In recent years, groups involved in Advanced Persistent Threats (APTs) have changed their tactics, shifting focus from email servers to targeting corporate databases. According to a report by Palo Alto Networks, a cybersecurity leader, an increasing number of malicious actors are adopting this strategy; it was most recently observed in a newly identified group called Phantom Taurus, linked to cyberespionage activities.
This tactical shift allows them to collect large volumes of structured information — such as financial histories, customer lists, or internal records — in a quicker and more covert manner, without relying on phishing campaigns or access to corporate email accounts.
The reasons for this evolution are clear. On one hand, improvements in email security, such as multi-factor authentication, anti-phishing filters, and employee training, have made it more difficult to compromise this channel. On the other hand, corporate databases tend to be less protected or monitored, as they often do not play a central role in cybersecurity strategies, making them prime targets for more sophisticated attackers.
Phantom Taurus: from Inbox to Database Server
The recent case of Phantom Taurus clearly illustrates this emerging trend. Identified by Palo Alto Networks’ Unit 42 threat intelligence team, Phantom Taurus is a Chinese-linked APT cyberespionage group that has operated covertly for at least two and a half years. Its targets include government agencies, embassies, military institutions, and telecommunications companies across Africa, the Middle East, and Asia, aiming to obtain strategic information of geopolitical and economic interest.
Between 2023 and 2024, Phantom Taurus focused its attacks on Exchange email servers, deploying malware such as TunnelSpecter and SweetSpecter to exfiltrate entire mailboxes in search of sensitive keywords. In early 2025, Palo Alto Networks detected a tactical shift: the group began using an automated script, mssq.bat, to connect to Microsoft SQL Server databases with stolen administrator credentials, execute specific queries, and extract information into CSV files. The operation was performed remotely and automatically via WMI (Windows Management Instrumentation), with traces erased after each session. This marks a significant evolution from their previous email-focused campaigns toward targeted querying of the databases themselves.
Furthermore, this transition has been accompanied by other signs of sophistication. According to Unit 42, the group developed NET-STAR, a .NET malware suite designed to infiltrate IIS web servers and operate without files on disk, executing code and queries directly in memory. Along with modules like IIServerCore and AssemblyExecuter, this tool allows them to evade modern defenses and maintain persistence on compromised systems.
Securing the “Crown Jewels”: an Urgent Necessity
While Phantom Taurus is a recent and revealing example, it is not an isolated case. Numerous cybersecurity industry reports have been warning of similar tactics by other APT actors. Winnti, another high-profile cyberespionage group linked to China, previously developed a purpose-built backdoor for Microsoft SQL Server called “skip-2.0”.
This shift in APT tactics is a wake-up call for all organizations. Security cannot be solely focused on protecting the perimeter and email; it is imperative to strengthen defenses where sensitive information resides. Palo Alto Networks recommends:
- Enforcing strict access controls on databases, with strong passwords and proper management of administrative accounts.
- Actively monitoring queries and unusual activity within systems to detect anomalous access or execution.
- Keeping databases updated with the latest security patches to fix exploitable vulnerabilities.
- Segmenting internal networks to prevent an attacker from moving easily from a compromised server to database servers.
- Prioritizing early detection with solutions capable of identifying anomalous behaviors, such as Advanced Threat Prevention, which detects exploits in real-time using machine learning, and platforms like Cortex XDR and XSIAM, which can identify and block this type of attack chain.
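The tradecraft described earlier (a batch script launched through WMI that connects to SQL Server with administrator credentials, runs queries, and writes the results to CSV) and the monitoring recommendation above both reduce to two detection questions: did a shell start under the WMI provider host and hand off to a database client, and did one login read an unusual number of tables in a short window? The script below is an added illustration written for this article; it is not code from Palo Alto Networks, Unit 42, or the threat actor. Everything in it is constructed: the Sysmon-style process events, the SQL Server audit events, the `C:\Windows\Temp` paths, the assumption that the script invokes a command-line client such as `sqlcmd.exe`, and the thresholds.

```python
"""Two defensive heuristics for WMI-driven database collection (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in Sysmon-like form (not real telemetry):
# (timestamp, host, parent_image, image, command_line)
PROCESS_EVENTS = [
    ("2025-01-14T02:11:05", "db01", "WmiPrvSE.exe", "cmd.exe",
     r"cmd.exe /c C:\Windows\Temp\mssq.bat"),            # script path is an assumption
    ("2025-01-14T02:11:06", "db01", "cmd.exe", "sqlcmd.exe",   # sqlcmd use is an assumption
     r'sqlcmd.exe -S db01 -U dbadmin -Q "SELECT * FROM dbo.Customers" -s , -o C:\Windows\Temp\c.csv'),
    ("2025-01-14T09:30:00", "app02", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
    ("2025-01-14T09:31:00", "db01", "services.exe", "sqlservr.exe", "sqlservr.exe"),
]

# Constructed SQL Server audit events: (timestamp, login, client_host, statement)
AUDIT_EVENTS = [
    ("2025-01-14T02:11:07", "dbadmin", "10.0.5.77", "SELECT * FROM dbo.Customers"),
    ("2025-01-14T02:11:09", "dbadmin", "10.0.5.77", "SELECT * FROM dbo.Invoices"),
    ("2025-01-14T02:11:12", "dbadmin", "10.0.5.77", "SELECT * FROM dbo.Contracts"),
    ("2025-01-14T02:11:15", "dbadmin", "10.0.5.77", "SELECT name FROM sys.tables"),
    ("2025-01-14T09:40:00", "app_svc", "10.0.5.20", "SELECT id FROM dbo.Orders WHERE id = 5"),
    ("2025-01-14T09:41:00", "app_svc", "10.0.5.20", "SELECT id FROM dbo.Orders WHERE id = 6"),
]

WMI_HOST_PROCESS = "wmiprvse.exe"                       # WMI provider host on Windows
SHELLS = {"cmd.exe", "powershell.exe"}
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe", "bcp.exe"}     # assumed list of CLI database clients
CSV_OUTPUT = re.compile(r"\.csv\b", re.IGNORECASE)
TABLE_REF = re.compile(r"\bFROM\s+([A-Za-z_][\w\.\[\]]*)", re.IGNORECASE)


def detect_wmi_launched_db_client(events, window_seconds=60):
    """Rule 1: a shell spawned by the WMI provider host, followed on the same host
    within `window_seconds` by a SQL client writing a .csv file."""
    findings = []
    wmi_shells = defaultdict(list)  # host -> start times of WMI-spawned shells
    for ts, host, parent, image, cmdline in events:
        t = datetime.fromisoformat(ts)
        if parent.lower() == WMI_HOST_PROCESS and image.lower() in SHELLS:
            wmi_shells[host].append(t)
            findings.append({"rule": "wmi_remote_shell", "host": host, "cmdline": cmdline})
        if image.lower() in SQL_CLIENTS and CSV_OUTPUT.search(cmdline):
            if any(abs((t - w).total_seconds()) <= window_seconds for w in wmi_shells[host]):
                findings.append({"rule": "wmi_sql_csv_export", "host": host, "cmdline": cmdline})
    return findings


def detect_bulk_table_enumeration(audit_events, min_tables=3, window_minutes=5):
    """Rule 2: one login, from one client host, reads `min_tables` or more distinct
    tables inside a sliding window of `window_minutes`."""
    per_session = defaultdict(list)  # (login, client_host) -> [(time, table)]
    for ts, login, client, statement in audit_events:
        match = TABLE_REF.search(statement)
        if match:
            per_session[(login, client)].append(
                (datetime.fromisoformat(ts), match.group(1).lower()))
    window = timedelta(minutes=window_minutes)
    findings = []
    for (login, client), reads in per_session.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):
            tables = {tbl for t, tbl in reads[i:] if t - start <= window}
            if len(tables) >= min_tables:
                findings.append({"rule": "bulk_table_read", "login": login,
                                 "client": client, "tables": sorted(tables)})
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_wmi_launched_db_client(PROCESS_EVENTS):
        print(finding)
    for finding in detect_bulk_table_enumeration(AUDIT_EVENTS):
        print(finding)
```

On the constructed data, rule 1 fires twice on `db01` (the WMI-spawned shell and the CSV export that follows it) and stays silent on the interactive `cmd.exe` on `app02`; rule 2 flags `dbadmin` from `10.0.5.77` for touching four tables in under ten seconds while leaving the application service account alone. In production the thresholds and the baseline of which logins normally read which tables would come from your own audit history, and rule 2 is most useful when SQL Server Audit or Extended Events are actually capturing `SELECT` statements, which is part of the monitoring recommendation above.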