Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Tonto Team

🌐Tonto Team

🌐 Tonto Team is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 15 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0131) ↗
14Use cases
0Articles
15Techniques
0IOCs

About this actor (MITRE)

[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://attack.mitre.org/groups/G0131) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPet

Known aliases

Tonto TeamEarth AkhlutBRONZE HUNTLEYCactusPeteKarma Panda

Top techniques

T1003 · OS Credential DumpingT1056.001 · KeyloggingT1059.001 · PowerShell

All other tracked techniques

T1059.006 · PythonT1068 · Exploitation for Privilege EscalationT1069.001 · Local GroupsT1090.002 · External ProxyT1105 · Ingress Tool TransferT1135 · Network Share DiscoveryT1203 · Exploitation for Client ExecutionT1204.002 · Malicious FileT1210 · Exploitation of Remote ServicesT1505.003 · Web ShellT1566.001 · Spearphishing AttachmentT1574.001 · DLL

Detection use cases (14)

Tonto Team / CactusPete: Equation Editor (eqnedt32.exe) exploit chain spawning code execution (CVE-2017-11882 / CVE-2018-0798) AI · profile SΣ Tonto Team Bisonal/ShadowPad DLL search-order hijacking via legitimate signed binary in user-writable path AI · profile S Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match