From 5194939603e3deec66128c3d62a86bad354c49e2 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:06 -0800
Subject: [PATCH] [threat-actors] Add Tonto Team aliases
---
 clusters/threat-actor.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 78ac9c3..5b50671 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5162,6 +5162,7 @@
 "value": "Cyber Berkut"
 },
 {
+ "description": "Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
@@ -5185,7 +5186,11 @@
 "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
+ "https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html",
+ "https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf",
+ "https://www.recordedfuture.com/multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities"
 ],
 "synonyms": [
 "CactusPete",
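Review bot: The added `description` names spear-phishing attachments as the group's preferred delivery method and mentions no other intrusion vector, while the same entry's `refs` include an ESET article whose URL reads "exchange-servers-under-siege" and, added by this patch, a Trend Micro article whose URL describes a supply-chain attack. Going by those URLs alone, analysts who scope detections from the description would overlook server exploitation and software supply-chain compromise. I would confirm against the reports and, if they attribute that activity to this group, extend the last sentence, e.g. `They mainly distribute malware through spear-phishing attachments, and have also been reported exploiting Exchange servers and compromising a software supply chain.` The entry's object opens in this hunk and continues past it.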
@@ -5194,7 +5199,9 @@
 "COPPER",
 "Red Beifang",
 "G0131",
- "PLA Unit 65017"
+ "PLA Unit 65017",
+ "Earth Akhlut",
+ "TAG-74"
 ]
 },
 "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
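Review bot: `"Earth Akhlut"` and `"TAG-74"` are added to `synonyms` as if they were the same actor, but the visible lines do not say whether the new Trend Micro and Recorded Future refs equate these vendor tracking names with Tonto Team or only report overlapping activity. Synonyms are typically used for lookup and correlation, so an overlap-only name would pull another vendor's cluster under this entry's `cfr-suspected-state-sponsor` and its `attribution-confidence` of `"50"`. I would confirm each alias against its report and check the rest of `clusters/threat-actor.json` for an existing cluster or synonym with the same value. Where a report only claims overlap, state that in `description` rather than listing the name in `synonyms`. The `synonyms` array and the enclosing object begin before this hunk.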