
 Message 1798 
 Mike Powell to All 
 Chinese hackers hit gover 
 02 Oct 25 09:36:27 
 
Chinese hackers hit government systems, stealing emails and more - here's 
what we know

Date:
Wed, 01 Oct 2025 12:02:00 +0000

Description:
Say hi to Phantom Taurus - a newly discovered Chinese state-sponsored
cyberespionage group.

FULL STORY

Chinese state-sponsored threat actors named Phantom Taurus have been seen
targeting email communications and databases belonging to different countries
in the Middle East and South Asia with brand new malware.

Security researchers from Unit 42 have been tracking the threat actor for
years, and have come to the conclusion the attackers were sponsored by China,
based on a combination of technical indicators, targeting patterns, and
strategic alignment. 

The experts observed the group targeting ministries of foreign affairs,
embassies, and government entities, all typical victims of nation-state
intelligence operations.

Sharing infrastructure 

The group also used custom backdoor malware called NET-STAR which was
sophisticated in the way only a nation-state could develop. 

The NET-STAR malware suite demonstrates Phantom Taurus' advanced evasion
techniques and a deep understanding of .NET architecture, representing a
significant threat to internet-facing servers, the researchers explained.

Phantom Taurus also apparently shares infrastructure, malware traits, and
tactics with known Chinese APTs, particularly BackdoorDiplomacy. C2 domains,
malware loaders, and similar spear-phishing techniques, all made Unit 42
deduce Phantom Taurus was a Chinese actor. 

They have now placed it next to other tauruses - Iron Taurus, Starchy Taurus,
and Stately Taurus. The latter is also known as Mustang Panda and is a widely
known threat actor, who was seen targeting Microsoft tools, cloud services,
and more. 

Unfortunately, we don't know exactly how Phantom Taurus infects its victims
with NET-STAR. We can only assume it includes the usual tactics such as
spear-phishing or zero-day vulnerability abuse. We do know, however, that its
victims are located in Afghanistan and Pakistan.

China, as usual, denies any wrongdoing or any involvement in cyberattacks or
cyber-espionage, and instead accuses the United States of being the world's
biggest cyber-bully.

 Via The Register

======================================================================
Link to news story:
https://www.techradar.com/pro/security/chinese-hackers-hit-government-systems-stealing-emails-and-more-heres-what-we-know

--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)

