Tonto Team

Threat Actor Profile Updated 2 months ago
Tonto Team is a Chinese government-aligned advanced persistent threat (APT) group that has been active for over a decade. Its campaigns rely on a range of malware, notably the Bisonal and ShadowPad backdoors, and have targeted entities in Japan, Russia, South Korea and, more recently, India. ShadowPad, now part of Tonto Team's arsenal, is also used by other China-nexus clusters such as Tick, and the group additionally shares use of the ReVBShell malware with Tick, as reported by the AhnLab Security Emergency Response Center (ASEC) in April 2023.

The group has been involved in several significant cyber-espionage operations. Amid the Russo-Ukrainian conflict it launched a campaign against Russian agencies in July 2022. Following border clashes between India and China, it targeted four regional despatch centres responsible for operating India's power grid, as reported by Recorded Future's Insikt Group. It has also used the RoyalRoad exploit builder, a tool used mainly by Chinese APT groups, to weaponize decoy RTF documents for spear-phishing, according to threat intelligence firm Group-IB. Because ShadowPad and RoyalRoad are shared across several China-nexus groups, their presence alone does not attribute an intrusion to Tonto Team; overlaps with Tick and other clusters should be weighed before attribution.

Attribution of the group goes beyond vendor clustering. Unclassified analysis by the U.S.-China Economic and Security Review Commission suggests that Tonto Team may be a unit of the People's Liberation Army. This connection was highlighted following reported intrusions in 2017 against several South Korean entities involved in deploying an American-made anti-ballistic missile defense system. Tonto Team therefore poses a significant cybersecurity threat, particularly to geopolitical rivals of China.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name (votes): Profile description

Tick (2): Tick is a threat actor, also known as BRONZE BUTLER, that likely originates from the People's Republic of China. Secureworks incident responders and Counter Threat Unit (CTU) researchers have been investigating activities associated with this group. Tick has deployed various tools and malware fami...

CactusPete (2): CactusPete, also known as Tonto Team, is a Chinese-speaking cyber-espionage group that has been active since at least 2012. Characterized by medium-level technical capabilities, CactusPete has demonstrated a significant development pace, producing more than 20 samples per month. The group primarily...

TA428 (1): TA428 is a China-based cyber-espionage threat actor whose tooling overlaps with several other groups, including Bronze Union (also known as LuckyMouse or APT27) and BackdoorDiplomacy. Its toolkit includes malware such as Albaniiutas (RemShell), which is specifically mentioned in an ESET report...

KeyBoy (1): KeyBoy is malware primarily linked to the cyber-espionage group known as TA413, which has historically targeted Tibetan entities. The malware is designed with an array of functionalities that allow it to infiltrate and exploit computer systems, including screen grabbing, deter...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:

Malware, APT, Exploit, Decoy, State Sponso..., Espionage, Chinese, Phishing, Backdoor, Korean, Government, FireEye, Trojan, RAT, China
Associated Malware
Name (type, votes): Profile description

Bisonal (unspecified, 2): Bisonal is a multifunctional malware that has been in use for over a decade by the Tonto Team, a Chinese government-aligned Advanced Persistent Threat (APT) group. This malicious software is known for its extensive capabilities including process and file information harvesting, command and file exec...

KONNI (unspecified, 1): Konni is a remote access trojan delivered through malicious downloads, email attachments or websites, typically without the user's knowledge. Once inside a system, Konni can steal...

ShadowPad (unspecified, 1): ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in...

BISCUIT (unspecified, 1): "Biscuit" is a malware variant that was notably used in an attack campaign titled "Operation Bitter Biscuit". This operation was first reported by AhnLab in October 2017, targeting entities in South Korea, Japan, India, and Russia. The offensive made use of the Bisonal remote access tr...
Associated Threat Actors
Name (type, votes): Profile description

Karma Panda (unspecified, 1): Karma Panda, also known as CactusPete or Tonto Team, is an Advanced Persistent Threat (APT) group that has been active since at least 2013. This threat actor is a highly skilled and well-resourced group that primarily targets organizations in the United States, Europe, and Asia with a focus on gover...

BITTER (unspecified, 1): Bitter, also known as T-APT-17, is a suspected South Asian threat actor that has been involved in various cyber campaigns. The campaign in question has been active since at least August 2021, with its operations primarily targeting government personnel in Bangladesh through spear-phishing emails. The similarities...

Operation Bitter Biscuit (unspecified, 1): Operation Bitter Biscuit, as reported by AhnLab, was a malicious campaign executed by a threat actor known as the Tonto Team. This operation targeted entities in South Korea, Japan, India, and Russia, with the initial report being published in October 2017. The main tools used in this cyber-attack w...
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Tonto Team threat actor was read from the documents listed below (display limited to 20 results).

Source (created): Title

CERT-EU (6 months ago): Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Japan, Russia, and South Korean entities
MITRE (7 months ago): Woody RAT: A new feature-rich malware spotted in the wild
CERT-EU (10 months ago): Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign
CERT-EU (10 months ago): Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (10 months ago): My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
CERT-EU (10 months ago): Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Japan, Russia, and South Korean entities
BankInfoSecurity (a year ago): Chinese Threat Group APT41 Linked To Android Malware Attacks
CERT-EU (a year ago): Chinese Hackers Targeted G7 Summit Through MS Office Flaw
BankInfoSecurity (a year ago): Chinese Hackers Targeted G7 Summit Through MS Office Flaw
MITRE (a year ago): Bisonal: 10 years of play
MITRE (a year ago): Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
MITRE (a year ago): CactusPete APT group’s updated Bisonal backdoor
MITRE (a year ago): Researchers claim China trying to hack South Korea missile defense efforts
CERT-EU (a year ago): Cybersecurity Firm Group-IB Repeatedly Targeted by Chinese APT
BankInfoSecurity (a year ago): Chinese Threat Group Leaks Hacking Secrets in Failed Attack
CERT-EU (a year ago): Cyber security week in review: April 28, 2023