Threat Actor Characterization

Tonto Team

ID: 6a2c459fbcb088e063b54965f138b67481095
Cybercrime State-Sponsored
Threat types: Intrusion, Espionage, Malware
China UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35% Completeness: 28% Freshness: 50%
Operation zone: UNKNOWN
Aliases: none registered.
MITRE ATT&CK®

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017). Ref: https://attack.mitre.org/groups/G0131/


Technique | Technique name | Tactics | Evidence

T1056.001 | Keylogging | TA0006, TA0009
  • Input Capture: Keylogging - Tonto Team has used keylogging tools in their operations.
T1059.001 | PowerShell | TA0002
  • Command and Scripting Interpreter: PowerShell - Tonto Team has used PowerShell to download additional payloads.
T1059.006 | Python | TA0002
  • Command and Scripting Interpreter: Python - Tonto Team has used Python-based tools for execution.
T1069.001 | Local Groups | TA0007
  • Permission Groups Discovery: Local Groups - Tonto Team has used the ShowLocalGroupDetails command to identify administrator, user, and guest accounts on a compromised host.
T1090.002 | External Proxy | TA0011
  • Proxy: External Proxy - Tonto Team has routed their traffic through an external server in order to obfuscate their location.
T1204.002 | Malicious File | TA0002
  • User Execution: Malicious File - Tonto Team has relied on user interaction to open their malicious RTF documents.
T1505.003 | Web Shell | TA0003
  • Server Software Component: Web Shell - Tonto Team has used a first-stage web shell after compromising a vulnerable Exchange server.
T1566.001 | Spearphishing Attachment | TA0001
  • Phishing: Spearphishing Attachment - Tonto Team has delivered payloads via spearphishing attachments.
T1574.001 | DLL | TA0003, TA0004, TA0005
  • Hijack Execution Flow: DLL - Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.