Toddycat

ToddyCat is a threat actor, or malicious entity, known for executing actions with harmful intent. This group predominantly targets government organizations in the Asia-Pacific region to exfiltrate sensitive data. In April, ToddyCat was discovered utilizing SoftEther VPN to steal data on an "industrial scale" from governmental and defense targets within this region. Notably, it has also been observed that these tactics have now extended to Europe. The tools employed by ToddyCat include various means of data collection and extraction, as detailed in previous reports. Furthermore, ToddyCat Ninja, a specific tool linked to the group, was detected on a system approximately 10 minutes post-infection. The methods used by ToddyCat are multifaceted. One such method includes tunneling to legitimate cloud providers; this is achieved by running an application on the user's host with access to the local infrastructure that can connect to the cloud through a legitimate agent and redirect traffic or execute specific commands. While there are similarities between the Tactics, Techniques, and Procedures (TTP) used by ToddyCat and other Advanced Persistent Threat (APT) attacks, solid attribution to this group remains elusive. In addition to its operations in the Asia-Pacific region, ToddyCat has been linked with other threat groups targeting different regions and demographics. For instance, the China-linked Evasive Panda group has targeted Tibetan nationals in India and the United States, while ToddyCat has targeted groups in Vietnam and Taiwan. Despite the lack of standardized naming conventions in the cybersecurity industry, ToddyCat continues to be closely monitored due to its extensive and varied activities.