Researchers Unveil ToddyCat’s New Set of Tools for Data Exfiltration


Oct 13, 2023NewsroomAPT / Malware

The advanced persistent threat (APT) actor known as ToddyCat has been linked to a new set of malicious tools that are designed for data exfiltration, offering a deeper insight into the hacking crew’s tactics and capabilities.

The findings come from Kaspersky, which first shed light on the adversary last year, linking it to attacks against high-profile entities in Europe and Asia for nearly three years.

While the group’s arsenal prominently features Ninja Trojan and a backdoor called Samurai, further investigation has uncovered a whole new set of malicious software developed and maintained by the actor to achieve persistence, conduct file operations, and load additional payloads at runtime.

This comprises a collection of loaders that comes with capabilities to launch the Ninja Trojan as a second stage, a tool called LoFiSe to find and collect files of interest, a DropBox uploader to save stolen data to Dropbox, and Pcexter to exfiltrate archive files to Microsoft OneDrive.

ToddyCat has also been observed utilizing custom scripts for data collection, a passive backdoor that receives commands with UDP packets, Cobalt Strike for post-exploitation, and compromised domain admin credentials to facilitate lateral movement to pursue its espionage activities.


“We observed script variants designed solely to collect data and copy files to specific folders, but without including them in compressed archives,” Kaspersky said.

“In these cases, the actor executed the script on the remote host using the standard remote task execution technique. The collected files were then manually transferred to the exfiltration host using the xcopy utility and finally compressed using the 7z binary.”

The disclosure comes as Check Point revealed that government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 using a wide variety of “disposable” malware to evade detection and deliver next-stage malware.

The activity, per the cybersecurity firm, relies on infrastructure that overlaps with that used by ToddyCat.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites
Palo Alto Networks Warns About Critical Zero-Day in PAN-OS
Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing
Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks
Over 90,000 D-Link NAS Devices Are Under Attack

Leave a Reply

Your email address will not be published. Required fields are marked *