Tonto Team

Threat Actor updated a month ago (2024-11-29T13:41:51.355Z)
Download STIX
Preview STIX
Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russia, South Korea, and more recently, India. The use of the ShadowPad backdoor, which is now part of Tonto Team's arsenal, has been identified in other China-nexus clusters such as Tick. Furthermore, the group has been linked to the ReVBShell malware, an association also shared with Tick, as confirmed by the AhnLab Security Emergency Response Center (ASEC) in April 2023. The Tonto Team has been involved in several significant cyber-espionage operations. For instance, amid the Russo-Ukrainian conflict, the group launched a campaign against Russian agencies in July 2022. Notably, following border clashes between India and China, the team targeted four regional despatch centers responsible for operating India's power grid, as revealed by Recorded Future's Insikt Group. Additionally, they have used the RoyalRoad exploit builder, a tool primarily utilized by Chinese APT groups, to weaponize decoy RTF documents for spear-phishing operations, according to threat intelligence firm Group-IB. The Tonto Team's activities extend beyond mere cyber-espionage. Unclassified analysis by the U.S.-China Economic and Security Review Commission suggests that Tonto Team may be a unit of the People's Liberation Army. This connection was highlighted following reported hacks in 2017 against several South Korean entities involved in deploying an American-made anti-ballistic missile defense system. As such, the Tonto Team poses a significant cybersecurity threat, particularly to geopolitical rivals of China.
Description last updated: 2024-05-04T17:36:41.911Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
CactusPete is a possible alias for Tonto Team. CactusPete, also known as Tonto Team, is a Chinese-speaking cyber-espionage group that has been active since at least 2012. Characterized by medium-level technical capabilities, CactusPete has demonstrated a significant development pace, producing more than 20 samples per month. The group primarily
2
Tick is a possible alias for Tonto Team. Tick, also known as BRONZE BUTLER, is a threat actor believed to originate from the People's Republic of China. This group has been linked to cyber-espionage activities and is known for deploying a variety of tools and malware families in their operations. Secureworks® incident responders and Counte
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Phishing
Backdoor
Exploit
Decoy
State Sponso...
Espionage
Chinese
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Bisonal Malware is associated with Tonto Team. Bisonal is a multifunctional malware that has been in use for over a decade by the Tonto Team, a Chinese government-aligned Advanced Persistent Threat (APT) group. This malicious software is known for its extensive capabilities including process and file information harvesting, command and file execUnspecified
2
Source Document References
Information about the Tonto Team Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
5 months ago
CERT-EU
a year ago
MITRE
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
2 years ago
BankInfoSecurity
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
CERT-EU
2 years ago
BankInfoSecurity
2 years ago
CERT-EU
2 years ago