APT Espionage Group “Phantom Taurus” Deploys NET-STAR To Compromise IIS and Exfiltrate SQL Data
October 15th, 2025
Critical
Our Cyber Threat Intelligence Unit is monitoring a newly discovered advanced persistent threat (APT) group, “Phantom Taurus,” which has been observed deploying a custom malware toolkit known as NET-STAR. Active since at least 2022, this group targets foreign ministries, embassies, telecommunications providers, and government entities across Asia, the Middle East, and Africa. They use compromised servers, ASPX web shells, and in-memory execution techniques to maintain persistence, exfiltrate sensitive data, and evade detection. NET-STAR is specifically designed to compromise Microsoft IIS web servers, operating almost entirely in memory, which minimizes forensic artifacts.
Technical Details
Attack Type: State-aligned cyber espionage using custom backdoors and web shells.
Severity: Critical.
Delivery Method: Exploitation of IIS web servers and deployment of malicious ASPX web shells.
Execution Method: Fileless, in-memory execution with web-shell-based persistence inside IIS.
Observed Tactics and Components:
Initial Access: IIS exploitation followed by installation of an ASPX web shell (e.g., OutlookEN.aspx).
Persistence: Fileless execution injected into w3wp.exe (IIS worker process).
Payloads:
IIServerCore: Modular, memory-resident backdoor enabling command execution and data collection.
AssemblyExecuter V1 / V2: .NET loaders that execute assemblies directly in memory. V2 introduces AMSI and ETW bypasses.
Data Collection: Execution of mssq.bat scripts to query and exfiltrate SQL data via the “sa” user.
Evasion: Use of manipulated timestamps in file attributes, Base64-encoded C2 traffic delimited by the keyword “STAR”, and compartmentalized infrastructure across shared nexus hosting.
Impact
Exfiltration of sensitive government and diplomatic communications, along with SQL databases.
Persistent, fileless backdoors granting long-term, covert access to mission-critical systems.
Compromise of administrative and service accounts from IIS and SQL servers.
Broader implications for national security, telecom networks, and diplomatic confidentiality.
Cross-regional targeting indicates strategic intelligence-collection objectives beyond a single-region focus.
Detection Method
Organizations should monitor for indicators of in-memory IIS compromise and abnormal .NET behavior:
Inspect IIS logs for suspicious uploads of ASPX web shells (OutlookEN.aspx or similar).
Monitor w3wp.exe (IIS worker) for anomalous memory-loaded assemblies or reflective DLL execution.
Detect batch-script activity (mssq.bat) interacting with SQL servers.
Review file attributes for manipulated file timestamps or altered compilation timestamps.
Enable EDR/XDR analytics for fileless execution, .NET reflection, and AMSI bypass attempts.
Analyze outbound traffic for Base64 payloads containing “STAR” markers.
Auditing scheduled tasks is best practice as a general persistent-threat check, though current reporting doesn’t note persistence in this way.
Indicators of Compromise
Type | Indicator | Description |
File Name | OutlookEN.aspx
| Malicious web shell |
File Name |
mssq.bat | SQL exfiltration script |
Malware Component | IIServerCore | A malicious IIS module |
Malware Component | AssemblyExecuter V1 / V2
| Tools that run .NET assemblies directly in memory |
Path | C:\Users\Administrator\Desktop\tmp\NETstar shard\ServerCore\obj\Release\ServerCore.pdb | Debug file paths embedded in binaries |
Path | C:\Users\admin\Desktop\starshard\NETstar shard\ExecuteAssembly\obj\Debug\ExecuteAssembly.pdb | “ |
MD5 (OffSeq/OTX) | 0867745cbc4568e97d050b905a4caa0b | Associated with NET-STAR binaries |
MD5 (OffSeq/OTX) | 5b458c03029de4833dd1f0c10ff66633 | “ |
MD5 (OffSeq/OTX) | 9b71ae4ce0a9560840ee734e88d22db5 | “ |
SHA1 (OffSeq/OTX) | 16b7f439f516cd0ff3ae6945331e1ba20a849aba | Associated with NET-STAR binaries |
SHA1 (OffSeq/OTX) | 51a4728ddfc67b8ec12d24475a4e50a5ed60dd84 | “ |
SHA1 (OffSeq/OTX) | fb3b2ce44dcecef37ef23fbfe3860e5674229f76 | “ |
SHA256 (Unit 42) | 3e55bf8ecaeec65871e6fca4cb2d4ff2586f83a20c12977858348492d2d0dec4 | AssemblyExecuter V1 (ExecuteAssembly.dll) |
SHA256 (Unit 42) | afcb6289a4ef48bf23bab16c0266f765fab8353d5e1b673bd6e39b315f83676e | AssemblyExecuter V2 (ExecuteAssembly.dll) |
SHA256 (Unit 42) | b76e243cf1886bd0e2357cbc7e1d2812c2c0ecc5068e61d681e0d5cff5b8e038 | AssemblyExecuter V2 (ExecuteAssembly.dll) |
SHA256 (Unit 42) | eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc | IIServerCore (ServerCore.dll) |
Recommendations
Restrict IIS exposure and ensure all hosts run current security patches.
Harden IIS environments using application allowlisting and strict script-execution policies.
Block C2 endpoints and domains associated with Phantom Taurus where threat-intel data is available.
Monitor w3wp.exe for in-memory .NET execution and reflective DLL loads.
Deploy EDR/XDR rules tuned for AMSI/ETW bypasses, PowerShell reflection, and fileless activity.
Hunt for altered file timestamps or anomalous binary timestamps.
Implement SQL monitoring to detect unexpected exports, especially via batch scripts.
Conduct proactive threat hunts for indicators tied to the NET-STAR suite and related APT tooling.
Conclusion
“Phantom Taurus” is a sophisticated group of hackers using the NET-STAR malware suite to infiltrate IIS servers and conduct long-term espionage. Its fileless, in-memory architecture, AMSI bypasses, and stealthy C2 patterns make detection difficult even in environments with strong defenses. We urge organizations managing IIS-based applications or diplomatic infrastructure to prioritize defense in depth. Combining patch hygiene, behavioral detection, and continuous threat hunting is essential in order to mitigate risks associated with this evolving espionage threat.