ToddyCat, a sophisticated APT group that first attracted attention in December 2020 due to its high-profile attacks on organizations in Europe and Asia, continues to be a formidable threat. Initially, Kaspersky's report focused on ToddyCat's primary tools, the Ninja Trojan and Samurai Backdoor, as well as the loaders used to launch these malicious payloads. Since then, Kaspersky's experts have created special signatures to monitor the actor's malicious activity. One of these signatures produced a detection on a system, and the researchers started a new investigation that led to the discovery of ToddyCat's new tools.

In the past year, Kaspersky researchers have uncovered a new generation of loaders developed by ToddyCat, underscoring the group's relentless efforts to refine their attack techniques. These loaders play a pivotal role during the infection phase, enabling the deployment of the Ninja Trojan. Intriguingly, ToddyCat occasionally substitutes the standard loaders with a tailored variant, customized for specific target systems. This tailored loader exhibits similar functionality but distinguishes itself by its unique encryption scheme, which takes into account system-specific attributes such as the drive model and volume GUID (globally unique identifier).

To maintain long-term persistence on compromised systems, ToddyCat employs various techniques, including the creation of a registry key and a corresponding service. This ensures that the malicious code is loaded during system startup, a tactic reminiscent of the methods used by the group's Samurai backdoor.

Kaspersky's investigation has uncovered additional tools and components used by ToddyCat, including Ninja, a versatile agent with functions like process management, file system control, reverse shell sessions, code injection, and network traffic forwarding. They also employ LoFiSe for finding specific files, DropBox Uploader for data uploads to Dropbox, Pcexter for exfiltrating archive files to OneDrive, a Passive UDP Backdoor for persistence, and CobaltStrike as a loader that communicates with a specific URL, often preceding Ninja deployment. These findings reveal ToddyCat's extensive toolkit.

These latest findings confirm ToddyCat's relentless pursuit of espionage-driven objectives, illuminating how the group infiltrates corporate networks, conducts lateral movement, and gathers valuable information. ToddyCat utilizes an array of tactics, encompassing discovery activities, domain enumeration, and lateral movement, all with a singular focus on achieving their espionage goals.

"ToddyCat isn't just breaking into systems; they're setting up long-term operations to collect valuable information over an extended period, all while adapting to new conditions to remain undetected. Their advanced tactics and adaptability make it clear that this isn't a hit-and-run. Organizations need to recognize that the threat landscape has evolved; it's not just about defense anymore, but about ongoing vigilance and adaptability. To stay secure, it's crucial to invest in top-notch security solutions and have access to the latest findings in threat intelligence," says Giampaolo Dedola, lead security researcher at GReAT.

For further insights into ToddyCat's activities, please visit

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

· Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company's TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.

· Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.

· For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.

· In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.

· As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform.

Kaspersky reveals evolving tactics of ToddyCat APT group in ongoing cyber espionage campaigns

Cybersecurity researchers at Kaspersky have uncovered significant developments in the activities of the ToddyCat Advanced Persistent Threat (APT) group, shedding light on the group's evolving strategies and revealing a fresh set of loaders designed to facilitate its malicious operations. Moreover, during the investigation a new set of malware deployed by ToddyCat was uncovered: the actor uses it to collect files of interest and exfiltrate them to public and legitimate file hosting services. These findings highlight the increasing weight of cyber espionage and the adaptability of APT groups in evading detection.