{
	"id": "7e918dea-2c80-4d9e-94ce-48a077e4ab03",
	"created_at": "2026-04-06T00:21:06.706192Z",
	"updated_at": "2026-04-10T03:31:44.445396Z",
	"deleted_at": null,
	"sha1_hash": "305f12974ae080737a6d99085bbcf5415fab00c4",
	"title": "CactusPete APT group’s updated Bisonal backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113502,
	"plain_text": "CactusPete APT group’s updated Bisonal backdoor\r\nBy Konstantin Zykov\r\nPublished: 2020-08-13 · Archived: 2026-04-05 13:56:09 UTC\r\nCactusPete (also known as Karma Panda or Tonto Team) is an APT group that has been publicly known since at least 2013. Some of the group’s activities have been previously described in public by multiple sources. We have been investigating and privately reporting on this group’s activity for years as well. Historically, their activity has been focused on military, diplomatic and infrastructure targets in Asia and Eastern Europe.\r\nThis is also true of the group’s latest activities.\r\nA new CactusPete campaign, spotted at the end of February 2020 by Kaspersky, shows that the group’s favored types of target remain the same. The victims of the new variant of the Bisonal backdoor, according to our telemetry, were from financial and military sectors located in Eastern Europe. Our research started from only one sample, but by using the Kaspersky Threat Attribution Engine (KTAE) we found 300+ almost identical samples. All of them appeared between March 2019 and April 2020. This underlines the speed of CactusPete’s development – more than 20 samples per month.\r\nThe target location forced the group to use a hardcoded Cyrillic codepage during string manipulations. This is important, for example, for the remote shell functionality, to correctly handle the Cyrillic output from executed commands.\r\nThe method of malware distribution for the new campaign remains unknown, but previous campaigns suggest that it follows their usual approach. The attackers’ preferred way to deliver malware is spear-phishing messages with “magic” attachments. The attachments never contain zero-day exploits, but they do include recently discovered and patched vulnerabilities, or any other crafty approaches that might help them deliver the payload. Running these attachments leads to infection.\r\nOnce the malware starts, it tries to reach a hardcoded C2. The communication takes place over plain HTTP; the request and response bodies are RC4-encrypted, and the encryption key is also hardcoded into the sample. As the result of the RC4 encryption may contain binary data, the malware additionally encodes it in BASE64 to match the HTTP specification.\r\nhttp://C2_DOMAIN_IP/chapter1/user.html/BASE64_RC4_ENCRYPTED_BODY\r\nThe handshake consists of several steps: initial request, victim network details and a more detailed victim information request. This is the complete list of victim-specific information that is sent to the C2 during the handshake steps:\r\nHostname, IP and MAC address;\r\nWindows version;\r\nTime set on infected host;\r\nFlag that indicates whether the malware was executed in a VMware environment;\r\nProxy usage flag;\r\nSystem default CodePage Identifier;\r\nhttps://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/\r\nPage 1 of 4\r\nAfter the handshake has been completed, the backdoor waits for a command, periodically pinging the C2 server. The response body from the C2 ping might hold the command and, optionally, its parameters. The updated Bisonal backdoor version maintains functionality similar to past backdoors built from the same codebase:\r\nExecute a remote shell;\r\nSilently start a program on a victim host;\r\nRetrieve a list of processes from the victim host;\r\nTerminate any process;\r\nUpload/Download/Delete files to/from victim host;\r\nRetrieve a list of available drives from the victim host;\r\nRetrieve a file list of a specified folder from the victim host;\r\nThis is what it looks like in code.\r\nScreenshot of the C2 command handling subroutine\r\nThis set of remote commands helps the attackers study the victim environment for lateral movement and deeper access to the target organization. The group continues to push various custom Mimikatz variants and keyloggers for credential harvesting purposes, along with privilege escalation malware.\r\nWhat are they looking for?\r\nSince the malware contains mostly information gathering functionality, most likely they hack into organizations to gain access to the victims’ sensitive data. If we recall that CactusPete targets military, diplomatic and infrastructure organizations, the information could be very sensitive indeed.\r\nWe would suggest the following countermeasures to prevent such threats:\r\nNetwork monitoring, including unusual behavior detection;\r\nUp-to-date software to prevent exploitation of vulnerabilities;\r\nUp-to-date antivirus solutions;\r\nTraining employees to recognize email-based (social engineering) attacks;\r\nCactusPete activity\r\nCactusPete is a Chinese-speaking cyber-espionage APT group that uses medium-level technical capabilities, and the people behind it have upped their game. They appear to have received support and have access to more complex code like ShadowPad, which CactusPete deployed in 2020. The group’s activity has been recorded since at least 2013, although Korean public resources mark an even earlier date – 2009. Historically, CactusPete targets organizations within a limited range of countries – South Korea, Japan, the US and Taiwan. Last year’s campaigns show that the group has shifted towards other Asian and Eastern European organizations.\r\nHere’s an overview of CactusPete activity in recent years, based on Kaspersky research results:\r\nMay 2018: a new wave of targeted attacks abusing CVE-2018-8174 (this exploit has been associated with the DarkHotel APT group, as described on Securelist), with diplomatic, defense, manufacturing, military and government targets in Asia and Eastern Europe;\r\nDecember 2018 and early 2019: Bisonal backdoor modification with a set of spying payloads in a campaign targeting mining, defense, government and technology research organizations in Eastern Europe and Asia;\r\nSeptember and October 2019: a DoubleT backdoor campaign, targeting military-related and unknown victims;\r\nMarch 2019 to April 2020: Bisonal backdoor modification in a campaign targeting financial and military institutions in Eastern Europe;\r\nDecember 2019 to April 2020: a modified DoubleT backdoor campaign, targeting telecom and governmental organizations and other victims in Asia and Eastern Europe;\r\nLate 2019 and 2020: CactusPete started to deploy ShadowPad malware, with victims including government organizations, energy, mining and defense bodies, and telecoms located in Asia and Eastern Europe;\r\nKnown alternative names for this APT group:\r\nCactusPete, Karma Panda, Tonto Team\r\nKnown alternative names for the different payloads used:\r\nBisonal, Curious Korlia, DoubleT, DOUBLEPIPE, CALMTHORNE\r\nIn the end…\r\nWe call CactusPete an Advanced Persistent Threat (APT) group, but the Bisonal code we analyzed is not that advanced. Yet, interestingly, the CactusPete APT group has had success without advanced techniques, using plain code without complicated obfuscation and spear-phishing messages with “magic” attachments as the preferred method of distribution. Of course, the group does continuously modify the payload code, studies the intended victim in order to craft a trustworthy phishing email, sends it to an existing email address in the targeted company and makes use of new vulnerabilities and other methods to inconspicuously deliver the payload once an attachment has been opened. The infection occurs not because of advanced technologies used during the attack, but because of those who view the phishing emails and open the attachments. Companies need to conduct spear-phishing awareness training for employees in order to improve their computer security knowledge.\r\nIoCs\r\nPDB path:\r\nE:\\vs2010\\new big!\\MyServe\\Debug\\MyServe.pdb\r\nMD5:\r\nA3F6818CE791A836F54708F5FB9935F3\r\n3E431E5CF4DA9CAE83C467BC1AE818A0\r\n11B8016045A861BE0518C9C398A79573\r\nRelated material:\r\nJanuary 29, 2020\r\nhttps://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html\r\nMarch 5, 2020\r\nhttps://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html\r\n2019\r\nhttps://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf\r\nJuly 31, 2018\r\nhttps://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/\r\n2017\r\nhttps://image.ahnlab.com/file_upload/asecissue_files/ASEC_REPORT_vol.88.pdf (Korean language)\r\n2014\r\nhttps://securitykitten.github.io/2014/11/25/curious-korlia.html\r\n2013\r\nhttps://web.archive.org/web/20130920120931/https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf\r\nSource: https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/"
	],
	"report_names": [
		"97962"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434866,
	"ts_updated_at": 1775791904,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/305f12974ae080737a6d99085bbcf5415fab00c4.pdf",
		"text": "https://archive.orkl.eu/305f12974ae080737a6d99085bbcf5415fab00c4.txt",
		"img": "https://archive.orkl.eu/305f12974ae080737a6d99085bbcf5415fab00c4.jpg"
	}
}