional security affairs.
Unit 42 established attribution through comprehensive analysis using the Diamond Model framework, examining infrastructure, victimology, and capabilities. The group utilizes shared operational infrastructure used exclusively by Chinese threat actors, including Iron Taurus (APT27), Starchy Taurus (Winnti), and Stately Taurus (Mustang Panda). However, specific infrastructure components used by Phantom Taurus have not been observed in operations by other threat actors, indicating operational compartmentalization within this shared ecosystem.
Geographic Scope and Victim Profile
While Unit 42 declined to identify specific affected countries, the campaign has targeted government and telecommunications organizations across Africa, the Middle East, and Asia. The threat group specifically focuses on organizations with access to sensitive, non-public information related to diplomatic communications and defense-related intelligence. Regions including Afghanistan, Pakistan, and various Middle Eastern countries remain areas of strategic interest.
Detection and Mitigation Challenges
Phantom Taurus employs sophisticated evasion techniques that enable the group to maintain access for extended periods without detection. In one incident response case, Unit 42 discovered access dating back almost two years, demonstrating the group’s capability for sustained, opportunistic intelligence collection. The threat actor actively uses timestomping to change file timestamps and confuse security analysts and digital forensics tools.
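As an added illustration (not code from the Unit 42 report or from Messageware), the check below applies two common forensic heuristics for timestomped files to constructed NTFS metadata records: sub-second precision stripped from the $STANDARD_INFORMATION timestamps, and an $SI creation time earlier than the $FILE_NAME creation time. The paths and timestamps are made up; a real run would feed records from an MFT parser.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class FileRecord:
    """NTFS timestamps for one file, as an MFT parser would report them."""
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation time
    si_modified: datetime  # $STANDARD_INFORMATION last-modified time
    fn_created: datetime   # $FILE_NAME creation time


def _utc(value: str) -> datetime:
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


# Constructed sample records (hypothetical paths and times, not from the report).
SAMPLE_RECORDS = [
    # Normal file: $SI and $FN creation agree and sub-second precision is present.
    FileRecord("C:\\inetpub\\wwwroot\\default.aspx",
               _utc("2024-03-11T09:14:22.301745"), _utc("2024-09-02T16:40:05.118320"),
               _utc("2024-03-11T09:14:22.301745")),
    # Suspicious: $SI pushed back to 2019 with whole-second values, while $FN
    # still records the true 2025 creation time.
    FileRecord("C:\\inetpub\\wwwroot\\aspnet_client\\tmp.aspx",
               _utc("2019-07-20T12:00:00"), _utc("2019-07-20T12:00:00"),
               _utc("2025-01-14T03:27:49.882115")),
]


def timestomp_indicators(rec: FileRecord) -> list[str]:
    """Return the heuristic reasons a record looks timestomped (empty if none)."""
    reasons = []
    # Utilities that set timestamps through user-mode APIs commonly write whole
    # seconds, leaving the 100 ns fraction at zero; genuine NTFS timestamps almost
    # always carry a fraction. (Files extracted from ZIP archives also lose
    # precision, so treat this as a lead, not proof.)
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("zero sub-second precision in $SI timestamps")
    # Those same APIs do not touch $FILE_NAME, so an $SI creation time that
    # predates the $FN creation time means $SI was rewritten backwards.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation time precedes $FN creation time")
    return reasons


def find_timestomped(records: list[FileRecord]) -> dict[str, list[str]]:
    """Map each flagged path to its indicators; clean files are omitted."""
    return {r.path: timestomp_indicators(r) for r in records if timestomp_indicators(r)}


if __name__ == "__main__":
    for path, reasons in find_timestomped(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(reasons))
```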
Assaf Dahan, director of threat research at Palo Alto Networks’ Cortex unit, emphasized that the group uses distinct homegrown malware and backdoors that set them apart from other Chinese threat groups. This combination of sophisticated, adaptive TTPs and clear strategic objectives poses a direct risk to organizations with international operations or government affiliations.
Chinese Government Response
Liu Pengyu, spokesperson for the Chinese Embassy in Washington, responded that hacking is a problem for all countries, including China, and that the government opposes all forms of cyberattacks. This statement follows the pattern of Chinese government denials regarding state-sponsored cyber espionage operations.
Broader Context
The discovery of Phantom Taurus underscores the expanding scope of China’s offensive espionage operations globally. The sophisticated nature of this multi-year campaign demonstrates the persistent threat that advanced nation-state actors pose to diplomatic and government entities worldwide.
Protecting Microsoft Exchange servers and associated systems requires a multi-layered security approach. Organizations should prioritize keeping Exchange server software fully updated with the latest security patches to mitigate known vulnerabilities.
Fortify Your Server with Messageware Security
Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.
Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.
EPG Guard for Exchange Servers: Real-time security. Stop AD account lockouts, eliminate password attacks, intelligent GEO blocking, and prevent Exchange Server vulnerability probing.
Don’t leave your critical infrastructure vulnerable; be proactive and stay ahead of evolving threats.