Tonto Team / CactusPete
A long-running Chinese espionage group — active since at least 2009 — that has spent over a decade targeting South Korea, Japan, and Taiwan before expanding east to include Russia and Eastern Europe. The Russia targeting is strategically notable: China publicly aligned with Russia as a "comprehensive strategic partner" while simultaneously running espionage campaigns against Russian scientific enterprises, government agencies, and telecommunications organizations. Assessed as a unit of the People's Liberation Army, Tonto Team is characterized by persistent medium-sophistication operations — it lacks advanced techniques but compensates through high operational tempo, rapid malware iteration (over 20 Bisonal samples per month at peak), and well-researched spearphishing lures that continue to succeed against patched environments years after vulnerability disclosure.
Overview
Tonto Team has been conducting cyber espionage operations since at least 2009 — when it was first tracked under the Heartbeat Campaign name — making it one of China's longest-running continuously active APT programs. The group is assessed by the US-China Economic and Security Review Commission as likely a unit of the People's Liberation Army, with PLA Unit 65017 the most specific identified designation in open-source reporting. This PLA linkage aligns Tonto Team's targeting squarely with Chinese military intelligence requirements rather than civilian intelligence or economic objectives.
The group operates across two vendor naming conventions that frequently cause confusion in reporting. Kaspersky tracks the group as CactusPete; Microsoft and many other vendors use Tonto Team. Both names refer to the same actor. Additional aliases — Karma Panda (CrowdStrike), Earth Akhlut (Trend Micro), Bronze Huntley (SecureWorks), HeartBeat (historical, from the 2009 campaign), and TAG-74 — reflect independent tracking by different vendors using different naming schemes.
Tonto Team's technical profile sits at what Kaspersky explicitly characterizes as "medium-level" sophistication. The Bisonal backdoor — the group's primary tool for over a decade — is straightforward code without sophisticated obfuscation. The Royal Road RTF exploitation toolkit used for initial access exploits vulnerabilities in Microsoft Equation Editor that were patched years before the campaigns that use them. Yet this medium-sophistication approach has been consistently successful, which SentinelOne's Tom Hegel attributed to the continued failure of target organizations to apply multi-year-old patches: "They're popping people that are out of date by quite a few years." The group compensates for technical simplicity with volume — at peak documented activity, Bisonal variants were being released at a rate exceeding 20 new samples per month, and over 300 nearly identical samples were deployed between March 2019 and April 2020 alone.
The strategic complexity of Tonto Team's targeting lies in its Russian operations. China and Russia formally describe their relationship as a "comprehensive strategic partnership of coordination" — a diplomatic alignment that became increasingly prominent after 2022's Ukraine invasion. Yet Tonto Team's campaigns against Russian scientific and technical enterprises, government agencies, and telecommunications organizations — documented continuously across multiple years and accelerating after the Ukraine invasion — demonstrate that PRC intelligence collection requirements from inside Russia have persisted or intensified despite the public diplomatic alignment. SentinelOne assessed this as "a potential Chinese government increase in intelligence collection requirements from inside Russia," framing it as expanding requirements rather than hostile intent — but the operational reality is that a PLA-linked unit is actively compromising Russian government systems.
A notable incident, reported in 2023, involved Tonto Team's unsuccessful spearphishing attempt against Group-IB — a cybersecurity firm — which became the second documented failed attack on the same organization after a 2021 attempt. The attacker's failure provided Group-IB with detailed forensic insight into Tonto Team's current toolchain, including the Bisonal.DoubleT backdoor and a previously undocumented downloader named QuickMute (also identified by CERT-UA). The group's willingness to directly target cybersecurity firms — as potential supply-chain pivot points to their clients — marks a continued evolution in targeting priority.
Target Profile
Tonto Team's targeting has expanded from a concentrated Northeast Asia focus to a global footprint aligned with PRC strategic intelligence priorities across multiple dimensions.
- South Korea (primary, historical core): South Korea has been a defining target since the group's earliest documented operations. Military and defense organizations were the primary focus, with the 2017 THAAD campaign demonstrating the group's responsiveness to PRC strategic priorities — targeting organizations involved in deploying an American anti-ballistic missile defense system. Education, diplomatic, political, and construction sectors in South Korea have also been targeted in more recent campaigns documented through 2023. The 2022 and 2023 campaigns used CHM files and legitimate anti-malware product binary files to side-load Bisonal, demonstrating continued technical adaptation for South Korean targeting.
- Japan and Taiwan: Consistently targeted alongside South Korea as part of the Northeast Asia intelligence collection mission. Government, military, and critical infrastructure organizations in both countries have appeared in documented Tonto Team victim lists across multiple campaign waves. Taiwan targeting aligns directly with PLA intelligence requirements related to cross-strait military assessment.
- Russia — Government, Scientific, and Technical Organizations: The strategically anomalous targeting category. Russian scientific and technical enterprises and government agencies were targeted coinciding with Russia's military invasion of Ukraine in 2022, with SentinelOne noting a notable increase in targeting activity and interpreting it as expanded Chinese intelligence collection requirements inside Russia. Russian telecommunications organizations have also been targeted. The phishing infrastructure used in these campaigns spoofed RU-CERT (Russia's cybersecurity incident response center) and Russian telecommunications regulatory bodies — demonstrating institutional knowledge of Russian government structure used to craft convincing lures.
- Eastern Europe — Military and Financial: Kaspersky documented Bisonal campaigns targeting financial and military sector organizations in Eastern European countries between March 2019 and April 2020, with the Bisonal variant hardcoding a Cyrillic codepage for correct handling of Russian-language command output — indicating deliberate adaptation for Eastern European Windows environments. Telecom and governmental organizations in Asia and Eastern Europe were also targeted in the DoubleT backdoor campaign.
- IT and Cybersecurity Companies: Documented attacks against Group-IB (March 2021 and June 2022) reflect a targeting pattern common to Chinese APT groups seeking supply chain access — compromising a security vendor provides potential access to its client base and intelligence on the group's own exposure.
- Broader Sector Coverage: MITRE ATT&CK documents Tonto Team targeting across government, military, energy, mining, financial, education, healthcare, and technology sectors. ShadowPad campaigns specifically targeted defense, energy, government, mining, and telecommunications entities in Asia and Eastern Europe.
Tactics, Techniques & Procedures
Tonto Team's TTP set is highly consistent across campaigns and years — the same tools, the same delivery chain, and the same vulnerability classes appear repeatedly. This consistency provides strong attribution anchors but also suggests the group operates within a structured, directive-based tasking environment rather than experimenting freely.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Spear-Phishing — RTF Attachment | Royal Road (also called 8.t Dropper) is the primary delivery mechanism — a toolkit shared among at least seven Chinese APT groups that weaponizes RTF files to exploit Microsoft Equation Editor vulnerabilities. Tonto Team primarily leverages CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798. These vulnerabilities were patched in 2017–2018 yet continue to be effective against unpatched systems years later. Lure content is carefully matched to the target — Russian-language documents spoofing government communications for Russian targets; Korean-language materials referencing relevant political, diplomatic, or military content for South Korean targets. |
| T1566.001 | Spear-Phishing — CHM and DLL Side-Loading (South Korea) | A 2023 South Korean campaign documented by ASEC used Microsoft Compiled HTML Help (CHM) files — a less common but harder-to-detect delivery mechanism. The CHM file runs a binary that side-loads a malicious DLL (slc.dll), which launches the open-source VBScript backdoor ReVBShell (shared with Chinese actor Tick). ReVBShell then downloads a genuine Avast software configuration file used to side-load a second rogue DLL, ultimately deploying Bisonal. This multi-stage DLL side-loading chain exploits legitimate software to evade detection. |
| T1078 | Valid Accounts — Compromised Corporate Email | Trend Micro documented Tonto Team's use of legitimate corporate email addresses — obtained through earlier phishing operations — to send malicious attachments to other users within or associated with the same organization. This technique dramatically increases the credibility of lure emails since they originate from a trusted internal address and may bypass external email security controls that focus on inbound messages from unknown senders. |
| T1190 | Exploit Public-Facing Application — ProxyLogon | In March 2021, Tonto Team was among at least 10 APT groups exploiting the ProxyLogon Microsoft Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-27065) to strike cybersecurity and procurement companies in Eastern Europe. This exploit-based initial access complements the group's more common phishing-based approach and demonstrates the group can adopt opportunistic vulnerability exploitation when high-value vulnerabilities are available. |
| T1071.001 | Application Layer Protocol — Bisonal RAT C2 | The Bisonal backdoor communicates with C2 infrastructure via HTTP or HTTPS, using a periodic ping-based polling model. The C2 server responds to pings with command payloads when commands are ready. Bisonal's C2 protocol has been documented in detail by Kaspersky, with the backdoor waiting for commands after a handshake and periodically re-contacting the server. The variant targeting Eastern Europe hardcoded a Cyrillic codepage for handling Russian-language command output — indicating deliberate regional adaptation. |
| T1003.001 | Credential Dumping — Mimikatz Variants | Kaspersky documented Tonto Team's continuous use of custom Mimikatz variants and keyloggers for credential harvesting, alongside privilege escalation malware for obtaining elevated access to protected systems and data. These post-exploitation tools are deployed after initial access is established via Bisonal and are used to support lateral movement and deeper network penetration. |
| T1072 | Software Deployment Tools — ShadowPad Distribution | From late 2019, Tonto Team began deploying ShadowPad (also known as PoisonPlug) — a modular backdoor platform associated with multiple Chinese state APT groups and assessed as supplied by a Chinese digital quartermaster infrastructure rather than developed exclusively by Tonto Team. ShadowPad's presence in Tonto Team operations alongside its own Bisonal toolset suggests the group has access to shared Chinese state offensive infrastructure. ShadowPad was deployed against defense, energy, government, mining, and telecom targets in Asia and Eastern Europe. |
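The Bisonal C2 behaviour described in the T1071.001 row (periodic polling of one external host by an endpoint that has no other reason to talk to it) can be hunted in proxy logs. The following detector is an added example written for this profile, not code from any vendor report; the log format, thresholds and host names are constructed for illustration.

```python
"""Detect Bisonal-style periodic C2 polling in web-proxy logs.

Constructed log format (not any real product's): "<epoch> <src_host> <dst_host> <method> <url>".
A (src, dst) pair is flagged when it shows enough requests with low-jitter
intervals and the destination is contacted by (almost) no other internal host.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_REQUESTS = 6          # need enough samples to judge periodicity
MAX_JITTER = 0.15         # stdev/mean of inter-request gaps; beacons are tight
MAX_OTHER_HOSTS = 1       # destinations most of the estate talks to are not C2-like


def parse(lines):
    """Yield (epoch, src, dst) from constructed proxy lines; skips malformed ones."""
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def find_beacons(lines):
    """Return {(src, dst): (count, mean_gap_s, jitter)} for pairs that look like beacons."""
    times = defaultdict(list)
    for ts, src, dst in parse(lines):
        times[(src, dst)].append(ts)
    hosts_per_dst = defaultdict(set)
    for (src, dst) in times:
        hosts_per_dst[dst].add(src)
    beacons = {}
    for (src, dst), ts in times.items():
        if len(ts) < MIN_REQUESTS:
            continue
        if len(hosts_per_dst[dst]) - 1 > MAX_OTHER_HOSTS:
            continue                            # popular destination, not a lone poller
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= MAX_JITTER:
            beacons[(src, dst)] = (len(ts), round(avg, 1), round(jitter, 3))
    return beacons


# Constructed sample: WS-17 polls one external host every ~60 s; other hosts browse normally.
SAMPLE_LOG = (
    [f"{1700000000 + 60 * i + (i % 3)} WS-17 203.0.113.10 GET /index.html" for i in range(8)]
    + [f"{1700000000 + 7 * i * i} WS-22 www.example.com GET /news" for i in range(8)]
    + [f"{1700000000 + 300 * i} WS-{n} cdn.example.net GET /lib.js"
       for n in (1, 2, 3, 4) for i in range(6)]
)

if __name__ == "__main__":
    for (src, dst), (count, avg, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"ALERT beacon: {src} -> {dst} ({count} requests, ~{avg}s apart, jitter {jitter})")
```

The rarity check (MAX_OTHER_HOSTS) is what keeps a shared CDN polled by many machines from being flagged even though its timing is perfectly regular.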
Tonto Team's campaigns against Russian government, scientific, and telecommunications organizations run in parallel to China's official "comprehensive strategic partnership of coordination" with Russia — a diplomatic posture that became more prominent after February 2022. SentinelOne assessed the increased Russian targeting as reflecting expanded PRC intelligence collection requirements from inside Russia, likely driven by the need to independently assess Russian military capability, intentions, and vulnerabilities as the Ukraine war developed. The campaigns used RU-CERT spoofing and Russian telecom regulatory body impersonation, indicating deliberate knowledge of Russian government structure to maximize lure credibility. This is a concrete example of the gap between states' official diplomatic postures and their actual intelligence operations against one another.
Known Campaigns
Tonto Team's documented operational history spans fifteen years of continuous activity with multiple named campaign waves across distinct target geographies.
The Heartbeat Campaign represents the earliest documented Tonto Team activity, targeting military, government, and intelligence organizations across South Korea, Japan, Taiwan, and the United States. This campaign established the group's defining targeting focus on Northeast Asian government and military targets aligned with PLA intelligence priorities. The Heartbeat Campaign name reflects the periodic C2 check-in behavior observed in early Bisonal samples — a behavior that has persisted across multiple subsequent Bisonal generations.
In 2017, researchers documented Tonto Team conducting targeted attacks against South Korean entities involved in or associated with the deployment of the Terminal High Altitude Area Defense (THAAD) anti-ballistic missile system — a US-supplied system whose installation in South Korea was a major source of diplomatic tension with China. The THAAD targeting demonstrated the group's responsiveness to PRC strategic priorities: an American military capability deployed on the Korean Peninsula that Beijing objected to became a direct intelligence collection requirement that Tonto Team was tasked to address. This campaign, referenced in the US-China Economic and Security Review Commission analysis, is the primary basis for the PLA attribution assessment.
Kaspersky documented a sustained campaign targeting financial and military sector organizations in Eastern Europe using a new Bisonal variant. Over the 13-month campaign period, researchers identified over 300 nearly identical Bisonal samples — a production rate exceeding 20 samples per month — demonstrating the group's high operational tempo and continuous malware iteration even within a single campaign. The Bisonal variant hardcoded a Cyrillic codepage for correct handling of Russian-language command output, indicating deliberate adaptation for Eastern European Windows environments. Kaspersky's investigation began from a single sample and expanded using the Kaspersky Threat Attribution Engine to identify the full sample cluster.
From late 2019, Kaspersky documented Tonto Team deploying ShadowPad alongside its native Bisonal toolset against a broader target set: defense, energy, government, mining, and telecommunications entities across Asia and Eastern Europe. ShadowPad's appearance in Tonto Team operations — the same modular backdoor platform used by multiple other Chinese state APT groups — raised assessments that the group either shares tools with other Chinese actors or has access to centralized PRC offensive infrastructure (a "digital quartermaster"). The DoubleT backdoor campaign, targeting telecom and government organizations in Asia and Eastern Europe, also ran during this period.
When Microsoft disclosed the ProxyLogon Exchange Server vulnerabilities (CVE-2021-26855 and related) in March 2021, Tonto Team was among at least 10 APT groups identified exploiting them before mass patching occurred. Tonto Team used ProxyLogon against cybersecurity and procurement companies in Eastern Europe — a targeting choice reflecting both the supply-chain intelligence value of cybersecurity firm compromise and the group's expansion into European targeting. This exploitation demonstrated that Tonto Team can operate opportunistically via internet-facing vulnerabilities in addition to its primary spearphishing model.
Coinciding with Russia's invasion of Ukraine in February 2022, SentinelOne documented a notable increase in Tonto Team's targeting of Russian organizations using Royal Road RTF exploits and Bisonal. Phishing infrastructure spoofed RU-CERT (Russia's cybersecurity incident response center) and Russian government telecommunications regulatory bodies — institutions that Russian enterprises would treat as credible senders. The campaigns exploited CVE-2018-0798 in Microsoft Office documents targeting Russian scientific and technical enterprises and government agencies. The timing suggested expanded PRC intelligence requirements driven by the need to independently assess Russian military developments and vulnerabilities during an active conflict in which China maintained official neutrality.
Tonto Team attempted spearphishing attacks against Group-IB employees twice — in March 2021 and again in June 2022, both of which were detected and blocked. The June 2022 attempt used Russian-language phishing emails crafted to appear from legitimate company employees, delivered via GMX Mail free email accounts. The malicious Office documents were weaponized with Royal Road and deployed Bisonal.DoubleT alongside a new downloader — QuickMute (later independently identified by CERT-UA) — for next-stage payload retrieval. The failed attack provided Group-IB with detailed forensic visibility into Tonto Team's current toolchain. The group's repeated targeting of the same cybersecurity firm reflects its assessment that supply-chain access to a security vendor's client base justifies the operational risk of being exposed by the target.
Tools & Malware
Tonto Team's toolkit is dominated by Bisonal — a backdoor the group has maintained and iterated for over fifteen years — supplemented by shared Chinese APT infrastructure tools including Royal Road and ShadowPad.
- Bisonal RAT (and Bisonal.DoubleT): Tonto Team's primary and defining tool, in continuous use and development since at least 2009. A remote access Trojan notable for being used exclusively by Chinese APT groups — no non-Chinese actor has been documented using Bisonal. Capabilities include remote shell access, file upload/download, process enumeration, system information gathering, and C2 polling via HTTP/HTTPS. The code is described by Kaspersky as "not that advanced" — straightforward without sophisticated obfuscation — yet has remained operationally effective across more than fifteen years of deployment. Kaspersky documented over 300 nearly identical samples deployed in a single 13-month period. The DoubleT variant (also tracked as DOUBLEPIPE) is a more recent iteration documented in Group-IB's 2022 analysis.
- Royal Road RTF Weaponizer (8.t Dropper): A shared toolkit used by at least seven Chinese APT groups to create malicious RTF documents exploiting Microsoft Equation Editor vulnerabilities (CVE-2017-11882, CVE-2018-0802, CVE-2018-0798). Royal Road generates decoy-containing RTF files that trigger the vulnerability on opening, dropping the embedded payload. The toolkit's shared use across multiple Chinese groups makes it a strong indicator of Chinese state activity but a weak indicator for specific group attribution. The vulnerabilities it exploits were patched in 2017–2018 but continue to be effective against unpatched environments.
- ShadowPad (PoisonPlug): A modular backdoor platform first identified in Tonto Team operations in late 2019 and assessed as supplied to multiple Chinese state APT groups through a shared offensive infrastructure program. ShadowPad provides significantly more capability than Bisonal and was deployed against higher-value targets (defense, energy, mining). Its presence in Tonto Team operations alongside native tooling suggests the group has access to centralized PRC cyber offensive resources.
- QuickMute (TontoTeam.Downloader): A downloader first identified in the June 2022 Group-IB attack attempt, responsible for retrieving next-stage payloads from remote servers. Independently identified by CERT-UA under the name QuickMute. Represents a previously undocumented component in Tonto Team's delivery chain, suggesting continued active development of new tooling.
- DoubleT Backdoor (DOUBLEPIPE): A separate backdoor variant from Bisonal, used in a December 2019–April 2020 campaign targeting telecom and governmental organizations in Asia and Eastern Europe. Tracked under both DoubleT and DOUBLEPIPE names in vendor reporting.
- ReVBShell: An open-source VBScript backdoor used in the 2023 South Korean CHM delivery chain, notably also associated with the Chinese actor Tick — suggesting shared tooling between Tonto Team and at least one other PLA-linked group, or access to a common tool repository.
- Custom Mimikatz Variants and Keyloggers: Post-exploitation credential theft tools deployed after initial Bisonal foothold is established. Kaspersky documented the continuous use of custom Mimikatz variants alongside keyloggers for credential harvesting and privilege escalation malware for accessing protected systems.
Indicators of Compromise
Tonto Team's most durable detection indicators are behavioral and tool-based. Infrastructure rotates between campaigns, but the Royal Road RTF delivery chain, Bisonal C2 communication patterns, and specific CVE exploitation remain consistent attribution anchors.
Mitigation & Defense
Tonto Team's primary initial access vector — exploiting Microsoft Equation Editor vulnerabilities via Royal Road RTF files — has a straightforward defensive answer: patch. The group also exploits internet-facing vulnerabilities such as ProxyLogon when they become available. Its continued success against unpatched environments fifteen years into operation reflects persistent patching failures in the target sector rather than novel attacker capability.
- Patch Microsoft Equation Editor vulnerabilities immediately: CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798 have been patched since 2017–2018 yet Tonto Team campaigns using them were documented in 2022. Any Windows environment running unpatched versions of Microsoft Office is directly exposed to the group's primary initial access method. Microsoft also released an option to permanently disable the legacy Equation Editor component — organizations should apply this configuration change on all endpoints where Equation Editor is not a business requirement.
- Block or alert on CHM file attachments at email gateways: The 2023 South Korean campaigns used CHM files — a less common attachment type. Email security gateways should be configured to flag or quarantine CHM file attachments, which have limited legitimate business uses and are increasingly used as a delivery mechanism by threat actors to bypass defenses focused on Office macro detection.
- Detect Royal Road RTF files via file scanning: YARA rules and file scanning for Royal Road's characteristic RTF structure have been published by multiple vendors. These detection rules identify weaponized RTF files before execution regardless of which specific payload they drop, providing a delivery-chain detection capability that remains valid across Tonto Team and the other six Chinese APT groups documented using Royal Road.
- Monitor for Bisonal C2 communication patterns: Bisonal's HTTP-based C2 polling pattern — periodic outbound HTTP/HTTPS requests to external IPs from endpoints that are not otherwise making similar requests — is detectable via network behavioral analysis. Organizations with high-value targets in Tonto Team's documented geographies should monitor for this pattern and correlate against threat intelligence feeds that track Tonto Team infrastructure.
- Alert on DLL side-loading from legitimate software directories: The 2023 South Korean campaign used DLL side-loading from a legitimate Avast software configuration file. EDR solutions that monitor for DLL side-loading — particularly legitimate vendor binaries loading unexpected DLLs from their installation directories — provide detection capability for this evasion technique regardless of the specific payload being delivered.
- Do not extend implicit trust to internal senders: Tonto Team's documented use of compromised legitimate corporate email addresses to send phishing to other employees requires defenses that go beyond sender domain verification. DMARC, DKIM, and SPF help verify external sender legitimacy but do not detect internal account compromise. Behavioral analysis of email sending patterns — alerts on accounts sending links or attachments to large numbers of colleagues they don't typically email, or sending files significantly larger than their historical norm — provides detection capability for this technique.
- Patch Microsoft Exchange on an emergency cadence: ProxyLogon was exploited by Tonto Team within the disclosure window. Exchange Server patching should be treated as a priority patching category given its documented targeting by multiple Chinese APT groups including Tonto Team, Gallium, and others.
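The side-loading alert recommended above (a legitimate vendor binary loading an unexpected DLL from its own install tree, as in the 2023 CHM chain) can be expressed as a rule over image-load telemetry. This is an added example written for this profile, not an EDR product's rule; the records are modelled on Sysmon Event ID 7 fields, and the paths and signer names are constructed.

```python
"""Flag DLL side-loading from legitimate vendor install directories.

Input: constructed records modelled on Sysmon Event ID 7 (ImageLoaded) fields.
Rule: a signed vendor process loads a DLL from its own directory (or a
subdirectory) whose signature is missing, invalid, or from a different signer.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoad:
    image: str           # loading process (Sysmon "Image")
    image_signer: str    # signer of the process binary ("" if unsigned)
    loaded: str          # DLL path (Sysmon "ImageLoaded")
    loaded_signed: bool  # Sysmon "Signed" field
    loaded_signer: str   # Sysmon "Signature" field ("" if unsigned)


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _norm(path: str) -> str:
    # ntpath handles Windows separators on any host OS
    return ntpath.normpath(path).lower()


def is_sideload(ev: ImageLoad) -> bool:
    """True when a signed process loads a co-located DLL not signed by the same signer."""
    if not ev.image_signer:
        return False            # unsigned host process: a different problem, not this pattern
    img_dir = _norm(ntpath.dirname(ev.image)) + "\\"
    dll = _norm(ev.loaded)
    if dll.startswith(SYSTEM_DIRS):
        return False            # OS DLLs from System32/SysWOW64 are expected
    if not dll.startswith(img_dir):
        return False            # only DLLs inside the vendor's own install tree
    return (not ev.loaded_signed) or ev.loaded_signer.lower() != ev.image_signer.lower()


def find_sideloads(events):
    return [ev for ev in events if is_sideload(ev)]


# Constructed sample events (hypothetical vendor, paths and signers; not from any real incident).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VendorAV\avupd.exe", "Vendor AV Ltd",
              r"C:\Program Files\VendorAV\avcore.dll", True, "Vendor AV Ltd"),
    ImageLoad(r"C:\Program Files\VendorAV\avupd.exe", "Vendor AV Ltd",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    # signed vendor binary copied to Temp, loading an unsigned slc.dll beside it
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\avupd.exe", "Vendor AV Ltd",
              r"C:\Users\u\AppData\Local\Temp\slc.dll", False, ""),
    # signed, but by someone other than the vendor, from a subdirectory of the install tree
    ImageLoad(r"C:\Program Files\VendorAV\avupd.exe", "Vendor AV Ltd",
              r"C:\Program Files\VendorAV\plugins\helper.dll", True, "Some Other Org"),
    ImageLoad(r"C:\Users\u\tool.exe", "",
              r"C:\Users\u\helper.dll", False, ""),
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT side-load: {ev.image} loaded {ev.loaded} "
              f"(signed={ev.loaded_signed}, signer='{ev.loaded_signer}')")
```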
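The sending-pattern checks suggested for compromised internal accounts (attachments to many colleagues the sender has never emailed, or far above the sender's usual size) are shown below as a per-sender baseline. This is an added example for this profile, not a mail-security product's logic; the message records, thresholds and addresses are constructed.

```python
"""Flag internal senders whose mail behaviour deviates from their own history.

Constructed message records (not any mail product's log format):
(sender, recipients, attachment_bytes). A message from an already-baselined
sender is flagged when it carries an attachment to many colleagues the sender
has never emailed, or when the attachment is far above the sender's norm.
"""
from collections import defaultdict
from statistics import mean

NEW_RECIPIENT_THRESHOLD = 5   # attachment sent to >= this many never-before-seen colleagues
SIZE_MULTIPLIER = 5.0         # attachment >= this x sender's historical mean size
MIN_HISTORY = 10              # messages needed before a sender can be judged


class SenderBaseline:
    def __init__(self):
        self.known = defaultdict(set)     # sender -> recipients seen in baseline window
        self.sizes = defaultdict(list)    # sender -> attachment sizes seen (non-zero only)
        self.count = defaultdict(int)

    def learn(self, sender, recipients, attachment_bytes):
        """Fold one historical message into the sender's baseline."""
        self.known[sender].update(recipients)
        self.count[sender] += 1
        if attachment_bytes > 0:
            self.sizes[sender].append(attachment_bytes)

    def evaluate(self, sender, recipients, attachment_bytes):
        """Return a list of reason strings; empty means the message looks normal."""
        reasons = []
        if self.count[sender] < MIN_HISTORY or attachment_bytes == 0:
            return reasons                # too little history, or nothing attached
        unseen = [r for r in recipients if r not in self.known[sender]]
        if len(unseen) >= NEW_RECIPIENT_THRESHOLD:
            reasons.append(f"attachment to {len(unseen)} recipients never emailed before")
        if self.sizes[sender]:
            typical = mean(self.sizes[sender])
            if attachment_bytes >= SIZE_MULTIPLIER * typical:
                reasons.append(f"attachment {attachment_bytes} B vs typical {typical:.0f} B")
        return reasons


def build_sample():
    """Constructed history: alice mails a three-person team with ~50 KB attachments."""
    base = SenderBaseline()
    team = ["bob@corp.example", "carol@corp.example", "dan@corp.example"]
    for i in range(12):
        base.learn("alice@corp.example", team[: 1 + i % 3], 50_000 + 1_000 * (i % 5))
    return base


SAMPLE_BASELINE = build_sample()
# Constructed messages: one normal, one matching the compromised-account pattern.
NORMAL_MSG = ("alice@corp.example", ["bob@corp.example"], 52_000)
SUSPECT_MSG = ("alice@corp.example",
               [f"user{n}@corp.example" for n in range(8)], 600_000)

if __name__ == "__main__":
    for msg in (NORMAL_MSG, SUSPECT_MSG):
        print(msg[0], len(msg[1]), "recipients ->", SAMPLE_BASELINE.evaluate(*msg) or "ok")
```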
Tonto Team's use of Royal Road (shared with at least six other Chinese APT groups), ShadowPad (also shared across multiple groups), and ReVBShell (shared with Tick) complicates precise attribution. These tools are strong indicators of Chinese state activity but do not by themselves distinguish between Tonto Team and other PLA-linked actors. The combination of Bisonal — which is used exclusively by Chinese groups and has a fifteen-year attribution anchor — alongside the Royal Road delivery chain and the specific targeting geography (South Korea, Japan, Russia) provides the multi-factor attribution basis. Defenders should prioritize the behavioral detection approach rather than static IOC matching: the shared tooling across Chinese APT clusters means that detecting the delivery chain and post-exploitation behavior is more reliable than attributing to a specific actor before taking defensive action.
Sources & Further Reading
Attribution and references used to build this profile.
- MITRE ATT&CK — Tonto Team (G0131)
- Kaspersky Securelist — CactusPete APT group's updated Bisonal backdoor (2020)
- The Hacker News — Chinese Tonto Team Hackers' Second Attempt to Target Group-IB Fails (2023)
- The Record — Chinese hackers targeting Russian government, telecoms (2022)
- Dark Reading — China's Tonto Team APT Ramps Up Spy Operations Against Russia (2022)
- Malwarebytes — China's Tonto Team increases espionage activities against Russia (2022)
- Cyware / ASEC — Tonto Team Uses Anti-Malware File, Targets South Korea (2023)