Activity attributed to the Chinese espionage group Tonto Team has targeted various strategic sectors, including healthcare, government, finance, education, military, energy and information technology, since at least 2009.
In a recent campaign, the group targeted the security firm Group-IB by sending weaponized attachments to its employees.
Masquerading as employees of legitimate organizations, Tonto Team used fake email accounts created with GMX Mail.
The malicious attachments were built with the Royal Road weaponizer, which generates documents that attempt to exploit CVEs in the Microsoft Equation Editor.
The campaign further used the Bisonal DoubleT backdoor and the TontoTeam.Downloader (aka QuickMute) to achieve the threat actor's objective, which included collecting Group-IB intellectual property.
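As an added defender-side example (not code from the original report), the following Python script triages a constructed sample message for the two lure traits described above: an organization-impersonating display name on a GMX free-mail address, and an RTF attachment embedding an Equation Editor OLE object. The free-mail domain list, the filenames and the Equation.3 object class name are assumptions drawn from general knowledge, not values taken from the report.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Free-mail domains to treat as suspicious senders (assumed list; the report names GMX).
FREEMAIL_DOMAINS = {"gmx.com", "gmx.net", "gmx.de"}
# RTF control word naming an embedded OLE object of the Equation Editor class
# (assumed indicator based on general knowledge of such documents).
EQUATION_OBJ_RE = re.compile(rb"\\objclass\s*Equation\.3", re.IGNORECASE)


def build_sample_eml() -> bytes:
    """Constructed sample: an org-impersonating display name on a GMX address,
    carrying RTF content disguised as a .doc with an Equation Editor object."""
    msg = EmailMessage()
    msg["From"] = '"Example Corp Legal" <legal.examplecorp@gmx.com>'
    msg["To"] = "analyst@example.net"
    msg["Subject"] = "Contract documents"
    msg.set_content("Please review the attached contract.")
    rtf = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
           b"{\\*\\objdata 0105000002000000}}}")  # constructed, not a real payload
    msg.add_attachment(rtf, maintype="application", subtype="rtf",
                       filename="contract.doc")
    return msg.as_bytes()


def triage_message(raw: bytes) -> list[str]:
    """Return human-readable findings for the lure traits; empty list means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in FREEMAIL_DOMAINS and name:
        findings.append(f"free-mail sender with display name '{name}'")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        fname = part.get_filename() or ""
        if data.startswith(b"{\\rtf"):  # magic check, independent of extension
            if not fname.lower().endswith(".rtf"):
                findings.append(f"RTF content with mismatched extension: {fname}")
            if EQUATION_OBJ_RE.search(data):
                findings.append(f"Equation Editor OLE object in {fname}")
    return findings


if __name__ == "__main__":
    for finding in triage_message(build_sample_eml()):
        print("ALERT:", finding)
```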
SkyWatchSM Alert Legend
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
Disclosure is Not Limited.
Limited Disclosure, Restricted Only to the Community.
Limited Disclosure, restricted to the Participant's Organization.
Not for Disclosure, Restricted/Classified - Only Shared with US DHS.