
Palo Alto Networks spots new China espionage group showcasing advanced skills

An elusive, persistent, newly confirmed China espionage group has hit almost 10 victims of geopolitical importance in the Middle East, Africa and Asia using specific tactics and extreme stealth to avoid detection, according to Palo Alto Networks’ Unit 42. 

Phantom Taurus uses tooling and a distinct, homegrown set of malware and backdoors that sets it apart from other China-linked threat groups, said Assaf Dahan, who has led an investigation into the group since 2022 as director of threat research at Palo Alto Networks’ Cortex unit. 

The discovery of an undocumented threat group conducting long-term intelligence-gathering operations aligned with Beijing’s interests underscores the spread of China’s offensive espionage operations globally. Roughly 3 in 4 nation-state threats originate from or are operating on behalf of the Chinese government’s interests, Dahan told CyberScoop.

Unit 42 did not name Phantom Taurus’ victims but said the group has infiltrated networks operated by ministries of foreign affairs, embassies, diplomats and telecom networks to steal sensitive and timely data around major summits between government leaders or political and economic events.

Phantom Taurus seeks sustained access to a small set of highly targeted networks so it can periodically and opportunistically steal the data it wants at any time. Unit 42 researchers responded to one case in which the group’s access went back almost two years, Dahan said. 

The threat group remains active and has expanded its scope over time by targeting more organizations. “The latest activity was just a couple of months ago when we saw them highly active in at least two regions of the world,” Dahan said.

Unit 42 expects more victims to be identified as a result of its report, which includes details about the group’s specialized malware, indicators of compromise and tactics, techniques and procedures. 

Phantom Taurus uses multiple pieces of malware, including the newly identified NET-STAR malware suite, which consists of three distinct web-based backdoors. These backdoors support in-memory execution of command-line arguments, arbitrary commands and payloads, and the loading and execution of .NET payloads with evasive capabilities designed to avoid detection in more heavily monitored environments, according to Unit 42.

“These pieces of malware are designed for extreme stealth, allowing them to operate clandestinely, under the radar, and infiltrate into really sensitive organizations,” Dahan said. While Phantom Taurus uses some infrastructure and tools that are commonly shared among multiple Chinese espionage groups, Unit 42 isn’t aware of any other groups using the suite of specialized malware.

The group most often breaks into networks by locating internet-facing devices that can be exploited via known vulnerabilities, Dahan said. “The level of sophistication that we’ve seen from this group is really off the charts. But when it comes to how they actually put a foot in the door, it’s as basic as exploiting an unpatched server most of the time,” he added.

Phantom Taurus’ tools, capabilities, targets and other fingerprints left behind by its activities give Unit 42 confidence that the group is unique and does not overlap with any group previously identified by other research firms. 

“Their entire playbook seems distinct and quite apart from other Chinese threat actors,” Dahan said. “It’s not something that you can mistake for another group.”

The post Palo Alto Networks spots new China espionage group showcasing advanced skills appeared first on CyberScoop.

Interpol operation disrupts romance scam and sextortion networks in Africa

Authorities arrested 260 cybercrime suspects during a two-week operation spanning 14 African countries, Interpol announced Friday. The globally coordinated summertime crackdown dubbed “Operation Contender 3.0” targeted criminal networks that facilitated romance scams and sextortion, officials said. 

Interpol said total losses attributed to the scam syndicates amounted to about $2.8 million across almost 1,500 victims. Authorities seized USB drives, SIM cards and forged documents, and dismantled 81 pieces of cybercrime infrastructure across the continent.

“Cybercrime units across Africa are reporting a sharp rise in digital-enabled crimes such as sextortion and romance scams,” Cyril Gout, acting executive director of police services at Interpol, said in a statement. “The growth of online platforms has opened new opportunities for criminal networks to exploit victims, causing both financial loss and psychological harm.”

Authorities in Ghana arrested 68 people, seized 835 devices and identified 108 victims who lost a combined $450,000, of which $70,000 was recovered. The suspects allegedly used fake profiles, forged identities and stolen images to deceive victims through multiple schemes, including fake courier and customs shipment fees and sextortion.

Police in Senegal arrested 22 suspects who allegedly defrauded 120 victims on social media and dating platforms of about $34,000 combined. 

In Côte d’Ivoire, police arrested 24 suspects and identified 809 victims who were allegedly manipulated into sharing intimate images and then blackmailed. Angolan authorities arrested eight people for allegedly scamming 28 domestic and international victims via social media. 

Group-IB and Trend Micro assisted in the investigation, and other countries participating in the effort included Benin, Burkina Faso, Gambia, Guinea, Kenya, Nigeria, Rwanda, South Africa, Uganda and Zambia.

“By working closely with our member countries and private sector partners, we remain committed to disrupting and dismantling the groups that prey on vulnerable individuals online,” Gout said.

Operation Contender 3.0 occurred, in part, during a much larger Interpol cybercrime crackdown in Africa that resulted in the arrest of 1,209 alleged cybercriminals. Authorities said financial losses attributed to cybercrime rings disrupted during Operation Serengeti 2.0 neared $485 million from almost 88,000 victims.

The post Interpol operation disrupts romance scam and sextortion networks in Africa appeared first on CyberScoop.

Interpol-led crackdown disrupts cybercrime networks in Africa that caused $485 million in losses

A globally coordinated operation involving support from 18 countries in Africa, the United Kingdom and nine security organizations resulted in the arrest of 1,209 alleged cybercriminals, Interpol said Friday.

Authorities said they recovered $97.4 million and dismantled 11,432 pieces of malicious infrastructure between June and August. Financial losses attributed to the ransomware, online scam and business email compromise operations disrupted during the crackdown neared $485 million, officials said.

Operation Serengeti 2.0 identified 87,858 victims from multiple criminal syndicates and operations spanning Africa. Authorities in Zambia took down an online investment fraud scheme that impacted at least 65,000 victims who lost an estimated $300 million combined.

In Angola, authorities dismantled 25 cryptocurrency mining centers where 60 Chinese nationals were allegedly validating blockchain transactions to generate cryptocurrency. Officials said they confiscated 45 illegal power stations along with mining and IT equipment valued at more than $37 million, which the government has earmarked to support power distribution in vulnerable areas. 

TRM Labs, one of the private organizations that supported the crackdown, shared details about ransomware-related operations impacted by the law enforcement action.

“In Ghana, investigators pursued leads tied to the Bl00dy ransomware group, a Conti spin-off that has targeted education, healthcare, and public sector victims. Analysis suggested elements of Bl00dy’s laundering infrastructure were active in the country,” the company said in a LinkedIn post.

Investigators in Seychelles acted on intelligence connected to RansomHub, broadening the range of targets and dismantling additional infrastructure, TRM Labs added.

Interpol said Operation Serengeti 2.0 also disrupted a suspected human trafficking network in Zambia and a transnational inheritance scam in Côte d’Ivoire that caused about $1.6 million in losses. 

“Each Interpol-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries,” Valdecy Urquiza, secretary general of Interpol, said in a statement. “With more contributions and shared expertise, the results keep growing in scale and impact. This global network is stronger than ever, delivering real outcomes and safeguarding victims.”

Countries involved in the crackdown include: Angola, Benin, Cameroon, Chad, Côte d’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, United Kingdom, Zambia and Zimbabwe.

Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro and Uppsala Security also aided the investigation.

The post Interpol-led crackdown disrupts cybercrime networks in Africa that caused $485 million in losses appeared first on CyberScoop.
