Redazione RHC : 2 October 2025 08:24
A new hacker group linked to the Chinese Communist Party has been identified by experts at Palo Alto Networks. Unit 42, the California-based company’s threat intelligence division, has released a report revealing the existence of “Phantom Taurus”, a state-run organization that has been engaged in cyber espionage against government and diplomatic institutions for years.
According to the document, over the past three years the group has conducted covert operations against foreign ministries, embassies and telecommunications companies in the Middle East, Africa and Asia.
The stolen information concerns geopolitical issues, foreign relations, and military activities, in line with the Chinese government’s strategic priorities. The attacks, often synchronized with international events or regional crises, confirm a clearly intelligence-driven objective.
Analysts compared Phantom Taurus to other well-known threat actors such as APT 27 (Iron Taurus), APT 41 (Winnti), and Mustang Panda. While it shares infrastructure with other Chinese threat actors, the group stands out for its customized tools and hard-to-detect techniques, achieving a more sophisticated level of stealth.
The group was first identified in 2023 under the identifier CL-STA-0043 and later associated with the operation “Diplomatic Specter.” Initially focused on email theft, since 2025 it has expanded its capabilities, targeting government databases directly.
Using a script called “mssq.bat,” the hackers connected to SQL servers to extract information from countries such as Afghanistan and Pakistan, marking a clear escalation of their techniques.
Among the new findings, researchers have detected the development of a new malicious toolkit, dubbed “NET-STAR”, designed to compromise Microsoft IIS servers, which are often used by public administrations.
This tool enables file theft, database queries, and encrypted communications, with advanced features to avoid detection by security systems and antivirus software.
Palo Alto Networks, which shared the research findings with the Cyber Threat Alliance (CTA), emphasizes the urgent need to strengthen security systems, particularly by monitoring IIS servers and databases, to prevent difficult-to-detect intrusions. The American company, founded in 2005 in Santa Clara and now a leading global cybersecurity player, entered the Fortune 500 list for the first time in 2025, at number 470.