Chinese Communist Party hackers “Ghost Ox” (Phantom Taurus) exposed, specializing in diplomatic and military targets

A recent report released by Unit 42, the threat intelligence team of the American cybersecurity company Palo Alto Networks, has unveiled a previously undisclosed China-nexus, state-aligned hacker group that Unit 42 tracks as “Phantom Taurus.”

According to the report, over the past three years this group has been conducting cyber espionage operations against ministries of foreign affairs, foreign embassies, and telecommunications operators in countries across the Middle East, Africa, and Asia, demonstrating a high level of stealth and the ability to maintain long-term access to compromised networks.

Phantom Taurus's attacks have focused on foreign affairs, geopolitics, and military activity. The information it collects aligns closely with China's economic and geopolitical interests, pointing to a clear intelligence-collection motive, and its operations often coincide with major international events or shifts in regional security, underscoring their strategic purpose.

Unlike previously known Chinese hacker groups such as “APT 27” (tracked by Unit 42 as Iron Taurus), “APT 41” (also known as Winnti), and “Mustang Panda,” Phantom Taurus stands out for its own operational techniques and toolset, showing a higher degree of compartmentalization and concealment, even though it shares infrastructure with other China-nexus groups.

Unit 42 first documented the activity in 2023 under the temporary cluster identifier CL-STA-0043 and later reported it under the name “Operation Diplomatic Specter,” reflecting its continued espionage against government agencies.

The group initially focused on stealing government emails but since 2025 has shifted toward directly targeting database systems. It uses a purpose-built batch script named “mssq.bat” to connect to Microsoft SQL Server instances, run queries, and export the results; the queries searched for records relating to specific countries such as Afghanistan and Pakistan.

This transition reflects an upgrade in tactics, giving Phantom Taurus more direct access to high-value intelligence. In 2025, researchers judged the scale and consistency of the activity sufficient to classify it as a distinct state-aligned hacker group.

Researchers also revealed that Phantom Taurus developed a new suite of .NET-based malicious tools called “NET-STAR,” aimed at the Microsoft IIS web servers that governments commonly run. This poses a serious threat to governments and diplomatic institutions.

According to the report, NET-STAR runs in memory on the web server without leaving files on disk, and can execute database queries, steal files, and communicate over encrypted channels, making it extremely difficult to detect. One component also includes bypasses for the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), so payloads it loads in memory are neither scanned nor traced by the mechanisms that antivirus and endpoint detection tools rely on.

After several years of continuous tracking and analysis, Palo Alto Networks assessed that Phantom Taurus is an emerging China-nexus advanced persistent threat (APT) group. The company shared its findings with the nonprofit Cyber Threat Alliance (CTA) so that members can quickly deploy protections for their customers and block the attackers systematically.

The report recommends that governments and telecommunications providers strengthen monitoring and protection of their database and IIS servers, since both the SQL data theft and the in-memory IIS backdoor described above leave few traditional file-based traces and must instead be caught through behavior on those servers.
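One way to act on that recommendation is to hunt for the behaviors this article describes in process-creation telemetry from web and database hosts. The following is an added example written for this page, not code from Unit 42 or from the report: it scans a handful of constructed Sysmon-style process events for an IIS worker process (w3wp.exe) spawning a shell or sqlcmd, for a command line that invokes sqlcmd with a query and a CSV output file, for the script name mssq.bat mentioned above, and for xp_cmdshell. The sample events, rule names and regular expressions are all assumptions made for illustration.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events with Sysmon Event ID 1 style
# fields. These records were written for this example and are not telemetry
# from the Unit 42 report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "web01",
     "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Windows\\Temp\\mssq.bat"},
    {"host": "web01",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Tools\\sqlcmd.exe",
     "cmdline": ('sqlcmd -S db01 -E -Q "select * from docs where country = '
                 "'Afghanistan'" '" -s "," -o C:\\Windows\\Temp\\docs.csv')},
    {"host": "web01",
     "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "app02",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c sqlcmd -S db01 -Q "exec master..xp_cmdshell \'whoami\'"'},
]

# Hypothetical detection patterns (assumptions for this example).
IIS_WORKER = re.compile(r"\\w3wp\.exe$", re.IGNORECASE)
CHILD_SHELL = re.compile(r"\\(cmd|powershell|pwsh|sqlcmd)\.exe$", re.IGNORECASE)
# sqlcmd invoked with an inline query (-Q) and an output file ending in .csv (-o)
SQLCMD_EXPORT = re.compile(r"\bsqlcmd\b.*\s-Q\s.*\s-o\s+\S+\.csv\b", re.IGNORECASE)
XP_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)
KNOWN_SCRIPT = re.compile(r"\bmssq\.bat\b", re.IGNORECASE)


def _finding(event: Dict[str, str], rule: str) -> Dict[str, str]:
    return {"host": event.get("host", "?"), "rule": rule,
            "cmdline": event.get("cmdline", "")}


def find_suspicious(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, matching rule) pair."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        # An IIS worker process should not normally launch a shell or sqlcmd;
        # a web shell or an in-memory backdoor running inside w3wp.exe would.
        if IIS_WORKER.search(ev.get("parent", "")) and CHILD_SHELL.search(ev.get("image", "")):
            findings.append(_finding(ev, "iis_worker_spawned_shell"))
        if KNOWN_SCRIPT.search(cmd):
            findings.append(_finding(ev, "known_script_name"))
        # Query-and-export to CSV from a web host matches the data theft pattern.
        if SQLCMD_EXPORT.search(cmd):
            findings.append(_finding(ev, "sqlcmd_csv_export"))
        if XP_CMDSHELL.search(cmd):
            findings.append(_finding(ev, "xp_cmdshell_in_cmdline"))
    return findings


def hits_per_host(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate findings so hosts with several signals float to the top."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:26} {f['cmdline']}")
    print(hits_per_host(find_suspicious(SAMPLE_EVENTS)))
```

Process telemetry is necessary but not sufficient here: a backdoor that executes .NET assemblies entirely inside the IIS worker process, as NET-STAR is described as doing, may never create a child process at all, so these rules should be paired with an inventory of installed IIS modules, image-load and network telemetry for w3wp.exe, and SQL Server audit logging of logins and queries from web hosts.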

Established in 2005, Palo Alto Networks is headquartered in Santa Clara, California, and is a leading global cybersecurity company. Its main competitors include Fortinet, Check Point, and Cisco. In 2025, Palo Alto Networks made its debut on the Fortune 500 list, ranking 470th and becoming one of the few pure cybersecurity companies to enter the list.