Tonto is an advanced threat actor likely based in Asia that has been operating for over a decade. It has been targeting mainly East Asian government organizations and worldwide companies in different sensitive industries, including energy, transportation, and mining.

As an infection vector, the group sends spear-phishing emails with malicious attachments created with the help of the infamous 'Royal Road' RTF exploitation toolkit, which is known to be shared by different threat actors. The group also uses phishing websites to gather credentials.

After the successful exploitation of the targeted machine, the payloads they use include multiple custom backdoors, such as Bisonal and Dexbia, which are usually written using the MFC framework, and some more advanced families, such as Shadowpad, which is shared with a few other groups. Once they gain control of one host, the threat actors use a variety of custom or repackaged tools to gather credentials or elevate privileges through known Windows exploits.

Mapping and monitoring the attacker’s infrastructure allowed us to find interesting custom tools, such as a backend C&C panel for controlling infected machines. It also helped us find additional links to known threat actors. Tonto maintains at least 80 C2 servers and hundreds of domain names, proving a big operational capability.

In this presentation, we will analyse the infection vector, starting with the documents weaponized with the 'Royal Road' toolkit. The presentation will continue with the detailed analysis of the different custom as well as shared modules and malware families. We will summarize various post-exploitation tools that we noticed the threat actor using. Finally, we will share more intelligence about the attacker’s infrastructure and targets, as well as likely connections and overlaps with other known threat actors.