ToddyCat APT

Threat Actor Profile Updated 3 months ago
ToddyCat is an advanced persistent threat (APT) group whose operations focus on espionage: it infiltrates networks with loaders and Trojans, steals sensitive data, and moves laterally to reach and compromise further systems. Its toolset includes standard and tailored loaders, the Ninja and LoFiSe tools, a DropBox uploader, Pcexter, a passive UDP backdoor, and Cobalt Strike; the distinctive names given to these tools are one of the markers the industry uses to attribute activity to the group. A known initial access vector is the exploitation of unpatched, internet-facing Microsoft Exchange servers. On October 12, 2023, Kaspersky published an update on its tracking of ToddyCat describing a new toolset, data-theft malware, and lateral-movement techniques observed inside compromised networks. Because the group keeps replacing and extending its tooling, defenders cannot rely on a fixed set of indicators: the practical response is timely patching of Exchange and other perimeter software, and hunting for the loaders, uploaders, and backdoors named above rather than for any single sample.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following profiles may describe the same activity under another name.
ToddyCat (1 vote): ToddyCat is a sophisticated Advanced Persistent Threat (APT) actor, likely Chinese-speaking, that has been active since at least December 2020. It primarily operates in Asia, targeting government entities in Malaysia, Thailand, and Pakistan. In 2022, Kaspersky reported finding ToddyCat actors using
Miscellaneous Associations
Other contextual tags that may help assess relevance:
Backdoor
Malware
Lateral Move...
Loader
Associated Malware
Cobalt Strike (type unspecified, 1 vote): Cobalt Strike is a commercial adversary-simulation framework whose Beacon payload is widely abused by attackers and has been observed alongside IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. It is typically delivered through malicious downloads, emails, or websites, ofte
Associated Threat Actors
No associations to display.
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the ToddyCat APT threat actor was read from the following documents:
CERT-EU (9 months ago): ToddyCat APT Hackers Exploiting Vulnerable Microsoft Exchange Servers
CERT-EU (9 months ago): ToddyCat hackers use 'disposable' malware to target Asian telecoms