TLP-GREEN
Activity attributed to the Chinese espionage group Tonto Team has targeted strategic sectors including healthcare, government, financial, education, military, energy and information technology since at least 2009.
In a recent campaign the threat group targeted the security firm Group IB by sending weaponized attachments to its employees.
Masquerading as employees of legitimate organizations, Tonto Team used fake email IDs created with GMX Mail.
The malicious attachments were created with the Royal Road weaponizer, which produces documents that attempt to exploit the CVEs affecting the MS Equation Editor.
The campaign further used the Bisonal DoubleT backdoor as well as TontoTeam.Downloader (aka QuickMute) to achieve the threat actor's objective, which included collecting Group IB intellectual property.
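The alert does not describe the internals of the Royal Road documents, but Equation Editor exploit documents are RTF files that embed an OLE object of class Equation.3, and that is what a mail gateway or triage script can look for. The following is an added example, not code from the alert or from Glesec: a small Python triage routine that flags RTF attachments declaring an Equation Editor object class, or carrying the hex-encoded class name inside an `\objdata` blob when the declared class has been obscured. Both sample documents are constructed for the example.

```python
import re

# Constructed sample inputs (not taken from the alert): a benign RTF and one
# that declares an embedded Equation Editor (Equation.3) OLE object, the
# component in which the MS Equation Editor CVEs live.
BENIGN_RTF = rb"{\rtf1\ansi\deff0 {\fonttbl{\f0 Calibri;}} Quarterly report.\par}"
SUSPECT_RTF = (
    rb"{\rtf1\ansi {\object\objemb{\*\objclass Equation.3}"
    # constructed OLE1 header: version, format id, 11-byte class name "Equation.3\0"
    rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}}"
)

# \objclass <name> declares the class of an embedded OLE object in RTF.
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\s{}\\]+)", re.IGNORECASE)

# "Equation.3" as it appears once hex-encoded inside an \objdata blob.
HEX_EQUATION_MARKER = b"4571756174696f6e2e33"


def triage_rtf(data: bytes) -> dict:
    """Return findings for one RTF blob: declared object classes, whether any
    of them is an Equation Editor class, whether the hex-encoded class name is
    present in the raw bytes, and an overall verdict string."""
    findings = {
        "is_rtf": data.lstrip().startswith(b"{\\rtf"),
        "object_classes": [],
        "equation_object": False,
        "hex_equation_marker": False,
        "verdict": "clean",
    }
    classes = [m.group(1).decode("latin-1") for m in OBJCLASS_RE.finditer(data)]
    findings["object_classes"] = classes
    findings["equation_object"] = any("equation" in c.lower() for c in classes)
    # Weaponized RTFs sometimes hide or mangle the declared class name; the
    # hex-encoded string "Equation.3" in \objdata can still give it away.
    findings["hex_equation_marker"] = HEX_EQUATION_MARKER in data.lower()
    if findings["equation_object"] or findings["hex_equation_marker"]:
        findings["verdict"] = "suspicious: embedded Equation Editor object"
    return findings


def flagged_attachments(attachments: dict) -> list:
    """Given {filename: bytes}, return the filenames whose verdict is not clean."""
    return [name for name, blob in attachments.items()
            if triage_rtf(blob)["verdict"] != "clean"]


if __name__ == "__main__":
    samples = {"report.rtf": BENIGN_RTF, "invoice.rtf": SUSPECT_RTF}
    for name, blob in samples.items():
        print(name, triage_rtf(blob)["verdict"])
    print("flagged:", flagged_attachments(samples))
```

The check is deliberately narrow: it answers "does this RTF try to load Equation Editor?" rather than "is this Royal Road?", which keeps it useful against other weaponizers that rely on the same component. A hit should route the attachment to sandbox detonation rather than be treated as proof of compromise on its own.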
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
TLP-White
Disclosure is Not Limited.
TLP-Green
Limited Disclosure, Restricted Only to the Community.
TLP-Amber
Limited Disclosure, Restricted to the Participant's Organization.
TLP-Red
Not for Disclosure, Restricted/Classified - Only Shared with US DHS.