Cybersecurity company Group-IB claims it was repeatedly targeted in the past years by a threat actor believed to be linked to the Chinese government.
In a blog post published on Monday, Group-IB said it was targeted by the advanced persistent threat (APT) group known as Tonto Team, Karma Panda, CactusPete, Bronze Huntley, Earth Akhlut and HeartBeat.
The most recent attack was detected in June 2022, but an analysis revealed that Tonto Team also targeted the cybersecurity firm in 2021. The attack aimed at Group-IB involved emails carrying malicious attachments being sent to the company’s employees.
Tonto Team is believed to have been around since at least 2009, targeting military, diplomatic, and infrastructure entities in Asia and Eastern Europe. The cyberspies have often targeted Russian organizations, including government agencies.
Group-IB is based in Singapore, but it’s a Russian company at its heart. Last year, a few months after Russia launched its invasion of Ukraine, Group-IB announced that it would separate its Russian and international business into distinct companies.
The June 2022 attack attributed to Tonto Team was detected by Group-IB’s solutions before the malicious emails were delivered to employees. The phishing emails, written in Russian, contained malicious Office documents created with a tool named Royal Road Weaponizer, which has widely been used by Chinese state-sponsored threat actors to deliver exploits.
An analysis of the incident revealed that the hackers attempted to use the Bisonal.DoubleT backdoor, which appears to be exclusively used by Tonto Team.
The cybersecurity firm checked its logs and found evidence of another email attack likely carried out by the same Chinese group exactly one year earlier.
Group-IB also pointed out that Tonto Team was previously observed by ESET attacking an Eastern European consulting company specializing in software development and cybersecurity.
“The main goal of Chinese APTs are espionage and intellectual property theft. Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear phishing to deliver malicious documents using vulnerabilities with decoys specially prepared for this purpose,” Group-IB said.
“Successful supply chain attacks against IT and cybersecurity companies give attackers access to a large number of victims’ customers and partners,” it added.
Related: Chinese APT ‘Bronze Starlight’ Uses Ransomware to Disguise Cyberespionage
Related: Belgium Says Chinese APTs Targeted Interior, Defense Ministries
Related: Play Ransomware Group Claims Attack on A10 Networks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- New York Man Arrested for Running BreachForums Cybercrime Website
- Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
- Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111
- Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
- Cybercriminals, APT Exploited Telerik Vulnerability in Attacks on US Government Agency
Latest News
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Ferrari Says Ransomware Attack Exposed Customer Data
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
