ToddyCat
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 2 reports, 54 attack patterns (MITRE), 12 malware, 1 sector, 13 countries, 73 indicators, 3 tools
Description
Marking (TLP)
TLP:CLEAR
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
- 3 MITREs 1 APT
- 2 Malwares 1 APT
Attack patterns (MITRE) (54)
- T1055: Process Injection (uses, MITRE)
- T1003: OS Credential Dumping (uses, MITRE)
- T1059.001: PowerShell (uses, MITRE)
- T1078.002: Domain Accounts (uses, MITRE)
- T1547: Boot or Logon Autostart Execution (uses, MITRE)
- T1036.005: Match Legitimate Resource Name or Location (uses, MITRE)
- T1095: Non-Application Layer Protocol (uses, MITRE)
- T1018: Remote System Discovery (uses, MITRE)
- T1190: Exploit Public-Facing Application (uses, MITRE)
- T1047: Windows Management Instrumentation (uses, MITRE)
- T1102: Web Service (uses, MITRE)
Malware (12)
- Ninja (uses)
- Pcexter (uses, Family), The MITRE Corporation, Confidence 100
  [Pcexter](https://attack.mitre.org/software/S1102) is an uploader that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to exfiltrate stolen files.(Citation: Kaspersky ToddyCat Check Logs October 2023)
  First seen 01/01/1970 · Last seen 16/11/5138
- Cobalt Strike (uses, Family)
- cuthead (uses)
- HackTool:MSIL/Ninja (uses)
- China Chopper (uses, Family)
- TomBerBil (uses), AlienVault, Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- Samurai (uses)
- EDRSandBlast (uses, Family)
- TCESB (uses, Family)
- LoFiSe (uses)
- WAExp (uses)
Sectors (1)
- Telecommunications (targets)
Countries (13)
- Taiwan (targets)
- Viet Nam (targets)
- Uzbekistan (targets)
- Kazakhstan (targets)
- Pakistan (targets)
- Slovakia (targets)
- United Kingdom of Great Britain and Northern Ireland (targets)
- India (targets)
- Thailand (targets)
- Russian Federation (targets)
- Iran, Islamic Republic of (targets)
- Afghanistan (targets)
Indicators (73)
Tool (3)
- Net (uses), The MITRE Corporation, Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- netstat (uses), The MITRE Corporation, Confidence 100
  [netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
- Ping (uses), The MITRE Corporation, Confidence 100
  [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)