Tonto Team

Threat Actor updated 7 months ago (2024-05-04T20:32:02.027Z)
Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group known for its malicious cyber activity. The group has been active for over a decade and uses a range of malware, most notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russia, South Korea and, more recently, India. ShadowPad, now part of Tonto Team's arsenal, has also been observed in other China-nexus clusters such as Tick. The group has further been linked to the ReVBShell malware, an association it likewise shares with Tick, as confirmed by the AhnLab Security Emergency Response Center (ASEC) in April 2023.

Tonto Team has been involved in several significant cyber-espionage operations. Amid the Russo-Ukrainian conflict, the group launched a campaign against Russian agencies in July 2022. Following border clashes between India and China, it targeted four regional despatch centers responsible for operating India's power grid, as revealed by Recorded Future's Insikt Group. The group has also used the RoyalRoad exploit builder, a tool used primarily by Chinese APT groups, to weaponize decoy RTF documents for spear-phishing operations, according to threat intelligence firm Group-IB.

Attribution of Tonto Team goes beyond its cyber-espionage tradecraft. Unclassified analysis by the U.S.-China Economic and Security Review Commission suggests that Tonto Team may be a unit of the People's Liberation Army. This connection was highlighted following reported hacks in 2017 against several South Korean entities involved in deploying an American-made anti-ballistic missile defense system. As such, Tonto Team poses a significant cybersecurity threat, particularly to geopolitical rivals of China.
Description last updated: 2024-05-04T17:36:41.911Z
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions between vendors is difficult, so the following are possible overlapping names and profiles that may also be relevant.
CactusPete (possible alias; 2 votes): CactusPete, also known as Tonto Team, is a Chinese-speaking cyber-espionage group that has been active since at least 2012. Characterized by medium-level technical capabilities, CactusPete has demonstrated a significant development pace, producing more than 20 samples per month. The group primarily

Tick (possible alias; 2 votes): Tick, also known as BRONZE BUTLER, is a threat actor believed to originate from the People's Republic of China. This group has been linked to cyber-espionage activities and is known for deploying a variety of tools and malware families in their operations. Secureworks® incident responders and Counte
Miscellaneous Associations
Other contextual elements that may aid in assessing relevance:
Apt
Malware
Phishing
Backdoor
Exploit
Decoy
State Sponso...
Espionage
Chinese
Associated Malware
Bisonal (association type: unspecified; 2 votes): Bisonal is a multifunctional malware that has been in use for over a decade by Tonto Team, a Chinese government-aligned Advanced Persistent Threat (APT) group. This malicious software is known for its extensive capabilities, including process and file information harvesting, command and file exec
Source Document References
Information about the Tonto Team threat actor was drawn from the documents listed below (display limited to 20 results).

Securityaffairs, 4 months ago
CERT-EU, 10 months ago
MITRE, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
BankInfoSecurity, a year ago
CERT-EU, a year ago
BankInfoSecurity, a year ago
MITRE, 2 years ago
MITRE, 2 years ago
MITRE, 2 years ago
MITRE, 2 years ago
CERT-EU, 2 years ago
BankInfoSecurity, 2 years ago
CERT-EU, 2 years ago