Malware Profile Updated 3 months ago
ToddlerShark is a new variant of malware that has been linked to the North Korean threat group Kimsuky, also known as APT43, Emerald Sleet, and Velvet Chollima. The malware was named ToddlerShark by researchers at Kroll due to its resemblance to BabyShark, another malware used by the same hacking group. This new strain exploits recently disclosed vulnerabilities in ScreenConnect applications, which have also been targeted by other threat groups using different types of malware such as Play and LockBit ransomware. The primary function of ToddlerShark is data theft; it collects host, user, network, and security software information, along with details about installed software and running processes. After gathering this data, ToddlerShark uses the built-in Windows command certutil to encode the stolen information in a Privacy Enhanced Mail (PEM) certificate, which is then exfiltrated to the Command and Control (C2) web application. The malware exhibits polymorphic behavior, changing identity strings in code and generating junk code to alter the position of the code, making it difficult to detect in some environments. Kroll's research team identified an attempted compromise exhibiting Kimsuky’s hallmarks, which was detected and stopped by the Kroll Responder team. The post-exploitation phase of this attack included the deployment of the ToddlerShark malware, leveraging a second vulnerability in ScreenConnect applications. Given these findings, patching ScreenConnect applications is imperative to prevent further exploitation by ToddlerShark or other similar malware strains.
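As an added example (not code from the page or from Kroll's report), a small detection routine run over constructed process-creation log lines: it flags a certutil -encode invocation that follows, on the same host and within a time window, the host, user, network, process and security-software discovery described above. The event field names, the sample command lines and the discovery patterns are assumptions made for the example.

```python
import re
from collections import defaultdict

# Discovery commands matching the collection the profile describes (host, user,
# network, running processes, installed software, security software). Assumed set.
DISCOVERY_PATTERNS = {
    "host": re.compile(r"\bsysteminfo\b"),
    "user": re.compile(r"\bwhoami\b|\bnet\s+user\b"),
    "network": re.compile(r"\bipconfig\b|\bnetstat\b"),
    "processes": re.compile(r"\btasklist\b"),
    "software": re.compile(r"\bwmic\b.*\bproduct\b"),
    "security_sw": re.compile(r"securitycenter2|\bantivirusproduct\b"),
}
# certutil -encode <in> <out> wraps a file in base64 PEM certificate markers;
# the output path is captured so the alert names the staged file.
CERTUTIL_ENCODE = re.compile(r"\bcertutil(?:\.exe)?\b.*\s[-/]encode\s+\S+\s+(\S+)")

def classify(cmdline):
    """Return (discovery categories hit, certutil -encode output file or None)."""
    c = cmdline.lower()
    hits = {k for k, p in DISCOVERY_PATTERNS.items() if p.search(c)}
    m = CERTUTIL_ENCODE.search(c)
    return hits, (m.group(1) if m else None)

def detect(events, window=600):
    """events: dicts with host, ts (epoch seconds), cmdline. One alert per
    certutil -encode; severity rises when discovery preceded it on that host."""
    recent = defaultdict(list)  # host -> [(ts, categories)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        cats, outfile = classify(ev["cmdline"])
        host = ev["host"]
        if cats:
            recent[host].append((ev["ts"], cats))
        if outfile:
            seen = set()
            for ts, c in recent[host]:
                if ev["ts"] - ts <= window:
                    seen |= c
            alerts.append({"host": host, "ts": ev["ts"], "outfile": outfile,
                           "discovery": sorted(seen),
                           "severity": "high" if len(seen) >= 2 else "medium"})
    return alerts

# Constructed sample events (not real telemetry): ws01 shows the full pattern,
# ws02 a lone encode, ws03 a benign certutil use that must not alert.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "cmdline": "systeminfo"},
    {"host": "ws01", "ts": 101, "cmdline": "tasklist /v"},
    {"host": "ws01", "ts": 102, "cmdline": "wmic /namespace:\\\\root\\securitycenter2 path antivirusproduct get displayname"},
    {"host": "ws01", "ts": 150, "cmdline": "certutil -encode C:\\Users\\Public\\out.txt C:\\Users\\Public\\out.pem"},
    {"host": "ws02", "ts": 200, "cmdline": "certutil.exe -encode C:\\temp\\a.bin C:\\temp\\a.txt"},
    {"host": "ws03", "ts": 300, "cmdline": "certutil -verify cert.cer"},
]
```

Running detect(SAMPLE_EVENTS) yields a high-severity alert for ws01 and a medium one for ws02, and nothing for the benign certutil -verify on ws03.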
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description
BabyShark is a malicious software (malware) that has been linked to the North Korean Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as Thallium and Velvet Chollima. This malware, written in Microsoft Visual Basic script, was first identified in November 2018 and was used p
ReconShark is a new malware variant deployed by the North Korea-linked Advanced Persistent Threat (APT) group, Kimsuky. This tool has been observed in an ongoing campaign, used as an infostealer-downloader and is a new iteration of the group's custom BabyShark malware family. The ReconShark tool is
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
ID / Type / Votes / Profile Description
LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Associated Threat Actors
ID / Type / Votes / Profile Description
Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi
Velvet Chollima (Type: Unspecified)
Velvet Chollima, also known as Kimsuky, APT43, Thallium, Black Banshee, and Emerald Sleet among other names, is a threat actor believed to be based in North Korea. The group has been active since 2012 and is linked to North Korea’s General Reconnaissance Bureau, the country's main military intellige
Associated Vulnerabilities
ID / Type / Votes / Profile Description
No associations to display
Source Document References
Information about the ToddlerShark malware was read from the document corpus below. This display is limited to 20 results.
5 months ago
North Korea’s Kimsuky gang joins rush to exploit new ScreenConnect bugs
5 months ago
Cyber Security Today, March 6, 2024 – VMware and Apple rush out security updates, a new ScreenConnect malware is found, and more | IT World Canada News
4 months ago
Multiple Vulnerabilities Found In ConnectWise ScreenConnect | Zscaler