ToddyCat

  • First known sample

    2020

  • Discovery

    2022

  • Number of targets

    1-100

  • Current status

    Сonsidered active

  • Type

    APT

  • Targeted platforms

    Windows

  • TOP targeted countries

    Afghanistan , India , Indonesia , Iran , Kyrgyzstan , Malaysia , Nepal , Pakistan , Russia , Taiwan , Thailand , The United Kingdom , Uzbekistan , Vietnam
TODDYCAT

More about the ToddyCat group, its tactics, techniques, procedures and tools

Learn more

  • The way of propagation

    Exploits , Social engineering

  • Purpose/Functions

    Cyberespionage

  • Targets

    Government entities , Military
  • Implant

    Samurai, ChinaChopper and Ninja post exploitation toolkit

  • Description

    ToddyCat is a relatively new sophisticated APT group, the activity of which was first detected by Kaspersky researchers in December 2020 when it carried out a number of attacks on the targets’ Microsoft Exchange servers. In February-March 2021, Kaspersky observed a quick escalation as ToddyCat started to abuse the ProxyLogon vulnerability on Microsoft Exchange Servers to compromise multiple organizations across Europe and Asia. Starting from September 2021 the group shifted its attention to desktop machines related to government and diplomatic entities in Asia. The group constantly updates its arsenal and continued to perform attacks in 2022.

    APT ToddyCat

© 2024 AO Kaspersky Lab. All Rights Reserved. Privacy Policy Cookies
  1. Adding detection for known modules
  2. Collecting samples
  3. Reversing the samples
  4. Decrypting sophisticated encryption and compression schemes
  5. Understanding lateral movement
  6. Outlining multiple attack stages in the correct order
  7. Mapping C&C infrastructure
  8. Setting up sinkholes
  9. Analyzing collected traffic and communication protocols
  10. Crawling other hosts that understand the same protocol
  11. Taking down and acquiring images of C&C servers
  12. Identifying victims, sending out notifications to victims and global CERTs
  13. Applying forensic analysis and extracting logs, stolen files, other components
  14. Collecting and analyzing data from KSN, C&C servers, individual victims who are willing to work with us, sinkholes, crawlers, etc.
  15. Writing a comprehensive report
Read more
Mitigation is where enterprises need to start, prevention being significantly more effective and more cost-efficient than remediation after an attack Read more
For any inquiries, please contact apt.securelist@kaspersky.com If you are looking for more detailed information about an APT, please contact intelreports@kaspersky.com