Tonto Team (also known as CactusPete and Earth Akhlut), the operator of the Bisonal RAT, is a state-sponsored advanced persistent threat group attributed to China and active since 2009. The group primarily targets military, government and diplomatic entities in East Asia. MITRE ATT&CK tracks the Bisonal malware as S0268; the group itself is tracked separately as Tonto Team (G0131).
Overview & Attribution
A long-running Chinese APT that uses the custom Bisonal RAT against military and government organizations across East Asia and Eastern Europe.
The group has been active since 2009 and is attributed to China. It targets military, government and diplomatic entities in East Asia using a combination of custom malware, living-off-the-land techniques and targeted social engineering.
- Attribution: China
- Active since: 2009
- Primary targets: military, government and diplomatic entities in East Asia
- Also known as: Tonto Team, CactusPete, Earth Akhlut
Arsenal & Tools
The group's arsenal combines its own malware with tooling shared across the Chinese APT ecosystem:
- Bisonal RAT: the group's custom remote access trojan, used for host profiling, command execution and file transfer on compromised Windows hosts
- Dexbia: an additional backdoor used in the group's operations
- ShadowPad: a modular backdoor shared among several China-nexus groups rather than unique to this one
Targeting & Operations
The group focuses on military, government and diplomatic entities in East Asia, with operations extending to Eastern Europe. Its campaigns typically begin with carefully crafted spearphishing, strategic watering holes or exploitation of public-facing applications.
Tonto Team operations are characterized by persistent, long-term access. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing: Spearphishing Attachment | Spearphishing emails carrying malicious documents |
| Execution | T1204.002 User Execution: Malicious File | Victim opens the weaponized document, which drops and runs the RAT |
| Persistence | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Run-key entry pointing at the dropped payload |
| Collection | T1056.001 Input Capture: Keylogging | Keystroke capture on the compromised host |
| Discovery | T1082 System Information Discovery | Host profiling (hostname, OS, process listing) reported to C2 |
| Command and Control | T1071.001 Application Layer Protocol: Web Protocols | HTTP-based C2 |
Notable Campaigns
The group has been linked to multiple significant campaigns against military, government and diplomatic targets in East Asia. It continuously evolves its tooling and infrastructure to evade detection while maintaining access to compromised networks.
- Long-term espionage: multi-year intrusions into government and defense networks
- Supply chain targeting: compromise of technology providers and managed service providers as a route to their customers
- Zero-day exploitation: use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: ingest published Bisonal and Tonto Team indicators (file hashes, C2 domains and IPs) into SIEM/EDR platforms and alert on matches
- Network monitoring: alert on HTTP-based C2 patterns, in particular periodic beaconing from workstations to newly seen external hosts
- Email security: block or detonate macro-enabled and exploit-laden Office attachments, the carrier for the group's spearphishing payloads
- Endpoint detection: alert on Office applications spawning shells or script hosts, and on new Run-key values that point at user-writable paths
- Patch management: prioritize patching of Office and public-facing application vulnerabilities reported as exploited by this group
- Lateral movement detection: monitor for anomalous authentication patterns and use of remote administration tools
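To make the endpoint and network items above concrete, here is an added example (written for this page; not Mjolnir Security's tooling and not derived from any Bisonal sample) that runs three of the ATT&CK table's techniques as checks over Sysmon-style event records: T1204.002 (an Office application spawning a shell or script host), T1547.001 (a Run-key value pointing into a user-writable directory) and T1071.001 (outbound web connections at near-constant intervals, i.e. beaconing). The event records, hostnames, SIDs and TEST-NET addresses are constructed for the example; the field names follow Sysmon event IDs 1, 3 and 13, and the beaconing threshold (at least four connections, interval jitter at most 15%) is an assumed heuristic, not a published Bisonal signature.

```python
"""Example detection pass for three Tonto Team/Bisonal TTPs over constructed
Sysmon-style events. Added example, not vendor code; thresholds are assumptions."""
import re
from collections import defaultdict
from statistics import mean, pstdev

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe",
                  "wscript.exe", "cscript.exe"}
# HKLM/HKU ...\Microsoft\Windows\CurrentVersion\Run or RunOnce
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories an unprivileged user can write to; a Run value here is suspicious
USER_WRITABLE_RE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE)


def _base(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_office_spawn(ev):
    """T1204.002: Office application spawned a shell or script host (Sysmon EventID 1)."""
    if ev.get("EventID") != 1:
        return None
    parent, child = _base(ev["ParentImage"]), _base(ev["Image"])
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        return ("T1204.002", f"{ev['Computer']}: {parent} spawned {child}")
    return None


def detect_run_key(ev):
    """T1547.001: Run/RunOnce value written pointing into a user-writable path (EventID 13)."""
    if ev.get("EventID") != 13:
        return None
    if RUN_KEY_RE.search(ev["TargetObject"]) and USER_WRITABLE_RE.search(ev["Details"]):
        return ("T1547.001", f"{ev['Computer']}: {ev['TargetObject']} -> {ev['Details']}")
    return None


def detect_beaconing(events, min_connections=4, max_jitter=0.15):
    """T1071.001: repeated web connections (EventID 3) from one host to one
    destination whose inter-connection gaps vary by at most max_jitter (assumed)."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 3 and ev.get("DestinationPort") in (80, 443, 8080):
            key = (ev["Computer"], ev["DestinationIp"], ev["DestinationPort"])
            buckets[key].append(ev["UtcTime"])  # epoch seconds in the constructed data
    hits = []
    for (host, ip, port), times in buckets.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # coefficient of variation
            hits.append(("T1071.001",
                         f"{host}: {len(times)} connections to {ip}:{port} every ~{avg:.0f}s"))
    return hits


def run_detections(events):
    """Return a list of (technique_id, description) for every matching event/pattern."""
    hits = []
    for ev in events:
        for check in (detect_office_spawn, detect_run_key):
            hit = check(ev)
            if hit:
                hits.append(hit)
    hits.extend(detect_beaconing(events))
    return hits


T0 = 1_700_000_000  # constructed base timestamp
# Constructed events: one true positive per technique plus benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "WS-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 13, "Computer": "WS-01",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "Computer": "WS-01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
] + [
    # Beacon: five HTTP connections roughly every 60 s to a TEST-NET-3 address
    {"EventID": 3, "Computer": "WS-01", "DestinationIp": "203.0.113.10", "DestinationPort": 80, "UtcTime": T0 + d}
    for d in (0, 60, 119, 181, 240)
] + [
    # Benign browsing: irregular HTTPS connections to a TEST-NET-2 address
    {"EventID": 3, "Computer": "WS-01", "DestinationIp": "198.51.100.5", "DestinationPort": 443, "UtcTime": T0 + d}
    for d in (0, 5, 300, 320)
]

if __name__ == "__main__":
    for technique, detail in run_detections(SAMPLE_EVENTS):
        print(technique, detail)
```

Each check is deliberately narrow so it can be tuned in isolation: the Run-key rule ignores values under Program Files (where legitimate installers write) and fires only on user-writable locations, and the beaconing rule keys on the coefficient of variation of the inter-connection gaps, so a long-lived RAT checking in every minute is caught while bursty browsing to the same host is not.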
Defend Against Bisonal RAT
Mjolnir Security provides specialized capabilities to detect and respond to Bisonal RAT operations.
- APT Threat Hunting Proactive hunting for Bisonal RAT TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence Continuous monitoring of Bisonal RAT campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.