Skip to main content
Mallory
Back to threat actors
China🇨🇳 CN10 malware familiesExploits CVEs in the wild

Tonto Team

Also known asBRONZE HUNTLEYCactusPeteCopper TyphoonEarth AkhlutKarma PandaSharp-Rtag_74Tonto Team

Tonto Team is a Chinese-linked cyber-espionage threat actor also known as CactusPete, Karma Panda, BRONZE HUNTLEY, COPPER TYPHOON, Earth Akhlut, SharpR, and TAG-74. The content states that CactusPete is a Chinese-speaking cyber-espionage group and that researchers connected Tonto Team to China. The group has been publicly known since at least 2013. According to the content, Tonto Team has targeted organizations in Eastern Europe, including compromising the email servers of a procurement company and a consulting company specialized in software development and cybersecurity. Separate reporting in the content links ShadowPad activity associated with BRONZE HUNTLEY to targets in South Korea, Russia, Japan, and Mongolia. The group has delivered payloads via spearphishing attachments and relied on user interaction to open malicious RTF documents. The content also states that Tonto Team has used PowerShell to download additional payloads, abused a legitimate and signed Microsoft executable to launch a malicious DLL, and exploited CVE-2019-0803 and MS16-032 for privilege escalation. Bisonal is described as a remote access trojan that is part of the Tonto Team arsenal. The content also links Tonto Team/CactusPete to ShadowPad-related activity, including references to a strong connection between recent ShadowPad samples and the CactusPete threat actor. ShadowPad is noted in the content as malware shared among multiple Chinese threat actors, including CactusPete/Tonto Team.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇰🇷 South Korea
  • 🇷🇺 Russia
  • 🇯🇵 Japan
  • 🇲🇳 Mongolia

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

42 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics58 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1608×2
Stage Capabilities
TA0001
Initial Access
3 techniques
T1190×3
Exploit Public-Facing Application
T1195
Supply Chain Compromise
T1566
Phishing
T1566.001×14
Spearphishing Attachment
T1566.002×3
Spearphishing Link
TA0002
Execution
5 techniques
T1059×2
Command and Scripting Interpreter
T1059.001×13
PowerShell
T1059.005
Visual Basic
T1129×2
Shared Modules
T1203×3
Exploitation for Client Execution
T1204
User Execution
T1204.002×8
Malicious File
T1574
Hijack Execution Flow
T1574.001×3
DLL
TA0003
Persistence
3 techniques
T1137
Office Application Startup
T1137.001
Office Template Macros
T1505
Server Software Component
T1505.003×3
Web Shell
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
2 techniques
T1068×6
Exploitation for Privilege Escalation
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0005
Stealth
5 techniques
T1027
Obfuscated Files or Information
T1027.005
Indicator Removal from Tools
T1218
System Binary Proxy Execution
T1218.001
Compiled HTML File
T1480
Execution Guardrails
T1564
Hide Artifacts
T1564.006
Run Virtual Instance
T1574
Hijack Execution Flow
T1574.001×3
DLL
TA0006
Credential Access
2 techniques
T1003×2
OS Credential Dumping
T1552
Unsecured Credentials
TA0007
Discovery
6 techniques
T1012
Query Registry
T1069
Permission Groups Discovery
T1069.001×2
Local Groups
T1087
Account Discovery
T1087.001
Local Account
T1087.002
Domain Account
T1135×3
Network Share Discovery
T1482
Domain Trust Discovery
T1518
Software Discovery
T1518.001
Security Software Discovery
TA0008
Lateral Movement
1 technique
T1210
Exploitation of Remote Services
TA0009
Collection
1 technique
T1039
Data from Network Shared Drive
TA0011
Command and Control
5 techniques
T1071
Application Layer Protocol
T1071.001×2
Web Protocols
T1090
Proxy
T1090.003
Multi-hop Proxy
T1105×3
Ingress Tool Transfer
T1132
Data Encoding
T1132.001
Standard Encoding
T1573
Encrypted Channel
T1573.001
Symmetric Cryptography
T1573.002
Asymmetric Cryptography
TA0010
Exfiltration
1 technique
T1041×2
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

10 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ShadowPadThe ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017.5May 26, 2026
BisonalOn one of the IP addresses on ShadowPad infrastructure, we found domains used in Bisonal RAT attacks in 2015–2020.4May 26, 2026
DoubleT“September and October 2019: a DoubleT backdoor campaign, targeting military-related and unknown victims; … December 2019 to April 2020: a modified DoubleT backdoor campaign…”2Mar 18, 2026
Brute Ratel C4This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities.1Mar 17, 2026
Cobalt StrikeDetects the PowerShell pattern used at the end of a Cobalt Strike PowerShell loader to perform the decompression of the executable. This loader is used in attacks such as scripted web delivery. Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. Cobalt Strike's popularity is mainly due to its beacons or payload being stealthy, and easily customizable. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands.1May 6, 2026

5 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

13 CVEs this actor has used in observed campaigns. 13 of them exploited in the wild.

CVE-2018-0798Microsoft Office Equation Editor Memory Corruption RCEIn the wildEvidence3

In 2019, the actor behind Bisonal used a new way to deploy the machine on the target's systems. They sent a malicious RTF document to the targets with an exploit targeting the CVE-2018-0798 (Microsoft's Equation Editor vulnerability). The purpose of the shellcode was not to execute the malware (as it is usual) but simply to drop it in the %APPDATA%\microsoft\word\startup\ repository with the .wll extension.

CVE-2018-8174Windows VBScript Engine Remote Code Execution VulnerabilityIn the wildEvidence3

May 2018: a new wave of targeted attacks abusing CVE-2018-8174 (this exploit has been associated with the DarkHotel APT group, as described on Securelist), with diplomatic, defense, manufacturing, military and government targets in Asia and Eastern Europe;

CVE-2017-11882Microsoft Office Equation Editor Remote Code ExecutionIn the wildEvidence2

...has exploited Office vulnerabilities such as CVE-2017-11882...

CVE-2018-0802Microsoft Office Equation Editor Memory Corruption RCEIn the wildEvidence2

...has exploited Microsoft Office vulnerabilities... CVE-2018-0802.

CVE-2019-0803Win32k Elevation of Privilege VulnerabilityIn the wildEvidence2

Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges.

8 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

81 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

81 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
May 3, 2026
Detection: Linux Auditd Copy Fail Privilege Escalation | Splunk Security Content

Listed in the detection annotations as a threat actor associated with exploitation for privilege escalation.

Read more
splunk researchNews
Apr 20, 2026
Detection: PowerShell Environment Variable Execution | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Potato Privilege Escalation Tool Execution | Splunk Security Content

Referenced as a threat actor associated with exploitation for privilege escalation, specifically the use of Windows Potato-family privilege escalation tools.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows MSI Rollback Script Deleted By Non-Msiexec Process | Splunk Security Content

Listed in the detection annotations as a threat actor associated with MSI-based privilege escalation and Msiexec abuse techniques.

Read more
+74 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping42

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal10

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs13

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables81

Domains, IPs, and hashes tied to this actor, refreshed continuously.