Tonto Team's Failed Attempt To Compromise Group IB


Activity attributed to the Chinese espionage group Tonto Team has targeted various strategic sectors, including healthcare, government, financial, education, military, energy, and information technology, since at least 2009.

In a recent campaign, the threat group targeted the security firm Group IB by sending weaponized attachments to employees.

Masquerading as employees of legitimate organizations, the Tonto Team used a fake email ID created with GMX Mail.

The malicious attachments were created with the Royal Road weaponizer, which can create documents that attempt to exploit CVEs related to the MS Equation Editor vulnerabilities.

The campaign further used the Bisonal DoubleT backdoor as well as the TontoTeam.Downloader (aka QuickMute) to achieve the threat actor's objective, which included collecting Group IB intellectual property.


Glesec Information Sharing Protocol

GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).

  • TLP-White

    Disclosure is Not Limited.

  • TLP-Green

    Limited Disclosure, Restricted Only to the Community.

  • TLP-Amber

    Limited Disclosure, restricted to the Participant's Organization.

  • TLP-Red

    Not for Disclosure, Restricted/Classified - Only Shared with US DHS.
