CactusPete, also known as Tonto Team, is a Chinese-speaking cyber-espionage group that has been active since at least 2012. Characterized by medium-level technical capabilities, CactusPete has nonetheless shown a rapid development pace, producing more than 20 samples per month. The group primarily targets organizations within a limited range of countries, including South Korea, Japan, the US, and Taiwan. Interestingly, despite its unsophisticated techniques, such as plain code without complicated obfuscation and spear-phishing messages carrying "magic" attachments for distribution, the group has had considerable success in its operations.
On March 3, 2021, CactusPete compromised the email servers of a procurement company and of a consulting firm specializing in software development and cybersecurity, both based in Eastern Europe. In late 2019 and 2020, CactusPete had also begun deploying ShadowPad malware against government organizations, energy, mining and defense bodies, and telecoms located in Asia and Eastern Europe. This is consistent with the group's offensive activity against the Russian defense industry and the Mongolian government, which appears to be shaped mostly by Russian-Mongolian commercial and border relationships.
Like other Advanced Persistent Threat (APT) actors such as TwoSail Junk, FunnyDream, and DarkHotel, CactusPete continues to exploit software vulnerabilities. Its activities make clear that geopolitics is an important driver of APT operations. Despite the lack of advanced techniques, CactusPete's success underscores the threat posed by even medium-capability groups and highlights the need for robust cybersecurity measures across all sectors and regions.
Description last updated: 2024-05-05T00:06:28.604Z