ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Tonto Team, HartBeat, Karma Panda

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Tonto Team, HartBeat, Karma Panda

NamesTonto Team (FireEye)
HeartBeat (Trend Micro)
Karma Panda (CrowdStrike)
CactusPete (Kaspersky)
Bronze Huntley (SecureWorks)
Earth Akhlut (Trend Micro)
LoneRanger (?)
TAG-74 (Recorded Future)
CountryChina China
SponsorState-sponsored, Shenyang Military Region Technical Reconnaissance Bureau, possibly Unit 65017
MotivationInformation theft and espionage
First seen2009
Description(Trend Micro) The first HeartBeat campaign remote access tool (RAT) component was discovered in June 2012 in a Korean newspaper company network. Further investigation revealed that the campaign has been actively distributing their RAT component to their targets in 2011 and the first half of 2012. Furthermore, we uncovered one malware component that dates back to November 2009. This indicates that the campaign started during that time or earlier.

The HeartBeat campaign appears to target government organizations and institutions or communities that are in some way related to the South Korean government. Specifically, we were able to identify the following targets:

• Political parties
• Media outfits
• A national policy research institute
• A military branch of South Korean armed forces
• A small business sector organization
• Branches of South Korean government

The profile of their targets suggests that the motive behind the campaign may be politically motivated.

(Kaspersky) The actor has quite likely relied on much the same codebase and implant variants for the past six years. However these have broadened substantially since 2018. The group spear-phishes its targets, deploys Word and Equation Editor exploits and an appropriated/repackaged DarkHotel VBScript zero-day, delivers modified and compiled unique Mimikatz variants, GSEC and WCE credential stealers, a keylogger, various Escalation of Privilege exploits, various older utilities and an updated set of backdoors, and what appear to be new variants of custom downloader and backdoor modules.
ObservedSectors: Defense, Financial, Government, IT, Media.
Countries: India, Japan, Mongolia, Russia, South Korea, Taiwan, USA and Eastern Europe.
Tools used8.t Dropper, Bioazih, Bisonal, Dexbia, DoubleT, Flapjack, Mimikatz, ShadowPad Winnti, Living off the Land.
Operations performedNov 2009Operation “Bitter Biscuit”
Feb 2017FireEye's director of cyber-espionage analysis John Hultquist told the Wall Street Journal that FireEye had detected a surge in attacks against South Korean targets from China since February, when South Korea announced it would deploy THAAD in response to North Korean missile tests.
Mar 2019CactusPete APT group’s updated Bisonal backdoor
The backdoor was used to target financial and military organizations in Eastern Europe
Late 2019At the end of 2019 the group seemed to shift towards a heavier focus on Mongolian and Russian organizations.
Dec 2019In this campaign, the CactusPete threat actor used a new method to drop an updated version of the DoubleT backdoor onto the computers.
2020Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities
Mar 2021Exchange servers under siege from at least 10 APT groups
Jun 2022Nice Try Tonto Team
Apr 2023Tonto Team Using Anti-Malware Related Files for DLL Side-Loading

Last change to this card: 12 October 2023

Download this actor card in PDF or JSON format

Previous: Tomiris
Next: Tortilla

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]