Tonto Team fails to compromise Group-IB.
N2K, Feb 14, 2023

The security firm thwarted the phishing attacks.

Group-IB says its employees were targeted by a phishing campaign launched by the suspected Chinese threat actor Tonto Team.

Emails were designed to deliver the Bisonal RAT.

During the summer of 2022, Group-IB employees received phishing emails with malicious Office documents crafted with the Royal Road weaponizer, which is often used by Chinese state-sponsored actors. The emails were meant to deliver Bisonal.DoubleT, a strain of malware exclusively used by the Tonto Team. Group-IB’s security solution flagged the emails as malicious.
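As an added illustration of the defender-side check that an email security layer performs on attachments of the kind described above (this is example code written for this page, not Group-IB's product or any Tonto Team artifact): Royal Road is publicly documented as producing RTF documents that carry an embedded OLE object, and the scanner below parses an RTF blob for `\object` groups, reads the declared `\*\objclass`, and also recovers the class name from the OLE1 header inside `\*\objdata` in case the class declaration is absent. The sample documents are constructed inline; treating `Equation.3` as a suspicious class is an assumption drawn from public reporting on this weaponizer rather than anything stated on the page.

```python
import re

# RTF control words we care about (regex over raw bytes, so the document
# never needs to be decoded).
OBJECT_GROUP = re.compile(rb"\\object\b")
OBJCLASS = re.compile(rb"\\\*\\objclass\s+([^}\\]+)")
OBJDATA = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)")

# Assumption for this example: OLE classes that have no business appearing in
# an emailed document and are associated in public reporting with RTF
# weaponizers such as Royal Road.
SUSPICIOUS_CLASSES = {b"equation.3", b"equation.2", b"package"}


def ole1_class_name(hexblob: bytes):
    """Recover the class name from an OLE1 header encoded as RTF hex.

    OLE1 layout: version (4 bytes), format id (4 bytes), class-name length
    (4 bytes LE), class name (NUL-terminated). RTF allows whitespace and line
    breaks inside the hex stream, so strip those first.
    """
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:
        clean = clean[:-1]  # drop a dangling nibble rather than fail
    try:
        data = bytes.fromhex(clean.decode("ascii"))
    except ValueError:
        return None
    if len(data) < 12:
        return None
    n = int.from_bytes(data[8:12], "little")
    if n == 0 or n > 256 or 12 + n > len(data):
        return None
    return data[12:12 + n].rstrip(b"\x00")


def scan_rtf(blob: bytes) -> dict:
    """Return object count, discovered OLE class names, and a verdict."""
    classes = set()
    for m in OBJCLASS.finditer(blob):
        classes.add(m.group(1).strip())
    for m in OBJDATA.finditer(blob):
        name = ole1_class_name(m.group(1))
        if name:
            classes.add(name)
    objects = len(OBJECT_GROUP.findall(blob))
    suspicious = sorted(c for c in classes if c.lower() in SUSPICIOUS_CLASSES)
    # An embedded object whose class cannot be identified is itself worth a
    # second look, so it is not treated as clean.
    if suspicious or (objects and not classes):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "objects": objects,
        "classes": sorted(classes),
        "suspicious": suspicious,
        "verdict": verdict,
    }


# Constructed test documents (not real samples from the campaign).
RTF_WITH_EQUATION_OBJECT = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    rb"{\object\objemb{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000 " + b"\r\n"
    + rb"4571756174696f6e2e3300 00000000 00000000 04000000 deadbeef}}"
    rb"\par Quarterly report attached.}"
)
# Same object, but the \objclass declaration is omitted; only the OLE1 header
# inside \objdata reveals the class.
RTF_HIDDEN_CLASS = (
    rb"{\rtf1{\object\objemb"
    rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}}"
)
RTF_CLEAN = rb"{\rtf1\ansi{\fonttbl{\f0 Calibri;}}\par Agenda for Monday.}"

if __name__ == "__main__":
    for label, doc in [("equation", RTF_WITH_EQUATION_OBJECT),
                       ("hidden", RTF_HIDDEN_CLASS),
                       ("clean", RTF_CLEAN)]:
        print(label, scan_rtf(doc))
```

Run against a real mail flow, `scan_rtf` would be fed each attachment's bytes after the MIME layer has decoded them; the verdict is a triage signal for quarantine or sandbox detonation, not a replacement for full OLE parsing of the recovered object data.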

During its investigation, Group-IB found that it had also been targeted by the Tonto Team in 2021. Those attacks were likewise unsuccessful.

Threat actor was likely attempting to conduct espionage.

The researchers note that most Chinese state-sponsored threat actors are focused on conducting espionage or surveillance:

“Group-IB experts have previously warned about threats from TaskMasters and TA428, other Chinese nation-state cyber threat actors. Based on the conducted analysis, the company’s Threat Intelligence team concluded that Tonto Team is behind the 2021-2022 attempted attacks on Group-IB.

“The main goal[s] of Chinese APTs are espionage and intellectual property theft. Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear phishing to deliver malicious documents using vulnerabilities with decoys specially prepared for this purpose.”