Tonto Team
loader2 mutex signatures
[BASIC_INFORMATION]
FAMILY_NAME:
Tonto Team
CATEGORY:
LOADER
DESCRIPTION:
Tonto Team is a loader malware family used by a threat group known under several aliases, including HeartBeat, Karma Panda, CactusPete, Bronze Huntley, and Earth Akhlut. The loader downloads and executes additional payloads on compromised systems and has been observed in multiple targeted attack campaigns.
ALIASES:
TontoTeam
TAGS:
payload_delivery, multi_stage, targeted_attack, apt, persistence
[MUTEX_SIGNATURES](2)
[MUTEX_01]
{A931568B-94AF-449D-B7F6-6585EF9E9839}
ANALYST: @adhikara13 DATE: 2024-07-16
REFERENCES:
[MUTEX_02]
QuitMutex<pid>
ANALYST: @adhikara13 DATE: 2024-07-16
REFERENCES:
[THREAT_INTELLIGENCE]
ATTRIBUTION:
Tonto Team
HeartBeat
Karma Panda
CactusPete
Bronze Huntley
Earth Akhlut
FIRST_OBSERVED:
2018
[SIGMA_RULE]
[STATISTICS]
MUTEX_COUNT:2
THREAT_ACTORS:6
ALIASES:1
TAGS:5
CATEGORY:LOADER