Tonto Team is a suspected PLA-affiliated Chinese cyber espionage group. Reporting in the provided content states that suspected PLA groups such as Tonto Team, Tick, Naikon, and RedFoxtrot remain prominent in the Chinese cyber espionage sphere. The group has been reported to concentrate targeting on Russia, South Korea, and Japan, and may also be linked to activity involving Mongolia and Vietnam in some reporting. Researchers cited in the content believe Bisonal attacks were performed by Tonto Team, while other reporting argues that overlaps in tooling, infrastructure, and targeting suggest some Bisonal activity may instead be linked to Winnti/APT41; this linkage is contested in the provided material and should be treated cautiously. The content states that Tonto Team has delivered payloads via spearphishing attachments and has routed traffic through an external server to obfuscate its location. It also notes reporting that TA428 shared the Royal Road RTF weaponizer with Tick and Tonto Team. ATT&CK technique references associated with Tonto Team in the provided material include exploitation for privilege escalation (T1068), PowerShell execution (T1059.001), malicious file execution (T1204.002), exploit public-facing application (T1190), Windows service persistence (T1543.003), web shell persistence (T1505.003), command and scripting interpreter use (T1059), and use of PowerShell to gather LAPS passwords. Known alias in the provided content: Tonto Team.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named threat actor referenced in retrospective threat reporting.
Referenced in the detection annotations as a threat actor associated with exploitation for privilege escalation activity.
Listed as a threat actor associated with PowerShell execution behavior relevant to this detection.
Listed in the analytic annotations as a threat actor associated with exploitation for privilege escalation.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.