New CCP-Backed Cyberespionage Group Targeting Diplomats, Embassies: Palo Alto Networks

Cybersecurity firm Palo Alto Networks’ Unit 42 researchers have designated a new China-based cyberespionage group in a Sept. 30 report, shedding more light on Beijing’s global intelligence gathering operations.

The group, tracked as Phantom Taurus by Unit 42, was observed attempting to steal sensitive and classified information on diplomatic and economic missions, military operations, political meetings, governmental entities (including foreign ministries), and high-ranking officials in the Middle East, Africa, and Asia.

The Chinese communist regime has substantial investments in these areas, largely as part of its Belt and Road Initiative (BRI). They include building out dual-use infrastructure, partnerships to allow for military drills, countering U.S. strategic aims, trade ties, and raw resources including rare earth minerals and timber.

Unit 42 has been tracking the group since 2022 and had previously published reports on a cluster of activity that it has now elevated to a named nation-state advanced persistent threat (APT).

The APT displayed a “tactical evolution” around the beginning of 2025, researchers said, moving from stealing specific emails and sensitive and classified information to targeting whole databases.

According to the researchers, this group is distinct from other publicized Chinese state-backed cyberactors such as Salt Typhoon and Volt Typhoon.

What sets the new group apart from known APTs is its mission, “combined with its advanced operational practices,” according to the report.

The report says that Phantom Taurus primarily chooses high-value targets with government links, and that pattern aligns “consistently” with Beijing’s economic and geopolitical interests. The group also shares infrastructure with other known Chinese state-backed APTs.

“We observed that the group takes an interest in diplomatic communications, defense-related intelligence, and the operations of critical governmental ministries,” the report states.

“The timing and scope of the group’s operations frequently coincide with major global events and regional security affairs.”

Researchers say the group’s objective is espionage, and it has demonstrated stealth, persistence, and adaptability. The advanced techniques have allowed the hackers to “maintain long-term access to critical targets” like governmental entities and telecommunications sector networks.

Unit 42’s report outlined several common tools used by Phantom Taurus, including a new malware suite with three backdoors targeting internet-facing servers. As is customary with public reports revealing APT capabilities, no victims were named.

China has emerged as a top cyberthreat, according to U.S. officials, and other countries are increasingly in agreement.

An advisory released on Aug. 27 said 12 countries had joined U.S. cyber agencies to sound the alarm on a Chinese state-sponsored espionage campaign. The advisory revealed that Salt Typhoon had tracked the movements of officials globally by infiltrating the telecommunications and hospitality sectors. Officials had previously confirmed that communications between targets had been stolen by these hackers, and that Salt Typhoon had affected hundreds of targets across dozens of countries.