Toddycat

Threat Actor Profile Updated a month ago
ToddyCat is a sophisticated Advanced Persistent Threat (APT) actor, likely Chinese-speaking, that has been active since at least December 2020. It primarily operates in Asia, targeting government entities in Malaysia, Thailand, and Pakistan. In 2022, Kaspersky reported finding ToddyCat actors using two new malware tools named Samurai and Ninja to distribute China Chopper—a known commodity Web shell used in Microsoft Exchange Server attacks—on systems belonging to victims in Asia and Europe. There's speculation that ToddyCat might have targeted ProxyLogon vulnerabilities even before February 2021, but no concrete evidence has been found yet. The group employs a variety of tools to maintain persistent remote access to compromised networks, including establishing multiple tunnels using different tools. Approximately ten minutes after infection, the tool dubbed "ToddyCat Ninja" was detected on the system. Other tools include "TomBerBil," which steals passwords from Chrome and Edge browsers, "WAExp," which collects browser data from the web version of WhatsApp, and "Cuthead," which searches for files with specific extensions or words on the victim network and stores them in an archive. The group also uses a fast reverse proxy client to enable access from the Internet to servers behind a firewall or Network Address Translation (NAT) mechanism. Kaspersky's latest investigation into ToddyCat's activities shows the threat actor's tactic of securing constant access to the infrastructure, enabling them to perform reconnaissance and connect to remote hosts. This continuous monitoring of the APT group ToddyCat reveals their ongoing commitment to evolving their techniques and maintaining their malicious activity. Their advanced capabilities, coupled with their persistent approach, make them a significant threat to cybersecurity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Toddycat Apt | 1 | The ToddyCat APT (Advanced Persistent Threat) is a threat actor group that conducts espionage by infiltrating networks with loaders and Trojans. This group utilizes a variety of tools, including standard loaders, tailored loader, Ninja LoFiSe, DropBox uploader, Pcexter, Passive UDP backdoor, and Cob
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Espionage
Exploit
Backdoor
Trojan
Loader
Payload
Tool
Asia
Chinese
Web Shell
Proxy
Government
Phishing
Lateral Move...
Reconnaissance
Whatsapp
Asian
Chrome
Checkpoint
Kaspersky
Vulnerability
Associated Malware
ID | Type | Votes | Profile Description
Curkeep | has used | 1 | CurKeep is a malware that was first discovered in 2021 as part of an espionage campaign known as "Stayin' Alive". This campaign targeted the telecommunications industry and governments in Vietnam, Uzbekistan, and Kazakhstan. The attack chain began with a spear-phishing email containing a ZIP file at
Shellbot | Unspecified | 1 | ShellBot is a malicious software (malware) that has been targeting poorly managed Linux SSH servers. The malware, which was detected in multiple variants, is primarily being used to carry out distributed denial-of-service (DDoS) attacks. ShellBot exploits the Cacti bug and uses it as a primary lever
China Chopper | Unspecified | 1 | China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated
Cobaltstrike | has used | 1 | CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Proxylogon | Unspecified | 1 | ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
CVE-2022-23748 | Unspecified | 1 | CVE-2022-23748 is a software vulnerability, specifically a flaw in the design or implementation of Audinate's Dante Discovery software. This vulnerability allows for malicious exploitation via DLL side-loading schemes, where the affected software, due to its flawed design, loads and executes a malic
Source Document References
Information about the Toddycat Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securelist | 2 months ago | QakBot attacks with Windows zero-day (CVE-2024-30051)
Securelist | 2 months ago | 2023 Kaspersky Incident Response report
DARKReading | 3 months ago | ToddyCat APT Is Stealing Data on 'Industrial Scale'
Securelist | 3 months ago | ToddyCat’s traffic tunneling and data extraction tools
CERT-EU | 9 months ago | ‘Stayin’ Alive’ cyber espionage campaign targets telecoms, governments in Asia
CERT-EU | a year ago | APT trends report Q2 2023 – GIXtools
CERT-EU | 9 months ago | Cyber Security Week in Review: October 13, 2023
Securelist | 9 months ago | ToddyCat: Keep calm and check logs
CERT-EU | 9 months ago | Researchers Uncover Ongoing Attacks Targeting Asian Governments and Telecom Giants
CERT-EU | 9 months ago | Water cybersecurity regulations withdrawn
CERT-EU | 9 months ago | Chinese ‘Stayin’ Alive’ Attacks Dance Onto Targets With Dumb Malware
InfoSecurity-magazine | 8 months ago | Signature Techniques of Asian APT Groups Revealed
CERT-EU | 9 months ago | Les dernières cyberattaques (24 octobre 2023)
InfoSecurity-magazine | 9 months ago | QuasarRAT Deploys Advanced DLL Side-Loading Technique
Securityaffairs | 9 months ago | Security Affairs newsletter Round 442 by Pierluigi Paganini
Securelist | 9 months ago | Updated MATA attacks industrial companies in Eastern Europe
CERT-EU | 9 months ago | Novel RomCom RAT variant used in attacks against female political leaders
Securityaffairs | 9 months ago | Security Affairs newsletter Round 441 by Pierluigi Paganini
CERT-EU | 9 months ago | Guardians of the Hackers Galaxy: Unlock the tool of ToddyCat’s Group
CERT-EU | 9 months ago | SeroXen RAT distributed via malicious NuGet package