Security Experts:

Connect with us

Hi, what are you looking for?



Cybersecurity Firm Group-IB Repeatedly Targeted by Chinese APT

Cybersecurity company Group-IB claims it was repeatedly targeted by a Chinese APT called Tonto Team, CactusPete, and Karma Panda.

Cybersecurity company Group-IB claims it was repeatedly targeted in the past years by a threat actor believed to be linked to the Chinese government.

In a blog post published on Monday, Group-IB said it was targeted by the advanced persistent threat (APT) group known as Tonto Team, Karma Panda, CactusPete, Bronze Huntley, Earth Akhlut and HeartBeat. 

The most recent attack was detected in June 2022, but an analysis revealed that Tonto Team also targeted the cybersecurity firm in 2021. The attack aimed at Group-IB involved emails carrying malicious attachments being sent to the company’s employees.

Tonto Team is believed to have been around since at least 2009, targeting military, diplomatic, and infrastructure entities in Asia and Eastern Europe. The cyberspies have often targeted Russian organizations, including government agencies.

Group-IB is based in Singapore, but it’s a Russian company at its heart. Last year, a few months after Russia launched its invasion of Ukraine, Group-IB announced that it would separate its Russian and international business into distinct companies. 

The June 2022 attack attributed to Tonto Team was detected by Group-IB’s solutions before the malicious emails were delivered to employees. The phishing emails, written in Russian, contained malicious Office documents created with a tool named Royal Road Weaponizer, which has widely been used by Chinese state-sponsored threat actors to deliver exploits.

An analysis of the incident revealed that the hackers attempted to use the Bisonal.DoubleT backdoor, which appears to be exclusively used by Tonto Team. 

The cybersecurity firm checked its logs and found evidence of another email attack likely carried out by the same Chinese group exactly one year earlier. 

Group-IB also pointed out that Tonto Team was previously observed by ESET attacking an Eastern European consulting company specializing in software development and cybersecurity. 

“The main goal of Chinese APTs are espionage and intellectual property theft. Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear phishing to deliver malicious documents using vulnerabilities with decoys specially prepared for this purpose,” Group-IB said.

“Successful supply chain attacks against IT and cybersecurity companies give attackers access to a large number of victims’ customers and partners,” it added.

Related: Chinese APT ‘Bronze Starlight’ Uses Ransomware to Disguise Cyberespionage

Related: Belgium Says Chinese APTs Targeted Interior, Defense Ministries

Related: Play Ransomware Group Claims Attack on A10 Networks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...