Tonto Team · G0131 · state
🇨🇳 CN
aka Tonto Team, Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda
Last updated: 2026-07-03
About this actor
[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 the group had expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://attack.mitre.org/groups/G0131) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017). (Citation: Kaspersky CactusPete Aug 2020) (Citation: ESET Exchange Mar 2021) (Citation: FireEye Chinese Espionage October 2019) (Citation: ARS Technica China Hack SK April 2017) (Citation: Trend Micro HeartBeat Campaign January 2013) (Citation: Talos Bisonal 10 Years March 2020)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
- 2019 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2019-9489 | 5.5 | 7.5 | 0.0226 | 2019-04-05 | see CVE |
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 19 / 23 | 83% |
| CM-6 | 18 / 23 | 78% |
| CM-2 | 17 / 23 | 74% |
| SI-3 | 16 / 23 | 70% |
| CA-7 | 13 / 23 | 57% |
| AC-4 | 12 / 23 | 52% |
| CM-7 | 12 / 23 | 52% |
| SI-2 | 12 / 23 | 52% |
| SI-7 | 12 / 23 | 52% |
| AC-6 | 10 / 23 | 43% |
| SC-7 | 10 / 23 | 43% |
| AC-2 | 9 / 23 | 39% |
| AC-3 | 9 / 23 | 39% |
| RA-5 | 9 / 23 | 39% |
| SI-10 | 8 / 23 | 35% |
Co-occurring actors
- Mustang Panda: 1 shared CVE
- SolarWinds Compromise: 1 shared CVE
- APT38: 1 shared CVE
- Ember Bear: 1 shared CVE
- GOLD SOUTHFIELD: 1 shared CVE
- Aquatic Panda: 1 shared CVE
- APT28: 1 shared CVE
- Sandworm Team: 1 shared CVE
- Ajax Security Team: 1 shared CVE
- FIN7: 1 shared CVE
Similar actors
Similar TTPs
- PLATINUM 0.31
- TA459 0.29
- Ajax Security Team 0.27
- Whitefly 0.27
- Nomadic Octopus 0.26
Active in same years
- BlackByte 2.00
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
Same nation-state
- Night Dragon 1.00
- FunnyDream 1.00
- Operation Wocao 1.00
- C0017 1.00
- Cutting Edge 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00