| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.
| 2024-03-18
⋅
Trend Micro
⋅
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks DinodasRAT PlugX Reshell ShadowPad Earth Krahang |
| 2024-03-05
⋅
Reliaquest
⋅
Anxun and Chinese APT Activity ShadowPad |
| 2024-03-01
⋅
HarfangLab
⋅
A Comprehensive Analysis of i-SOON’s Commercial Offering ShadowPad Winnti |
| 2024-02-21
⋅
YouTube (SentinelOne)
⋅
LABSCon23 Replay | Chasing Shadows | The rise of a prolific espionage actor 9002 RAT PlugX ShadowPad Spyder Earth Lusca |
| 2024-02-09
⋅
Hunt.io
⋅
Tracking ShadowPad Infrastructure Via Non-Standard Certificates ShadowPad |
| 2024-01-09
⋅
Recorded Future
⋅
2023 Adversary Infrastructure Report AsyncRAT Cobalt Strike Emotet PlugX ShadowPad |
| 2023-11-07
⋅
Youtube (Virus Bulletin)
⋅
Possible supply chain attack targeting South Asian government delivers Shadowpad ShadowPad |
| 2023-10-04
⋅
Trend Micro
⋅
Possible supply chain attack targeting Pakistan government delivers ShadowPad ShadowPad |
| 2023-10-04
⋅
Trend Micro
⋅
Possible supply chain attack targeting Pakistan government delivers Shadowpad (Slides) ShadowPad |
| 2023-09-22
⋅
Palo Alto Networks Unit 42
⋅
Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda Cobalt Strike MimiKatz RemCom ShadowPad TONESHELL |
| 2023-09-19
⋅
Recorded Future
⋅
Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities Korlia Tonto Team |
| 2023-09-12
⋅
Symantec
⋅
Redfly: Espionage Actors Continue to Target Critical Infrastructure ShadowPad Redfly |
| 2023-08-07
⋅
Recorded Future
⋅
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca |
| 2023-07-14
⋅
Trend Micro
⋅
Possible Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad ShadowPad DriftingCloud Tonto Team |
| 2023-05-15
⋅
Symantec
⋅
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors Merdoor PlugX ShadowPad ZXShell Lancefly |
| 2023-04-05
⋅
Medium Ilandu
⋅
PortDoor - APT Backdoor analysis ACBackdoor 8.t Dropper PortDoor |
| 2023-03-07
⋅
Check Point Research
⋅
Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities 5.t Downloader 8.t Dropper Soul |
| 2023-02-07
⋅
MalGamy
⋅
The Approach of TA413 for Tibetan Targets 8.t Dropper LOWZERO |
| 2023-02-02
⋅
Elastic
⋅
Update to the REF2924 intrusion set and related campaigns DoorMe ShadowPad SiestaGraph |
| 2022-10-25
⋅
VMware Threat Analysis Unit
⋅
Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning ShadowPad Winnti |
| 2022-09-30
⋅
NCC Group
⋅
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion ShadowPad |
| 2022-09-26
⋅
Youtube (Virus Bulletin)
⋅
Tracking the entire iceberg long term APT malware C2 protocol emulation and scanning ShadowPad Winnti |
| 2022-09-22
⋅
Recorded Future
⋅
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets 8.t Dropper LOWZERO |
| 2022-09-19
⋅
Virus Bulletin
⋅
Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning ShadowPad Winnti |
| 2022-09-13
⋅
Symantec
⋅
New Wave of Espionage Activity Targets Asian Governments MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT |
| 2022-09-06
⋅
ESET Research
⋅
Worok: The big picture MimiKatz PNGLoad reGeorg ShadowPad Worok |
| 2022-07-07
⋅
Sentinel LABS
⋅
Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs 8.t Dropper Korlia Tonto Team |
| 2022-07-01
⋅
RiskIQ
⋅
ToddyCat: A Guided Journey through the Attacker's Infrastructure ShadowPad ToddyCat |
| 2022-06-27
⋅
Kaspersky ICS CERT
⋅
Attacks on industrial control systems using ShadowPad Cobalt Strike PlugX ShadowPad |
| 2022-06-22
⋅
⋅
Cert-UA
⋅
Cyberattacks by China-associated groups against Russian scientific and technical enterprises and government agencies (CERT-UA#4860) QUICKMUTE |
| 2022-05-17
⋅
Positive Technologies
⋅
Space Pirates: analyzing the tools and connections of a new hacker group FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
| 2022-05-12
⋅
TEAMT5
⋅
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides) KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu |
| 2022-05-02
⋅
Sentinel LABS
⋅
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad PlugX ShadowPad Moshen Dragon |
| 2022-04-08
⋅
The Register
⋅
China accused of cyberattacks on Indian power grid ShadowPad |
| 2022-04-06
⋅
Recorded Future
⋅
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group ShadowPad |
| 2022-04-06
⋅
Recorded Future
⋅
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38) ShadowPad |
| 2022-02-23
⋅
Dragos
⋅
2021 ICS OT Cybersecurity Year In Review ShadowPad |
| 2022-02-15
⋅
The Hacker News
⋅
Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA ShadowPad |
| 2022-02-15
⋅
Secureworks
⋅
ShadowPad Malware Analysis ShadowPad |
| 2022-01-17
⋅
Trend Micro
⋅
Delving Deep: An Analysis of Earth Lusca’s Operations BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca |
| 2021-12-17
⋅
FBI
⋅
AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515) ShadowPad |
| 2021-12-16
⋅
TEAMT5
⋅
Winnti is Coming - Evolution after Prosecution Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder |
| 2021-12-08
⋅
PWC UK
⋅
Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad ShadowPad Earth Lusca |
| 2021-11-19
⋅
insomniacs(Medium)
⋅
It’s a BEE! It’s a… no, it’s ShadowPad. ShadowPad |
| 2021-11-04
⋅
Youtube (Virus Bulletin)
⋅
ShadowPad: the masterpiece of privately sold malware in Chinese espionage PlugX ShadowPad |
| 2021-10-26
⋅
Kaspersky
⋅
APT attacks on industrial organizations in H1 2021 8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy |
| 2021-09-01
⋅
YouTube (Hack In The Box Security Conference)
⋅
SHADOWPAD: Chinese Espionage Malware-as-a-Service PlugX ShadowPad |
| 2021-08-23
⋅
SentinelOne
⋅
ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage PlugX ShadowPad |
| 2021-08-19
⋅
Sentinel LABS
⋅
ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage ShadowPad |
| 2021-08-12
⋅
Sentinel LABS
⋅
ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage ShadowPad Earth Lusca |
| 2021-07-08
⋅
⋅
PTSecurity
⋅
How winnti APT grouping works Korlia ShadowPad Winnti |
| 2021-07-08
⋅
Recorded Future
⋅
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling ShadowPad Spyder Winnti |
| 2021-07-08
⋅
⋅
YouTube (PT Product Update)
⋅
How winnti APT grouping works Korlia ShadowPad Winnti |
| 2021-04-29
⋅
NTT
⋅
The Operations of Winnti group Cobalt Strike ShadowPad Spyder Winnti Earth Lusca |
| 2021-03-29
⋅
The Record
⋅
RedEcho group parks domains after public exposure PlugX ShadowPad RedEcho |
| 2021-03-10
⋅
ESET Research
⋅
Exchange servers under siege from at least 10 APT groups Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda |
| 2021-02-28
⋅
Recorded Future
⋅
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions Icefog PlugX ShadowPad |
| 2021-02-28
⋅
PWC UK
⋅
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team |
| 2021-02-28
⋅
Recorded Future
⋅
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions PlugX ShadowPad RedEcho |
| 2021-02-23
⋅
CrowdStrike
⋅
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
| 2021-02-05
⋅
Twitter (@8th_grey_owl)
⋅
Tweet on CALMTHORN, used by Tonto Team CALMTHORN |
| 2021-01-14
⋅
PTSecurity
⋅
Higaisa or Winnti? APT41 backdoors, old and new Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
| 2021-01-13
⋅
AlienVault
⋅
A Global Perspective of the SideWinder APT 8.t Dropper Koadic SideWinder |
| 2021-01-04
⋅
nao_sec blog
⋅
Royal Road! Re:Dive 8.t Dropper Chinoxy FlowCloud FunnyDream Lookback |
| 2020-12-10
⋅
ESET Research
⋅
Operation StealthyTrident: corporate software under attack HyperBro PlugX ShadowPad Tmanger |
| 2020-11-23
⋅
Youtube (OWASP DevSlop)
⋅
Compromised Compilers - A new perspective of supply chain cyber attacks ShadowPad |
| 2020-11-03
⋅
Kaspersky Labs
⋅
APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
| 2020-10-30
⋅
YouTube (Kaspersky Tech)
⋅
Around the world in 80 days 4.2bn packets Cobalt Strike Derusbi HyperBro Poison Ivy ShadowPad Winnti |
| 2020-10-27
⋅
Dr.Web
⋅
Study of the ShadowPad APT backdoor and its relation to PlugX Ghost RAT PlugX ShadowPad |
| 2020-10-03
⋅
Trend Micro
⋅
Earth Akhlut: Exploring the Tools, Tactics, and Procedures of an Advanced Threat Actor Operating a Large Infrastructure Dexbia TypeHash |
| 2020-09-18
⋅
Symantec
⋅
APT41: Indictments Put Chinese Espionage Group in the Spotlight CROSSWALK PlugX poisonplug ShadowPad Winnti |
| 2020-09-16
⋅
RiskIQ
⋅
RiskIQ: Adventures in Cookie Land - Part 2 8.t Dropper Chinoxy Poison Ivy |
| 2020-09-08
⋅
PTSecurity
⋅
ShadowPad: new activity from the Winnti group CCleaner Backdoor Korlia ShadowPad TypeHash |
| 2020-08-19
⋅
NTT Security
⋅
Operation LagTime IT: Colorful Panda Footprint 8.t Dropper Cotx RAT Poison Ivy TA428 |
| 2020-08-19
⋅
RiskIQ
⋅
RiskIQ Adventures in Cookie Land - Part 1 8.t Dropper Chinoxy |
| 2020-08-13
⋅
Kaspersky Labs
⋅
CactusPete APT group’s updated Bisonal backdoor Korlia Tonto Team |
| 2020-07-29
⋅
Kaspersky Labs
⋅
APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
| 2020-07-14
⋅
CrowdStrike
⋅
Manufacturing Industry in the Adversaries’ Crosshairs ShadowPad Snake |
| 2020-06-25
⋅
Dr.Web
⋅
BackDoor.ShadowPad.1 ShadowPad |
| 2020-06-03
⋅
Kaspersky Labs
⋅
Cycldek: Bridging the (air) gap 8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing |
| 2020-03-21
⋅
MalwareLab.pl
⋅
On the Royal Road 8.t Dropper |
| 2020-03-20
⋅
Medium Sebdraven
⋅
New version of chinoxy backdoor using COVID19 alerts document lure 8.t Dropper Chinoxy |
| 2020-03-12
⋅
Check Point Research
⋅
Vicious Panda: The COVID Campaign 8.t Dropper Vicious Panda |
| 2020-03-12
⋅
Check Point
⋅
Vicious Panda: The COVID Campaign 8.t Dropper BYEBY Enfal Korlia Poison Ivy |
| 2020-03-11
⋅
Virus Bulletin
⋅
Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers 8.t Dropper |
| 2020-03-05
⋅
Cisco Talos
⋅
Bisonal: 10 years of play Korlia |
| 2020-03-05
⋅
⋅
AhnLab
⋅
신천지 비상연락처 위장한 Bisonal 악성코드 유포 중 Korlia |
| 2020-03-04
⋅
CrowdStrike
⋅
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
| 2020-03-03
⋅
PWC UK
⋅
Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle |
| 2020-01-31
⋅
ESET Research
⋅
Winnti Group targeting universities in Hong Kong ShadowPad Winnti |
| 2020-01-29
⋅
nao_sec blog
⋅
An Overhead View of the Royal Road BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader |
| 2020-01-17
⋅
⋅
NTT Security
⋅
Operation Bitter Biscuit Korlia |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE HUNTLEY Korlia |
| 2019-11-19
⋅
FireEye
⋅
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions APT1 APT10 APT2 APT26 APT3 APT30 APT41 Naikon Tonto Team |
| 2019-10-07
⋅
ESET Research
⋅
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group LOWKEY shadowhammer ShadowPad |
| 2019-09-23
⋅
MITRE
⋅
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
| 2019-09-22
⋅
Check Point Research
⋅
Rancor: The Year of The Phish 8.t Dropper Cobalt Strike |
| 2019-07-23
⋅
Proofpoint
⋅
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia 8.t Dropper Cotx RAT Poison Ivy TA428 |
| 2019-05-09
⋅
Youtube (FireEye Korea)
⋅
Over the Horizon: Innovating to confront evolving cyber threats CALMTHORN |
| 2019-04-25
⋅
⋅
DATANET
⋅
Chinese-based hackers attack domestic energy institutions CALMTHORN Ghost RAT |
| 2019-04-23
⋅
Kaspersky Labs
⋅
Operation ShadowHammer: a high-profile supply chain attack shadowhammer ShadowPad |
| 2019-04-22
⋅
Trend Micro
⋅
C/C++ Runtime Library Code Tampering in Supply Chain shadowhammer ShadowPad Winnti |
| 2019-03-22
⋅
AhnLab
⋅
ASEC REPORT VOL.93 Q4 2018 Korlia |
| 2019-03-05
⋅
Accenture
⋅
MUDCARP's Focus on Submarine Technologies 8.t Dropper APT40 |
| 2019-01-03
⋅
⋅
Another malicious document with CVE-2017–11882 8.t Dropper |
| 2018-11-03
⋅
⋅
Là 1937CN hay OceanLotus hay Lazarus … 8.t Dropper |
| 2018-07-31
⋅
Medium Sebdraven
⋅
Malicious document targets Vietnamese officials 8.t Dropper |
| 2018-07-31
⋅
Medium Sebdraven
⋅
Malicious document targets Vietnamese officials 8.t Dropper PlugX 1937CN |
| 2018-07-31
⋅
Palo Alto Networks Unit 42
⋅
Bisonal Malware Used in Attacks Against Russia and South Korea Korlia |
| 2018-05-15
⋅
BSides Detroit
⋅
IR in Heterogeneous Environment Korlia Poison Ivy |
| 2017-08-15
⋅
Kaspersky Labs
⋅
ShadowPad in corporate networks ShadowPad |
| 2017-04-21
⋅
The Wall Street Journal
⋅
China Hacked South Korea Over Missile Defense, U.S. Firm Says Tonto Team |
| 2017-04-21
⋅
The Wall Street Journal
⋅
China Hacked South Korea Over Missile Defense, U.S. Firm Says Tonto Team |
| 2017-04-21
⋅
Ars Technica
⋅
Researchers claim China trying to hack South Korea missile defense efforts Tonto Team |
| 2014-11-25
⋅
Adventures in Security
⋅
Curious Korlia Korlia |
| 2014-02-24
⋅
RSA Conference
⋅
The Art of Attribution Identifying and Pursuing your Cyber Adversaries ANDROMEDA SPIDER APT19 DEXTOROUS SPIDER Ghost Jackal Silent Chollima SINGING SPIDER Tonto Team TOXIC PANDA UNION SPIDER |
| 2013-01-01
⋅
FireEye
⋅
APTs By The Dozen: Dissecting Advanced Attacks Korlia |