{
	"id": "98b61216-41f2-4d3a-94fd-03b91945f57c",
	"created_at": "2026-04-06T00:21:17.410679Z",
	"updated_at": "2026-04-10T03:33:18.441088Z",
	"deleted_at": null,
	"sha1_hash": "28a7d555a18167dc93e70973fbfb7cd4ef6f3a45",
	"title": "Nice Try Tonto Team | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169702,
	"plain_text": "Anastasia Tikhonova\r\nGlobal Threat Research Lead\r\nNice Try Tonto Team\r\nHow a nation-state APT attempted to attack Group-IB\r\nFebruary 13, 2023 · Advanced Persistent Threats\r\nhttps://www.group-ib.com/blog/tonto-team/\r\nIn 2023, IT and cybersecurity companies remain one of the most attractive targets for cybercriminals, according to the latest threat report “Hi-Tech Crime Trends 2022/2023”. Compromising a vendor’s infrastructure opens up ample opportunities to penetrate the network further and to gain access to a huge pool of data about the victim’s customers and partners. Remember how the SolarWinds attack put Microsoft, Cisco, FireEye, Mimecast, and 18,000 other companies at risk?\r\nIn light of the military conflict, nation-state threat actors from around the world, including from countries that are not directly involved in the crisis, are actively carrying out cyber espionage operations.\r\nIn the summer of 2022, the Group-IB Managed Extended Detection and Response (MXDR) solution detected and blocked an email carrying a malicious attachment. The email was addressed to Group-IB’s employees. While analyzing this attack, Anastasia Tikhonova, Head of APT Research, and Dmitry Kupin, Senior Malware Analyst, at the Group-IB Threat Intelligence team found patterns in the actions of the attackers and attributed the observed TTPs to Tonto Team. The results of their research are worthy of a separate blog post. These findings were presented at GovWare 2022 in Singapore by Anastasia Tikhonova.\r\nAs always, we provide indicators of compromise associated with the Tonto Team campaign and a detailed analysis of the tools, techniques, and procedures (TTPs) of the threat actor in the MITRE ATT\u0026CK format (Adversarial Tactics, Techniques \u0026 Common Knowledge). 
This information is useful for organizations fighting cybercrime and for information security professionals — chief information officers, SOC analysts, and incident responders — in other sectors targeted by Tonto Team. Our goal is to assist in the adoption of preventive measures against Tonto Team attacks.\r\nKey findings\r\nWho is Tonto Team?\r\nTonto Team (aka HeartBeat, Karma Panda, CactusPete, Bronze Huntley, Earth Akhlut) is a cyber espionage threat actor that is believed to originate from China. The threat actor has been targeting government, military, energy, financial, educational, healthcare, and technology sector companies since 2009. Initially focusing on Asia Pacific (South Korea, Japan, Taiwan) and the United States, by 2020 the group had expanded its operations to Eastern Europe.\r\nIn June 2022, the Group-IB Managed XDR solution detected and blocked an attempt to deliver a malicious email to Group-IB’s employees.\r\nThe attackers used phishing emails to deliver malicious Microsoft Office documents created with the Royal Road Weaponizer, a tool widely used by Chinese nation-state threat actors.\r\nDuring the attack, Group-IB researchers noticed the use of the Bisonal.DoubleT backdoor. Bisonal.DoubleT is a unique tool developed by the Tonto Team APT.\r\nThe attackers used a new downloader that Group-IB analysts named TontoTeam.Downloader (aka QuickMute).\r\nNation-state APT: it all started with an email…\r\nOn the evening of June 20, 2022, Group-IB Managed XDR triggered an alert and blocked malicious emails that were sent to two Group-IB employees.\r\nScreenshots of alerts in Group-IB Managed XDR (Subject of the letter: State cloud issues in terms of information security. 
Meeting protocol)\r\nThe threat actors posed as an employee of a legitimate company and used a fake mailbox created with GMX Mail (Global Message eXchange), a free email service. The targeted phishing emails were meant to be the first stage of an attack.\r\nAnalysis of the malicious document\r\nThe file “17.06.2022_Протокол_МРГ_Подгруппа_ИБ.doc” (roughly “17.06.2022_Minutes_WorkingGroup_InfoSec-Subgroup.doc”) was attached to the email.\r\nThe analyzed file is a malicious Rich Text Format (RTF) document created with the Royal Road RTF Weaponizer, a tool used mainly by Chinese APT groups. It lets the threat actor build malicious RTF exploits with plausible decoy content for CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798, all of which are vulnerabilities in the Microsoft Equation Editor.\r\nResearchers at Malwarebytes and SentinelOne have previously highlighted some of the indicators of compromise connected to these RTF documents, but we would like to take a closer look at the kill chain.\r\nThe decoy document has the following metadata:\r\nRunning the decoy, we found an encoded malicious payload, dcnx18pwh.wmf (MD5: 518439fc23cb0b4d21c7fd39484376ff).\r\nAnalysis of the decrypted payload\r\nThe decrypted payload is a malicious PE32 EXE file (MD5: e40c514739768ba04ab17ff0126c1533) that can be classified as a Bisonal.DoubleT backdoor. This malware provides remote access to an infected computer and allows an attacker to execute various commands on it.\r\nWe conducted a static analysis of the Bisonal.DoubleT sample to compare it with an older version detected in 2020 (MD5: c3d25232add0238d04864fc992e7a330) and found similar strings.\r\nIn addition, we conducted a dynamic comparative analysis of the sample obtained in 2022 
with other samples in the Bisonal.DoubleT malware family. The recoverable cells of the comparison table are:\r\nSample 2022 (MD5 e40c514739768ba04ab17ff0126c1533) – URL: hXXp://137.220.176[.]165/ru/order/index.php?strPageID=234989760 – User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7\\r\\nCookie: JSESSIONID=AHAKQAIOMIBQAAA3HEKQAAIAAAAAMAAAAAAQAAAAAEFAASSFKJJE6TCEFVIEGBQAJVUWO5LFNQFAASSFKJJE6TCEFVIEGAAAAIADEMQ=\r\nSample 2020 (MD5 c3d25232add0238d04864fc992e7a330) – URL and User-Agent cells truncated; the visible fragments (hXX…, upd…, strP…; Mo…, App…, Chr…) belong to the same strPageID request and the same Mozilla/AppleWebKit/Chrome User-Agent template.\r\nNote that the User-Agent value as stored in the sample does not stop at the browser token: it continues with a CRLF and the remaining request headers (Accept-Encoding, Accept-Language with ru-RU first, and a Cookie header), so the whole header tail is emitted from one string, and the JSESSIONID cookie value consists solely of characters from the Base32 alphabet.\r\nIn the original comparison, the identical patterns of network requests are highlighted in red and the generated ID in blue.\r\nIn the sample obtained in 2020, we found traces of communication with the C2 server offices-update[.]com, which was also mentioned by IZ:SOC in connection with another Bisonal malware sample.\r\nConnection to the C2 of the Bisonal sample from the IZ:SOC public report\r\nAs the table and the screenshot above show, the network requests are very similar.\r\nThe main functionality of Bisonal.DoubleT:\r\ncollecting information about the compromised host: system language encoding, proxy server address, time since system boot, hostname, account name under which the file is running, and local IP address;\r\ngetting a list of processes;\r\nstopping a specified process;\r\ngetting remote access to cmd.exe;\r\ndownloading a file from the control server and running it;\r\ncreating a file on disk using the local language encoding.\r\nThe collected information about the compromised host is encoded using the Base32 algorithm. All of the important strings are encoded using an RC4 algorithm in a non-standard implementation with a 128-byte S-box (standard RC4 uses a 256-byte S-box, so off-the-shelf RC4 routines will not decrypt these strings without modification). After decryption, the strings look like this:\r\nThe data transmitted in the POST request (the result of command execution) is encrypted using the same non-standard RC4 implementation with a 128-byte S-box that protects the strings in the malware’s body.\r\nBasic communication patterns between the threat actor’s C2 and Bisonal.DoubleT (2022 sample):\r\nRequest – Template – Example\r\nHello – GET request – hXXps://137[.]220[.]176[.]165/ru/order/index.php?strPageID=[ID], where ID is a decimal number – …strPageID=167880 (example truncated)\r\nCommand – GET request – hXXps://137[.]220[.]176[.]165/ru/news/index.php?strPageID=[ID]\u0026newsID=[YYYY-MM-DD-mmss] – …strPageID=167880 (example truncated)\r\nResponse – POST request – hXXps://137[.]220[.]176[.]165/xhome[.]native[.]page/datareader.php?sid=[ID] – …sid=167880896\r\nDownload \u0026 Execute – GET request – hXXps://137[.]220[.]176[.]165/siteFiles/index.php?strPageID=[ID] – …strPageID=167880 (example truncated)\r\nAttribution\r\nThe set of files described above can be considered related to the cyberespionage group Tonto Team. There are several connections between the attempted attack against Group-IB and the Tonto Team APT:\r\nThe Bisonal.DoubleT malware was previously attributed to this threat actor and has been used by the group since at least 2019.\r\nAnalysis of the network infrastructure showed the use of the IP address 137[.]220[.]176[.]165, which had previously been seen in Tonto Team attacks.\r\nThe document was also created with the Royal Road RTF Weaponizer.\r\nMetadata in the decoy documents indicates that the operating system language of the document’s author was Simplified Chinese.\r\nTherefore, Group-IB specialists assess with high confidence that this activity was carried out by Tonto Team.\r\nWe’ve seen them before\r\nDuring the research, we wondered whether this was the first attempt by Tonto Team to attack Group-IB. To answer this question, we studied the entire Group-IB Managed XDR database of neutralized malicious mailings and discovered that in the summer of 2021 the threat actor had already tried to attack Group-IB employees. The attempt was unsuccessful.\r\nThe screenshot below shows that on June 28, 2021, Group-IB Managed XDR blocked an email sent to our employees. This email contained a file that we identified as malicious.\r\nDocuments are created in Royal Road, the well-known malicious document builder widely used by Chinese APT groups.\r\nMalicious documents are commonly used to deliver custom malware. Bisonal has existed for over 10 years with continuous development, and both it and its DoubleT version are attributed to Tonto Team.\r\nIt was not the first time Tonto Team has shown interest in the IT sector. 
In March 2021, the group hacked into the email servers of a purchasing company and of a software development and cybersecurity consulting company based in Eastern Europe.\r\nThe Group-IB malware detonation platform analyzed the malicious attachment, so we were able to see the following picture:\r\nIs it really the same scheme?\r\nIn 2021, the threat actor used spearphishing as the initial attack vector and once again employed a fake mailbox registered with the GMX Mail service.\r\nThe analyzed file “30 июня B 17.30 – очередное заседание Исполкома АДЭ.doc” (“June 30 at 17:30 – regular meeting of the ADE Executive Committee.doc”; MD5: 7c138c6b6f88643d7c16e741f98e0503) is a malicious RTF document created with the Royal Road RTF Weaponizer, like the email attachment used in the 2022 attack on Group-IB.\r\nThe decoy has the following metadata:\r\nMalicious encoded payload (8.t, MD5: d5d0a1a034dcefdb08d9ca51c7694a22):\r\nAnalysis of the decrypted payload\r\nThe decrypted payload is a malicious PE32 DLL file that can be classified as Bisonal.Dropper. This malware is used to deploy the Bisonal backdoor on the victim’s system.\r\nCompiled date: 06/28/2021 01:44:01 UTC (09:44 Beijing time, UTC+8 – the beginning of a workday in China).\r\nBisonal.Dropper creates the file “%AppData%\\Roaming\\conhost.exe” (the Bisonal.DoubleT backdoor) and writes random overlay data to it to change the backdoor’s hash, which defeats hash-based matching of the dropped file. Note that the legitimate conhost.exe lives in %SystemRoot%\\System32; a conhost.exe under a user profile is a masquerading indicator in its own right.\r\nThe dropper also adds “conhost.exe” to the system startup by creating a registry Run value:\r\n[HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] userInit = \"%AppData%\\Roaming\\conhost.exe\"\r\nThe backdoor will run only after a system reboot. 
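The Bisonal.DoubleT request templates, User-Agent and Base32-encoded cookie described above, together with the conhost.exe persistence of the dropper, can be turned into a simple hunt. The Python below is an added example written for this page, not code from the Group-IB post: the proxy log lines and Run-key values it scans are constructed, the pipe-separated log layout is invented for the example, the newsID timestamp is assumed to be four digits after the date, and only the URI path is matched because the same paths reappear on the 2021 host discussed later, so the host is the least stable part of the pattern.

```python
# Added example for this page (not code from the Group-IB post): hunt for the
# Bisonal.DoubleT artefacts described above in constructed telemetry.
import re

# URI templates from the C2 request table. Only the path is matched: the same
# paths appear on the 2022 (137.220.176.165) and 2021 (103.85.20.194) hosts.
# Assumption: the newsID suffix 'mmss' is four digits.
URI_TEMPLATES = {
    'hello':            re.compile('^/ru/order/index[.]php[?]strPageID=[0-9]+$'),
    'command':          re.compile('^/ru/news/index[.]php[?]strPageID=[0-9]+'
                                   '&newsID=[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}$'),
    'response':         re.compile('^/xhome[.]native[.]page/datareader[.]php[?]sid=[0-9]+$'),
    'download_execute': re.compile('^/siteFiles/index[.]php[?]strPageID=[0-9]+$'),
}
# Hard-coded User-Agent of the 2022 sample. In the binary the string goes on
# with CRLF, Accept-Encoding, Accept-Language ru-RU and the Cookie header, so
# only the leading token is compared here.
BISONAL_UA = ('Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) '
              'Chrome/66.0.3359.181 Safari/537.36')
# RFC 4648 Base32 alphabet; the same characters make up the YARA $s0 string.
BASE32_CHARS = set('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567')
COOKIE_PREFIX = 'JSESSIONID='


def looks_base32(value):
    '''True if value is a syntactically valid Base32 string: length a multiple
    of 8, alphabet characters only, and 0/1/3/4/6 padding characters at the end.'''
    body = value.rstrip('=')
    pad = len(value) - len(body)
    return (len(value) % 8 == 0 and pad in (0, 1, 3, 4, 6)
            and len(body) > 0 and set(body) <= BASE32_CHARS)


def classify_request(method, path, user_agent, cookie):
    '''Return the Bisonal stage matched by one proxied request, or None.
    ua_match and cookie_base32 tell the analyst how strong the hit is.'''
    for stage, pattern in URI_TEMPLATES.items():
        if pattern.match(path) is None:
            continue
        if method != ('POST' if stage == 'response' else 'GET'):
            continue
        cookie_value = cookie[len(COOKIE_PREFIX):] if cookie.startswith(COOKIE_PREFIX) else ''
        return {'stage': stage,
                'ua_match': user_agent == BISONAL_UA,
                'cookie_base32': looks_base32(cookie_value)}
    return None


def hunt_proxy_log(lines):
    '''Scan pipe-separated lines: client|method|host|path|user-agent|cookie
    (a log layout invented for this example).'''
    hits = []
    for line in lines:
        client, method, host, path, user_agent, cookie = line.split('|', 5)
        verdict = classify_request(method, path, user_agent, cookie)
        if verdict is not None:
            verdict.update(client=client, host=host)
            hits.append(verdict)
    return hits


def suspicious_run_entries(run_values):
    '''Flag Run-key values that launch a conhost.exe outside System32, as the
    Bisonal.Dropper persistence above does (the real conhost.exe lives in
    %SystemRoot%\\System32 and is never started from a Run value).'''
    flagged = []
    for name, data in run_values:
        image = data.strip().strip(chr(34)).lower()
        if image.endswith('conhost.exe') and 'system32' not in image:
            flagged.append((name, data))
    return flagged


# Cookie value shown in the request comparison above.
COOKIE = (COOKIE_PREFIX + 'AHAKQAIOMIBQAAA3HEKQAAIAAAAAMAAAAAAQAAAAAEFA'
          'ASSFKJJE6TCEFVIEGBQAJVUWO5LFNQFAASSFKJJE6TCEFVIEGAAAAIADEMQ=')
# Constructed proxy log: three Bisonal stages from one client, then two benign look-alikes.
PROXY_LOG = [
    '10.0.0.15|GET|137.220.176.165|/ru/order/index.php?strPageID=234989760|' + BISONAL_UA + '|' + COOKIE,
    '10.0.0.15|GET|137.220.176.165|/ru/news/index.php?strPageID=234989760&newsID=2022-06-21-1530|' + BISONAL_UA + '|',
    '10.0.0.15|POST|137.220.176.165|/xhome.native.page/datareader.php?sid=234989760|' + BISONAL_UA + '|',
    '10.0.0.22|GET|www.example.com|/ru/order/index.php?strPageID=1|Mozilla/5.0|',
    '10.0.0.23|GET|www.example.com|/index.php?strPageID=5|Mozilla/5.0|',
]
# Constructed HKCU Run values: (value name, data).
RUN_VALUES = [
    ('OneDrive', 'C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background'),
    ('userInit', '%AppData%\\Roaming\\conhost.exe'),
]

if __name__ == '__main__':
    for hit in hunt_proxy_log(PROXY_LOG):
        print(hit)
    print(suspicious_run_entries(RUN_VALUES))
```

A path match on its own is weak: the fourth constructed line shows a benign host serving a look-alike path and is reported with ua_match and cookie_base32 both false. Treat a hit as high confidence when the User-Agent or the cookie shape matches as well, or when the destination is one of the C2 addresses from the tables, and treat any conhost.exe started from a Run value as a masquerade regardless of its hash, since the dropper randomizes the overlay.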
Bisonal.DoubleT may write the following error messages to the log file “%windows%\\temp\\log.txt”:\r\n“[!] get pRegSetValueEx error\\n”\r\n“[!] get pGetProcAddress error\\n”\r\n“[!] get LoadLibraryA error\\n”\r\n“conhost.exe” (MD5: f53965ab81f746f5a2bf183d2a704c72) is a malicious PE32 EXE file that can be classified as a Bisonal.DoubleT backdoor. Comparing this 2021 sample with the 2022 sample, we found no difference in functionality or encryption algorithms.\r\nIn the 2021 sample, all important strings are also encoded using the RC4 algorithm in a non-standard implementation with a 128-byte S-box.\r\nAfter decryption, the strings look like this:\r\nIn addition, we compared the decrypted strings of the 2022 and 2021 samples. In the comparison, the strings specific to the 2022 sample are marked in red, and the strings of the 2021 sample are highlighted in yellow.\r\nBasic communication patterns between the C2 and Bisonal.DoubleT (2021 sample, C2 103[.]85[.]20[.]194 – the same request templates as in 2022, on a different host):\r\nRequest – Template – Example\r\nHello – GET request – hXXps://103[.]85[.]20[.]194/ru/order/index.php?strPageID=[ID], where ID is a decimal number – …strPageID=1678808 (example truncated)\r\nCommand – GET request – hXXps://103[.]85[.]20[.]194/ru/news/index.php?strPageID=[ID]\u0026newsID=[YYYY-MM-DD-mmss] – …strPageID=1678808 (example truncated)\r\nResponse – POST request – hXXps://103[.]85[.]20[.]194/xhome[.]native[.]page/datareader.php?sid=[ID] – …sid=167880896\r\nDownload \u0026 Execute – GET request – hXXps://103[.]85[.]20[.]194/siteFiles/index.php?strPageID=[ID] – …strPageID=1678808 (example truncated)\r\nSo, there’s nothing new at 
all?\r\nIn the 2022 attack, Tonto Team used a new downloader that Group-IB named TontoTeam.Downloader. It has also been called QuickMute in another public source.\r\nAs usual, the group used a malicious RTF document created in Royal Road – Вниманию.doc (“Attention.doc”; MD5: 8cdd56b2b4e1e901f7e728a984221d10).\r\nMalicious encoded payload:\r\nAnalysis of TontoTeam.Downloader\r\nThe decrypted payload is a malicious PE32 EXE file (MD5: 66c46b76bb1a1e7ecdb091619a8f5089) that can be classified as a downloader. It is used to download the malware for the next stage of the attack, a DLL with the exported function “HttpsVictimMain”.\r\nThe configuration data of the analyzed file is encrypted using RC4. The key is contained in the malware body and is 256 bytes long.\r\nDecrypted configuration data:\r\nhttps!upportteam[.]lingrevelat[.]com$443$1111111111111111111111111111111111111111111111111…\r\nParameter – Value – Description\r\nparam_1 – https – Network protocol type\r\nparam_2 – upportteam[.]lingrevelat[.]com – Domain name\r\nparam_3 – 443 – Network port\r\nparam_4 – a long run of “1” characters – Operating-time table (the malware works only at certain hours on certain days of the week)\r\nparam_5 – {A931568B-94AF-449D-B7F6-6585EF9E9839} – Mutex name\r\nparam_6 – https-note-86 – Unknown, possibly a malware ID\r\nThe functionality of TontoTeam.Downloader:\r\nMultithreading.\r\nPassing important strings (the name of the exported function, User-Agent, URL path, etc.) through the stack.\r\nUsing the encryption algorithms RC4 and XOR.\r\nCreating a “Notepad” window with the “Wrap” window class.\r\nCreating the mutex “{A931568B-94AF-449D-B7F6-6585EF9E9839}”.\r\nCreating the mutex “QuitMutex%d”, where %d is the PID of the running downloader process; it is used to prevent the payload file from being downloaded and run again.\r\nChecking the local time against param_4: the hour and the day of the week are taken from the local time on the victim’s computer, and if the param_4 entry at the index formed from them (described as the product of the hour and the day of the week) is not 1, the main functionality is not executed.\r\nDownloading the payload from hXXps://upportteam[.]lingrevelat[.]com/update/v32/default – a malicious DLL with the “HttpsVictimMain” exported function. The DLL is encrypted with RC4 and XOR: the data is first decrypted with RC4, then the XOR step is applied starting at offset 0x104 (260 bytes).\r\nPossibly using the system proxy settings or the settings specified in the configuration data.\r\nDecrypting the data downloaded from the URL and checking that it is a PE32 file.\r\nLoading the next-stage payload (the downloaded DLL) into memory and calling its “HttpsVictimMain” export. The call also passes the following parameters: domain name, network port, RC4 key (contained in the downloaded DLL), the hours/days-of-week table, the unknown parameter with the value “https-note-86” (possibly a BotID or CampaignID), proxy server, proxy port, proxy user, and proxy password.\r\nNetwork request example:\r\nGET /update/v32/default HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\nHost: upportteam[.]lingrevelat[.]com\r\nAdvanced Persistent Threats – Conclusion\r\nGroup-IB experts have previously warned about threats from TaskMasters and TA428, other Chinese nation-state cyber threat actors. Based on the analysis above, the company’s Threat Intelligence team concluded that Tonto Team is behind the 2021–2022 attempted attacks on Group-IB.\r\nThe main goal of Chinese APTs is espionage and intellectual property theft. Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear phishing to deliver malicious documents that exploit vulnerabilities, with decoys specially prepared for this purpose. Successful supply chain attacks against IT and cybersecurity companies give attackers access to a large number of the victims’ customers and partners. Therefore, organizations in these sectors need to stay up to date with the ever-evolving tools, tactics, and methods of threat actors and employ Group-IB Managed XDR for advanced threat detection and response. This solution proved its efficiency in preventing the alleged Tonto Team attack on Group-IB’s employees.\r\nGroup-IB Managed XDR contains a whole range of advanced cybersecurity solutions to stop complex targeted attacks. Learn more about the solution in our blog post.\r\nGroup-IB will continue to research the methods, tools and tactics of Tonto Team and inform the organizations targeted by this pro-state group. We aspire to promptly inform attacked organizations about the discovered malicious activity against them – it helps minimize the damage from the threat actor’s actions. 
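The configuration layout, the operating-time gate and the PE32 check of TontoTeam.Downloader described above, as an added example written for this page (not code from the Group-IB post). The sample configuration is rebuilt from the values in the parameter table with the domain left defanged. The 168-entry schedule (24 hours x 7 days) and the index formula weekday * 24 + hour are assumptions stated in the code: the post describes the index as the product of the hour and the day of the week and does not state the table length, and the weekday numbering here follows the C tm_wday convention (0 = Sunday). For the all-ones table of the sample the choice does not matter, the gate is always open.

```python
# Added example for this page (not code from the Group-IB post): parse a
# decrypted TontoTeam.Downloader configuration, apply its operating-time gate
# and validate a downloaded stage as PE32, following the description above.
import struct

# Field order taken from the post's parameter table; the separators come from
# the YARA $config_parse_str format (%[^!]!%[^$]$...): the first field ends at
# '!', all later fields are '$'-separated. Fields beyond the six named ones are
# kept as 'extra' (the post says proxy settings may also live in the config).
CONFIG_FIELDS = ('protocol', 'host', 'port', 'schedule', 'mutex', 'tag')
# Assumption: param_4 is one entry per hour of the week (24 x 7). The post prints
# a long run of '1's but does not state the count.
SCHEDULE_LEN = 24 * 7


def parse_config(blob):
    '''Split a decrypted config string into named fields (port as int).'''
    protocol, rest = blob.split('!', 1)
    values = [protocol] + rest.split('$')
    if len(values) < len(CONFIG_FIELDS):
        raise ValueError('short config: %d fields' % len(values))
    cfg = dict(zip(CONFIG_FIELDS, values))
    cfg['port'] = int(cfg['port'])
    cfg['extra'] = values[len(CONFIG_FIELDS):]
    if len(cfg['schedule']) != SCHEDULE_LEN or set(cfg['schedule']) - {'0', '1'}:
        raise ValueError('schedule must be %d chars of 0/1' % SCHEDULE_LEN)
    return cfg


def gate_open(schedule, weekday, hour):
    '''param_4 check. The post says the index is the product of hour and
    weekday; a 168-entry table is naturally laid out as 24 hours x 7 days, so
    this example assumes index = weekday * 24 + hour (weekday 0 = Sunday, as
    in C's tm_wday). With the all-ones table of the sample both readings agree:
    the downloader runs at any time.'''
    if not (0 <= weekday <= 6 and 0 <= hour <= 23):
        raise ValueError('weekday 0-6, hour 0-23')
    return schedule[weekday * 24 + hour] == '1'


def business_hours_schedule(days=range(1, 6), hours=range(9, 18)):
    '''Constructed counter-example: a table that only allows Mon-Fri 09-17.'''
    table = ['0'] * SCHEDULE_LEN
    for day in days:
        for hour in hours:
            table[day * 24 + hour] = '1'
    return ''.join(table)


def is_pe32(data):
    '''Minimal version of the downloader's own check on the decrypted stage:
    MZ header, e_lfanew inside the buffer, PE signature, machine 0x14c (i386).'''
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        return False
    return struct.unpack_from('<H', data, e_lfanew + 4)[0] == 0x14c


def fake_pe32_header():
    '''Constructed 0x48-byte buffer carrying only the fields is_pe32 inspects.'''
    buf = bytearray(0x48)
    buf[0:2] = b'MZ'
    struct.pack_into('<I', buf, 0x3c, 0x40)
    buf[0x40:0x44] = b'PE' + bytes(2)
    struct.pack_into('<H', buf, 0x44, 0x14c)
    return bytes(buf)


# Config rebuilt from the values in the table above (domain kept defanged);
# the '1' * SCHEDULE_LEN schedule stands in for the all-ones param_4.
SAMPLE_CONFIG = ('https!upportteam[.]lingrevelat[.]com$443$' + '1' * SCHEDULE_LEN
                 + '${A931568B-94AF-449D-B7F6-6585EF9E9839}$https-note-86')

if __name__ == '__main__':
    cfg = parse_config(SAMPLE_CONFIG)
    print(cfg['protocol'], cfg['host'], cfg['port'], cfg['mutex'], cfg['tag'])
    print('sample gate, Sunday 03:00:', gate_open(cfg['schedule'], 0, 3))
    print('business-hours gate, Sunday 03:00:', gate_open(business_hours_schedule(), 0, 3))
    print('PE32 check:', is_pe32(fake_pe32_header()))
```

Feed parse_config the plaintext obtained after RC4-decrypting the blob with the 256-byte key the post says is carried in the binary (the YARA rule later on the page lists a 256-byte $rc4_key). The gate matters for dynamic analysis: if the table allows only certain hours, a sandbox detonated outside them sees the downloader exit before any network activity, so read param_4 before concluding that a sample is inert.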
Additionally, we consider informing the cybersecurity community about discovered threats part of our mission, and we encourage other researchers to study complex threats together, share data, and use our technologies to combat intruders.\r\nThe Group-IB Managed XDR components referred to above: Endpoint Detection \u0026 Response (EDR), Network Traffic Analysis (NTA), Malware Detonation Platform (MDP), Business Email Protection (BEP), Threat Intelligence (TI), Managed Services (MS).\r\nIoCs\r\nHash · Network indicators · User-Agent · Mutexes\r\nMITRE ATT\u0026CK\r\nInitial Access · Execution · Persistence · Privilege Escalation · Defense Evasion · Credential Access · Discovery · Lateral Movement · Collection · Command and Control · Exfiltration · Impact\r\nYARA rules\r\nimport \"pe\"\r\n\r\nrule apt_tontoteam__bisonal_doublet\r\n{\r\n meta:\r\n author = \"Dmitry Kupin\"\r\n company = \"Group-IB\"\r\n description = \"Detects Bisonal.DoubleT samples\"\r\n date = \"2022-06-20\"\r\n hash = \"58c1cab2a56ae9713b057626953f8967c3bacbf2cda68ce104bbb4ece4e35650\"\r\n strings:\r\n $s0 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=\" fullword ascii\r\n $s1 = \"{\\\"status\\\":\\\"success\\\"}\" fullword ascii\r\n $s2 = \"GetNativeSystemInfo\" fullword ascii\r\n $s3 = \"::Off\" fullword ascii\r\n $s4 = \"::On\" fullword ascii\r\n condition:\r\n all of ( $s* ) or pe.imphash ( ) == \"2edcf20dae8aede04f118ccf201f5bd2\" or pe.impha\r\n}\r\n\r\nrule apt_tontoteam__downloader\r\n{\r\n meta:\r\n author = \"Dmitry Kupin\"\r\n company = \"Group-IB\"\r\n description = \"Detects TontoTeam.Downloader samples\"\r\n date = \"2022-06-17\"\r\n hash = \"c357faf78d6fb1460bfcd2741d1e99a9f19cf6dffd6c09bda84a2f0928015398\"\r\n strings:\r\n $config_parse_str = \"%[^!]!%[^$]$%[^$]$%[^$]$%[^$]$%[^$]$%[^$]$%[^$]$%[^$]$%[^$]$%\r\n $s_file_description = \"Wrap Module\" fullword wide\r\n $s_mutex = \"QuitMutex%d\" fullword wide\r\n $s_window_name = \"Notepad\" fullword wide\r\n $s_window_class_name = \"Wrap\" fullword wide\r\n $rc4_key = { 38 05 87 0F 0C 6B 9F 2A 2B 1F F8 DA D2 6E 1E 42\r\n 8D 3D 07 5F 36 F9 91 21 FC 7D EB 8A 06 C7 66 3F\r\n 29 2F EF FB 78 B6 1B 7B 04 14 B2 30 98 D0 7F 8B\r\n BF EC 47 FE 94 5D A6 CF 15 44 FF AB C9 57 46 81\r\n 93 69 82 58 08 03 B5 68 25 83 1D 0A 1A 9E D6 48\r\n 2E 09 EA C1 02 0D 51 F2 6C 0B 4D E8 A9 32 5B AE\r\n B7 A7 C5 01 3A 8F 72 00 4E 76 DB 65 4A 23 70 BA\r\n 97 52 D7 D4 E2 8E 89 3B AC 9B 90 63 28 1C 39 A0\r\n 77 27 A5 0E EE D5 4C E7 41 B8 9A 17 B4 37 A4 F1\r\n A3 55 C4 B9 CD CC 88 D1 CB 18 22 4F 2D 8C E5 9D\r\n BB F5 35 60 FA 84 E0 73 13 C6 C2 79 B3 5E 71 26\r\n D9 F7 3C 2C F3 45 7A 43 10 4B CE E6 86 16 ED AD\r\n 12 BC DE 85 AF 19 A8 C8 E3 E9 31 F0 61 5A 99 75\r\n A2 E1 56 B0 D8 53 7C DD DF BE E4 80 C0 54 C3 74\r\n 7E 6D 20 49 64 67 B1 40 A1 95 D3 DC BD 24 9C FD\r\n 3E 6F 5C 62 34 F4 6A 50 CA 92 AA 96 33 11 F6 59 }\r\n $protocols = { 00 74 00 63 00 70 00 00 00 75 00 64 00 70 00 00\r\n 00 68 00 74 00 74 00 70 00 00 00 00 00 68 00 74\r\n 00 74 00 70 00 73 00 00 00 25 00 73 00 3A 00 25\r\n 00 64 00 }\r\n condition:\r\n $config_parse_str or $rc4_key or $protocols or all of ( $s_* ) or pe.imphash ( ) =\r\n}",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.group-ib.com/blog/tonto-team/"
	],
	"report_names": [
		"tonto-team"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed4c7e37-461f-40f1-ad43-6ad7e21b32bc",
			"created_at": "2022-10-25T16:07:24.303712Z",
			"updated_at": "2026-04-10T02:00:04.929134Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [],
			"source_name": "ETDA:TaskMasters",
			"tools": [
				"404-Input-shell web shell",
				"ASPXSpy",
				"ASPXTool",
				"AtNow",
				"DbxDump Utility",
				"HTran",
				"HUC Packet Transmit Tool",
				"Mimikatz",
				"NBTscan",
				"PortScan",
				"ProcDump",
				"PsExec",
				"PsList",
				"RemShell",
				"RemShell Downloader",
				"gsecdump",
				"jsp File browser",
				"nbtscan",
				"pwdump",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4ae78ca3-8bc8-4d67-9df1-a85df250a8a0",
			"created_at": "2024-10-08T02:00:04.469211Z",
			"updated_at": "2026-04-10T02:00:03.726781Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [
				"BlueTraveller"
			],
			"source_name": "MISPGALAXY:TaskMasters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434877,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28a7d555a18167dc93e70973fbfb7cd4ef6f3a45.pdf",
		"text": "https://archive.orkl.eu/28a7d555a18167dc93e70973fbfb7cd4ef6f3a45.txt",
		"img": "https://archive.orkl.eu/28a7d555a18167dc93e70973fbfb7cd4ef6f3a45.jpg"
	}
}