Introduction
ToddyCat is a sophisticated threat group that has been active since at least 2020. It uses custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia [2][3].
Activities and Tactics
Targeted Sectors: Military, Government
Country of Origin: China
Suspected Victims: Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Taiwan…
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1686 Disable or Modify System Firewall
- T1005 Data from Local System
- T1069.002 Domain Groups
- T1053.005 Scheduled Task
- T1566.003 Spearphishing via Service
- T1087.002 Domain Account
- T1095 Non-Application Layer Protocol
- T1078.002 Domain Accounts
- T1106 Native API
- T1057 Process Discovery
- T1018 Remote System Discovery
- T1049 System Network Connections Discovery
- T1021.002 SMB/Windows Admin Shares
- T1059.003 Windows Command Shell
- T1190 Exploit Public-Facing Application
- T1567.002 Exfiltration to Cloud Storage
- T1518.001 Security Software Discovery
- T1059.001 PowerShell
- T1564.003 Hidden Window
- T1083 File and Directory Discovery
- T1074.002 Remote Data Staging
- T1047 Windows Management Instrumentation
- T1036.005 Match Legitimate Resource Name or Location
- T1680 Local Storage Discovery
- T1560.001 Archive via Utility
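One way to turn the technique list above into a log hunt, as an added example that is not code from Kaspersky, MITRE or the actor: the script below maps a handful of the listed techniques (scheduled task creation, PowerShell with a hidden window, WMI process creation, archiving with a utility, admin-share access and a connection to a cloud storage domain) to simple Windows Security/Sysmon event predicates and flags hosts where several fire within an hour. Hostnames, timestamps, field names and log contents are constructed; the matchers encode the generic ATT&CK technique behaviours, not any ToddyCat-specific indicator, and the discovery techniques (netstat, net, ping) are deliberately left out because they are too noisy on their own.

```python
"""Hunt for several of the ATT&CK techniques listed above across a small,
constructed set of Windows Security/Sysmon-style events.

Added example (standard library only); not ToddyCat tooling or a published
detection. Every event, host name and field value below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed sample events: (host, ISO timestamp, event id, fields).
# 4688 = process creation, 4698 = scheduled task created,
# 5145 = network share object checked (Security log); 3 = Sysmon network connection.
SAMPLE_EVENTS = [
    ("ws-07", "2023-10-12T08:01:10", 4688,
     {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
      "cmdline": r"powershell.exe -WindowStyle Hidden -ep bypass -f c:\temp\up.ps1"}),
    ("ws-07", "2023-10-12T08:02:30", 4698,
     {"task_name": r"\Microsoft\Windows\Update\Sync"}),
    ("ws-07", "2023-10-12T08:03:05", 4688,
     {"image": r"C:\Program Files\7-Zip\7z.exe",
      "cmdline": r"7z.exe a c:\temp\out.7z c:\users\j\documents"}),
    ("ws-07", "2023-10-12T08:04:00", 5145,
     {"share": r"\\*\ADMIN$", "relative_target": r"temp\out.7z"}),
    ("ws-07", "2023-10-12T08:05:00", 3,
     {"image": r"C:\Windows\System32\svchost.exe", "dest_host": "api.dropbox.com"}),
    # A second host with a lone archiver run: normal admin activity, no finding.
    ("ws-12", "2023-10-12T09:00:00", 4688,
     {"image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": "7z.exe a backup.7z photos"}),
    ("ws-12", "2023-10-12T09:05:00", 4688,
     {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"}),
]

ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "makecab.exe"}
ADMIN_SHARES = {"admin$", "c$", "ipc$"}
CLOUD_STORAGE = ("dropbox.com", "drive.google.com", "onedrive.live.com", "mega.nz")


def match_techniques(event_id, fields):
    """Return the technique IDs (from the list above) that one event satisfies."""
    hits = set()
    image = ntpath.basename(fields.get("image", "")).lower()
    cmd = fields.get("cmdline", "").lower()
    if event_id == 4698:                                   # T1053.005 Scheduled Task
        hits.add("T1053.005")
    if event_id == 4688:
        if image in ARCHIVERS and " a " in f" {cmd} ":     # 'a' = add-to-archive verb
            hits.add("T1560.001")                          # Archive via Utility
        if image == "powershell.exe":
            hits.add("T1059.001")                          # PowerShell
            if "-w hidden" in cmd or "-windowstyle hidden" in cmd:
                hits.add("T1564.003")                      # Hidden Window
        if image == "wmic.exe" and "process call create" in cmd:
            hits.add("T1047")                              # WMI
    if event_id == 5145 and fields.get("share", "").lower().rsplit("\\", 1)[-1] in ADMIN_SHARES:
        hits.add("T1021.002")                              # SMB/Windows Admin Shares
    if event_id == 3 and fields.get("dest_host", "").lower().endswith(CLOUD_STORAGE):
        hits.add("T1567.002")                              # Exfiltration to Cloud Storage
    return hits


def hunt(events, min_techniques=3, window=timedelta(hours=1)):
    """Report hosts on which at least `min_techniques` distinct techniques
    fire within `window`. A single archiver run or PowerShell launch is
    routine; several of these techniques on one host in a short span is
    what justifies pulling that host's full logs for review."""
    per_host = defaultdict(list)
    for host, ts, event_id, fields in events:
        for tid in match_techniques(event_id, fields):
            per_host[host].append((datetime.fromisoformat(ts), tid))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {tid for t, tid in hits[i:] if t - start <= window}
            if len(in_window) >= min_techniques:
                findings[host] = sorted(in_window)
                break
    return findings


if __name__ == "__main__":
    for host, tids in hunt(SAMPLE_EVENTS).items():
        print(host, ", ".join(tids))
```

The threshold and window are the knobs to tune: the point of correlating across techniques rather than alerting on each one is that every matcher above fires on legitimate administration when taken alone.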
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
ToddyCat's toolset as documented on this page consists of custom loaders and backdoors used in multi-stage infection chains, alongside shared offensive tooling and built-in Windows utilities; the attributable entries are listed under MITRE ATT&CK Software below.
MITRE ATT&CK Software
- Cobalt Strike (S0154): malware
- LoFiSe (S1101): malware
- China Chopper (S0020): malware
- netstat (S0104): tool
- Ping (S0097): tool
- Pcexter (S1102): malware
- Net (S0039): tool
- Samurai (S1099): malware
- Ninja (S1100): malware
Attribution and Evidence
Country of Origin: China
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK, ToddyCat group entry.
[2] Dedola, G. (2022, June 21). APT ToddyCat. Kaspersky. Retrieved January 3, 2024.
[3] Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Kaspersky. Retrieved January 3, 2024.