S0268: Bisonal
Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.[1][2]
Analyst context for executives and security teams
Bisonal is a Windows remote access tool associated in ATT&CK with long-running espionage activity and use by Tonto Team. Its defensive value is not just “identify this malware,” but validating whether Windows endpoint, network, and registry telemetry can reveal a RAT that performs discovery, command execution, obfuscation, C2 over web or non-application protocols, tool transfer, local data collection, and exfiltration over its command channel.
Executive priority
Prioritize Bisonal as a coverage-validation use case for organizations where Windows endpoints, sensitive local data, or public/private sector operations are material to continuity and confidentiality. Leaders should ask whether SOC and IR teams can reconstruct a remote-access intrusion from host, registry, process, file, and network evidence—not only whether a known hash or signature exists. This object is also useful for audit and risk discussions because ATT&CK links it to data collection and exfiltration behaviors, registry activity, masquerading, and C2 patterns that often determine whether an incident is contained quickly or becomes a broader investigation.
Technical view
For defenders, treat Bisonal as a Windows RAT behavior cluster rather than a single indicator. ATT&CK relationships show use of Windows Command Shell, Visual Basic, Native API execution, registry query and modification, process/system/network/file discovery, file deletion, masquerading, binary padding, software packing, encrypted or encoded files, web-protocol C2, non-application-layer C2, proxying, ingress tool transfer, local data collection, and exfiltration over C2. Validate that endpoint detections correlate suspicious process ancestry, command-line activity, registry reads/writes, unexpected file creation/deletion, packed or padded binaries, and outbound network behavior. Network analytics should account for web traffic blending, encoded C2 content, proxy-mediated paths, and non-application-layer communications where visibility exists.
Likely telemetry
- Windows endpoint process creation, command-line, parent/child process, and script execution records
- Windows Registry query and modification events
- File creation, deletion, rename, path, metadata, and executable inspection telemetry
- Endpoint alerts or metadata indicating packed, padded, encrypted, encoded, or masqueraded binaries
- Host discovery command evidence for system, process, network, time, file, and directory enumeration
Detection direction
- Build detections around behavior chains; a sequence of discovery followed by registry modification, tool transfer, command execution, C2, local data access, and file deletion is more durable than relying only on static malware identifiers.
- Tune for Windows-specific evidence because the supplied malware platform is Windows, while some related ATT&CK techniques have broader platform descriptions.
- Review masquerading and legitimate-name/location abuse carefully; false positives can occur around administrative tools, software installers, and normal system binaries.
- Inspect encoded or encrypted payload/content and packed binaries as triage leads, not standalone proof of compromise.
- Correlate outbound web-protocol traffic with host process context; common HTTP/S traffic can hide C2 unless process, destination, timing, and content metadata are available.
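As an added illustration of the two points above (behavior-chain detection and correlating web-protocol traffic with host process context), the following Python is not code from this page, from MITRE, or from Glexia, and the events it runs over are constructed Sysmon-style samples rather than Bisonal telemetry. Process names, paths, addresses, the stage rules and the thresholds are all assumptions chosen for the demonstration; a production rule would take its stage definitions from the organization's own baseline.

```python
"""Behavior-chain correlation over constructed Windows endpoint events.

Added example for this page; not Bisonal telemetry and not MITRE or Glexia code.
Every image name, path, address and timestamp below is a constructed sample value.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified Sysmon-like fields).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "process_create", "pid": 1000, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2024-05-01T09:01:00", "type": "process_create", "pid": 1500, "ppid": 1000, "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"ts": "2024-05-01T09:01:05", "type": "network_connect", "pid": 1500, "image": "chrome.exe", "dst": "198.51.100.7", "port": 443},
    # A lone non-browser web connection: a triage lead on its own, not a chain.
    {"ts": "2024-05-01T09:02:00", "type": "process_create", "pid": 1600, "ppid": 1000, "image": "teams.exe", "cmdline": "teams.exe"},
    {"ts": "2024-05-01T09:02:05", "type": "network_connect", "pid": 1600, "image": "teams.exe", "dst": "198.51.100.9", "port": 443},
    # Constructed suspicious chain under one user-writable-path process.
    {"ts": "2024-05-01T09:10:00", "type": "process_create", "pid": 4000, "ppid": 1000, "image": "update.exe", "cmdline": "C:\\Users\\alice\\AppData\\Roaming\\update.exe"},
    {"ts": "2024-05-01T09:10:02", "type": "process_create", "pid": 4100, "ppid": 4000, "image": "cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"ts": "2024-05-01T09:10:03", "type": "process_create", "pid": 4101, "ppid": 4000, "image": "cmd.exe", "cmdline": "cmd.exe /c tasklist"},
    {"ts": "2024-05-01T09:10:10", "type": "registry_set", "pid": 4000, "image": "update.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update"},
    {"ts": "2024-05-01T09:10:20", "type": "network_connect", "pid": 4000, "image": "update.exe", "dst": "203.0.113.10", "port": 80},
    {"ts": "2024-05-01T09:11:00", "type": "file_write", "pid": 4000, "image": "update.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.dll"},
    {"ts": "2024-05-01T09:12:00", "type": "file_delete", "pid": 4000, "image": "update.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\update.exe"},
]

# Assumed stage rules; tune each to the local environment.
DISCOVERY_CMDS = {"systeminfo", "tasklist", "ipconfig", "whoami", "hostname", "net", "netstat"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
WEB_PORTS = {80, 443, 8080}
RUN_KEY = "\\currentversion\\run"
EXEC_EXT = (".exe", ".dll", ".scr")


def stage_of(ev):
    """Map one event to a behavior stage, or None if it matches no rule."""
    t = ev["type"]
    if t == "process_create" and ev["image"].lower() in SHELLS:
        if any(tok in DISCOVERY_CMDS for tok in ev["cmdline"].lower().split()):
            return "discovery"
    elif t == "registry_set" and RUN_KEY in ev["key"].lower():
        return "registry_mod"
    elif t == "network_connect" and ev["port"] in WEB_PORTS and ev["image"].lower() not in BROWSERS:
        return "web_c2"          # web-protocol traffic from a non-browser process
    elif t == "file_write" and ev["path"].lower().endswith(EXEC_EXT):
        return "tool_transfer"
    elif t == "file_delete" and ev["path"].lower().endswith(EXEC_EXT):
        return "cleanup"
    return None


def build_parent_map(events):
    return {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process_create"}


def build_image_map(events):
    return {ev["pid"]: ev["image"].lower() for ev in events if ev["type"] == "process_create"}


def actor_pid(pid, parents, images):
    """Attribute shell/interpreter activity to the non-shell process that spawned it."""
    seen = set()
    while images.get(pid) in SHELLS and pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def find_chains(events, window=timedelta(minutes=30), min_stages=3):
    """Alert on actors showing at least min_stages distinct stages inside one time window."""
    parents, images = build_parent_map(events), build_image_map(events)
    by_actor = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            by_actor[actor_pid(ev["pid"], parents, images)].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for pid, hits in by_actor.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):        # sliding window from each hit
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts.append({"pid": pid, "image": images.get(pid, "?"), "stages": sorted(stages), "first": t0.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print(alert)
```

With the defaults the single alert is for the constructed `update.exe` actor, whose shell-spawned discovery is folded into its own chain by `actor_pid`; the browser connection never becomes a stage, and the lone non-browser connection from `teams.exe` stays a one-stage lead that only surfaces if `min_stages` is lowered to 1, which is the "triage lead, not standalone proof" distinction the list above makes.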
Mitigation priorities
- Confirm baseline Windows hardening, endpoint protection, and logging coverage for process, registry, file, script, and network activity.
- Restrict and monitor command shell and Visual Basic/script execution, and limit native API and built-in tool use that business need does not require.
- Apply least privilege and change-control discipline around Registry modification and executable write locations.
- Improve egress controls and monitoring for web-protocol C2, unusual protocols, proxy use, and unauthorized file transfer.
- Strengthen data protection around sensitive local files, including access monitoring and response playbooks for suspected collection and exfiltration.
Analyst notes and limits
The official ATT&CK object identifies Bisonal as a RAT and states it has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010. ATT&CK provides no official detection text for this malware, so this analysis derives defensive guidance from the supplied relationships to ATT&CK techniques and the Windows platform field.
No official detection guidance, aliases, labels, or object-level tactics were supplied. Technique relationships describe behaviors associated with the malware but do not prove those behaviors will appear in every incident. Local telemetry, asset criticality, network architecture, and confirmed indicators are required before making exposure, attribution, or impact judgments.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Groups, software, and campaigns
G0131: Tonto Team
Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[1][2][3][4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | fa0ae1983029… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Unit 42 Bisonal July 2018: Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
[2] Talos Bisonal Mar 2020: Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
[3] Bisonal (alias record; cites Unit 42 Bisonal July 2018 and Talos Bisonal Mar 2020).
[4] mitre-attack: S0268.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.