Group-IB has confirmed that it detected and blocked an email carrying a malicious attachment sent by the Chinese threat actor Tonto Team. The phishing attack was successfully mitigated in June 2022 and disclosed by the cybersecurity company earlier this week. The statement explains how the threat actors behind the attack leverage phishing emails to deliver Microsoft Office documents crafted with the Royal Road Weaponizer, a tool that Group-IB says is associated with Chinese nation-state threat actors.
Additionally, Group-IB researchers noticed the use of the Bisonal.DoubleT backdoor, a tool that is unique to the Tonto Team APT. This allowed the security researchers to attribute the attack to Tonto Team, which has targeted government, military, energy, financial, educational, healthcare, and technology sector entities for the past decade. The group initially focused its attacks on the Asia-Pacific region and the United States, but has expanded its operations into Eastern Europe over the past few years.