{
	"id": "210b6f5c-f7ae-48a8-b322-20a447b287f2",
	"created_at": "2026-04-06T00:16:13.972472Z",
	"updated_at": "2026-04-10T03:31:44.353419Z",
	"deleted_at": null,
	"sha1_hash": "c255c064008a76ca6f08bb50c494daea3c8e61dd",
	"title": "Tonto Team Using Anti-Malware Related Files for DLL Side-Loading - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1452449,
	"plain_text": "Tonto Team Using Anti-Malware Related Files for DLL Side-Loading - ASEC\r\nBy ATCP\r\nPublished: 2023-04-18 · Archived: 2026-04-05 20:01:02 UTC\r\nThe Tonto Team is a threat group that targets mainly Asian countries, and has been distributing Bisonal malware.\r\nAhnLab Security Emergency response Center (ASEC) has been tracking the Tonto Team’s attacks on Korean\r\neducation, construction, diplomatic, and political institutions. Recent cases have revealed that the group is using a\r\nfile related to anti-malware products to ultimately execute their malicious attacks. \r\nThe Tonto Team’s involvement in the distribution of the CHM malware in Korea has been confirmed since 2021,\r\nand they have been changing their methods in various ways to bypass detection. The overall operation process of\r\nthe most recent method is shown in Figure 1. Although up to the point where ReVBShell is used to receive the\r\nthreat actor’s commands remains the same, the stages afterward, such as the malware type that is ultimately\r\ndownloaded and the operation process, have been gradually changing. Each process will be explained below. \r\nhttps://asec.ahnlab.com/en/51746/\r\nPage 1 of 4\n\nFigure 2 shows the malicious script that operates when the CHM is executed. The process of decompiling the\r\nCHM file is identical to the previous processes, but a difference is the fact that the normal program\r\n(PresentationSettings.exe) created after the decompiling is registered to the RUN key. The normal program\r\nregistered to the RUN key is executed when the PC is restarted. Once it is executed, it loads the malicious DLL\r\n(slc.dll) created simultaneously through the DLL Side Loading (T1574.002) method. 
\r\nFilename used in distribution: Ministry of Unification Economic Cooperation Corporation Contacts_Ver2.1.chm\r\nName of normal program: PresentationSettings.exe\r\nName of malicious DLL (DLL Side Loading): slc.dll\r\nThe loaded malicious DLL creates and executes a VBE file in the %TEMP% folder. The decoded VBE is the\r\nReVBShell. The C2 of this ReVBShell is shown below, and it performs various malicious behaviors according to\r\nthe threat actor’s orders. The AhnLab Smart Defense (ASD) infrastructure was able to confirm the following\r\nmalicious behavior log. \r\nC2: hairouni.serveblog[.]net:8080\r\nFigure 3 is an additional log that was confirmed in April 2022, and its relevant information has been covered in\r\nthe ASEC Blog post below. https://asec.ahnlab.com/en/34010/ Figure 4 shows an additional log that was generated on\r\na PC infected with the recently circulating CHM malware, making it clear that it has the same download URL\r\nformat as the April 2022 log, since both download paths lead to the same %SystemRoot%\\Task\\ folder. This\r\ndownload behavior is believed to be performed through ReVBShell under the command of the threat actor. \r\nDownload URL: hxxps://92.38.135[.]212/fuat/HimTraylcon.exe (April 2022)\r\nhxxp://45.133.194[.]135:8080/fuat/KCaseAgent64.exe (April 2023)\r\nThe file downloaded in April 2022 was a backdoor, and the file downloaded this time was confirmed to be a\r\nnormal Avast Software configuration file (wsc_proxy.exe). \r\nThe entirety of wsc_proxy.exe’s features are shown in Figure 5: it executes the “_run@4” function after\r\nloading wsc.dll. It is assumed that the threat actor uses this feature to load a malicious DLL using the DLL Side\r\nLoading method. \r\nAdditionally, a detection log was confirmed through our ASD infrastructure of a file named “wsc.dll” being\r\ncreated in the same path (%SystemRoot%\\Task\\) within an infected PC, as shown in Figure 6. 
Considering that\r\nnormal Avast Software files are generally created in the “%ProgramFiles%\\Avast Software\\” path, it is highly\r\nlikely that a malicious DLL that was modified by the threat actor was created. Ultimately, the malicious DLL\r\n(wsc.dll) is loaded through the normal file (wsc_proxy.exe), enabling additional malicious behavior to be\r\nperformed. \r\nAs shown in Figure 7, Bisonal malware was detected in the CHM malware that was distributed in November\r\n2022. It is assumed that this type of CHM malware is being distributed by the Tonto Team. The Tonto Team is\r\nconstantly evolving through various means such as using normal software for more elaborate attacks. The number\r\nof distribution cases using CHM has increased in comparison to the past. Users must carefully check the senders\r\nof emails and refrain from opening files from unknown sources. They should also perform routine PC checks and\r\nalways keep their security products updated to the latest version. \r\n[File Detection]\r\nDropper/HTML.Generic.SC187758 (2023.04.12.02)\r\nTrojan/Win.Agent.C5409945 (2023.04.12.02)\r\nBackdoor/VBS.Generic.SC187759 (2023.04.12.02) \r\nMD5\r\n59f7a3fe0453ca6d27ba3abe78930fdf\r\nd5e6dc253a5584b178ae3c758120da4d\r\nfe1161885005ac85f89accf703ce27bb\r\nURL\r\nhttp[:]//45[.]133[.]194[.]135[:]8080/fuat/KCaseAgent64[.]exe\r\nhttp[:]//hairouni[.]serveblog[.]net[:]8080/\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/51746/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/51746/"
	],
	"report_names": [
		"51746"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775791904,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c255c064008a76ca6f08bb50c494daea3c8e61dd.pdf",
		"text": "https://archive.orkl.eu/c255c064008a76ca6f08bb50c494daea3c8e61dd.txt",
		"img": "https://archive.orkl.eu/c255c064008a76ca6f08bb50c494daea3c8e61dd.jpg"
	}
}