ToddyCat
Overview
ToddyCat is a sophisticated threat group, active since at least 2020, that uses custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.
Targets
Government · Military
Regions
Afghanistan · India · Indonesia · Iran · Kyrgyzstan · Malaysia · Pakistan · Russia · Slovakia · Taiwan · Thailand · United Kingdom · Uzbekistan · Vietnam
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — 6 attributed custom malware families
TTPs — 25 techniques across 9 tactics
Initial Access
- T1190 Exploit Public-Facing Application
- T1566.003 Spearphishing via Service
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1106 Native API
Stealth
- T1036.005 Match Legitimate Resource Name or Location
- T1078.002 Domain Accounts
- T1564.003 Hidden Window
Defense Impairment
Discovery
- T1018 Remote System Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1069.002 Domain Groups
- T1083 File and Directory Discovery
- T1087.002 Domain Account
- T1518.001 Security Software Discovery
- T1680 Local Storage Discovery
Lateral Movement
- T1021.002 SMB/Windows Admin Shares
Collection
- T1005 Data from Local System
- T1074.002 Remote Data Staging
- T1560.001 Archive via Utility
Command and Control
Exfiltration
- T1567.002 Exfiltration to Cloud Storage
Tools & malware (9)
Cobalt Strike · LoFiSe · China Chopper · netstat · Ping · Pcexter · Net · Samurai · Ninja
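Detection logic for the discovery, persistence and staging techniques listed above (T1018/T1049/T1057/T1069.002/T1087.002 via the net, netstat and ping utilities in the tool list, T1047, T1053.005, T1560.001, T1021.002/T1074.002), added here as an example; it is not code from threatfilter.dev or from the cited Kaspersky reports. It runs a few hand-written rules over constructed Sysmon-style process-creation events. The hostnames, paths, task name, archive password, time window and thresholds are invented, and the command-line patterns are illustrative starting points, not tested signatures for any ToddyCat sample.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events: (host, seconds since epoch, command line).
# Hosts, paths, task name and password are invented for this example.
SAMPLE_EVENTS = [
    ("WS-01", 100, 'net group "Domain Admins" /domain'),
    ("WS-01", 101, "net user /domain"),
    ("WS-01", 103, "netstat -ano"),
    ("WS-01", 104, "tasklist /v"),
    ("WS-01", 106, "ping -n 1 FS-02"),
    ("WS-01", 110, 'wmic /node:FS-02 process call create "cmd.exe /c whoami"'),
    ("WS-01", 400, r'schtasks /create /tn "Updater" /tr "C:\ProgramData\svc.exe" /sc minute /mo 10 /ru SYSTEM'),
    ("WS-01", 900, r"7z.exe a -pS3cret C:\Users\Public\out.7z C:\Users\alice\Documents"),
    ("WS-01", 905, r"copy C:\Users\Public\out.7z \\FS-02\C$\ProgramData\out.7z"),
    ("WS-07", 200, "ping -n 1 intranet.corp"),  # benign: one lookup, no chain
]

# Command-line patterns mapped to the ATT&CK IDs listed for the group.
# Matching is case-insensitive and deliberately loose; tune to your estate.
RULES = [
    (r"^net\s+group\b.*\s/domain",              "T1069.002"),  # Domain Groups
    (r"^net\s+user\b.*\s/domain",               "T1087.002"),  # Domain Account
    (r"^netstat\b",                             "T1049"),      # Network Connections Discovery
    (r"^tasklist\b",                            "T1057"),      # Process Discovery
    (r"^ping\b",                                "T1018"),      # Remote System Discovery
    (r"^wmic\b.*\bprocess\s+call\s+create\b",   "T1047"),      # WMI remote execution
    (r"^schtasks\b.*\s/create\b",               "T1053.005"),  # Scheduled Task
    (r"^(7z|rar|winrar)(\.exe)?\s+a\b",         "T1560.001"),  # Archive via Utility
    (r"\\\\[^\\]+\\(admin|c)\$\\",              "T1021.002"),  # SMB/Windows Admin Shares
    (r"\b(copy|xcopy|move)\b.*\\\\[^\\]+\\",    "T1074.002"),  # Remote Data Staging
]
DISCOVERY = {"T1018", "T1049", "T1057", "T1069.002", "T1087.002"}


def classify(cmdline: str) -> list:
    """Return the ATT&CK IDs whose pattern matches the command line."""
    return [tid for pat, tid in RULES if re.search(pat, cmdline, re.IGNORECASE)]


@dataclass
class HostFindings:
    techniques: set = field(default_factory=set)   # every technique seen on the host
    timeline: list = field(default_factory=list)   # (timestamp, technique) in time order
    alerts: list = field(default_factory=list)


def analyze(events, window=300, min_discovery=3):
    """Per host: (a) alert when >= min_discovery distinct discovery techniques
    occur within `window` seconds, (b) alert on scheduled-task persistence,
    (c) alert when an archive utility run is followed by a copy to an admin
    share (the archive-then-stage pattern). Single routine admin commands
    such as one ping do not alert on their own."""
    by_host = {}
    for host, ts, cmd in sorted(events, key=lambda e: (e[0], e[1])):
        f = by_host.setdefault(host, HostFindings())
        for tid in classify(cmd):
            f.techniques.add(tid)
            f.timeline.append((ts, tid))

    for host, f in by_host.items():
        disc = [(ts, t) for ts, t in f.timeline if t in DISCOVERY]
        for i, (t0, _) in enumerate(disc):
            seen = {t for ts, t in disc[i:] if ts - t0 <= window}
            if len(seen) >= min_discovery:
                f.alerts.append(f"discovery burst: {len(seen)} techniques within {window}s from t={t0}")
                break
        if "T1053.005" in f.techniques:
            f.alerts.append("persistence: scheduled task created (T1053.005)")
        archive_ts = [ts for ts, t in f.timeline if t == "T1560.001"]
        share_ts = [ts for ts, t in f.timeline if t == "T1021.002"]
        if archive_ts and any(s >= min(archive_ts) for s in share_ts):
            f.alerts.append("staging: archive created then copied to admin share (T1560.001 -> T1074.002/T1021.002)")
    return by_host


if __name__ == "__main__":
    for host, f in analyze(SAMPLE_EVENTS).items():
        print(host, sorted(f.techniques))
        for a in f.alerts:
            print("  ALERT", a)
```

The discovery rule keys on several distinct discovery techniques from one host inside a short window rather than on any single command, because net, netstat and ping are routine administrative tools and alerting on each would drown the queue; the staging rule likewise needs the archive run and the copy to a `C$`/`ADMIN$` share in sequence. Both thresholds and the rule set are assumptions to adjust against real telemetry.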
Reporting (2)
- ToddyCat: Keep calm and check logs — Dedola, G. et al
- APT ToddyCat — Dedola, G