ToddyCat
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 2 reports, 54 attack patterns (MITRE), 12 malware, 1 sector, 13 countries, 73 indicators, 3 tools
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
- 3 MITREs 1 APT
- 2 Malwares 1 APT
Attack patterns (MITRE) (54)
- T1027 · uses · Obfuscated Files or Information · MITRE
- T1106 · uses · Native API · MITRE
- T1560.002 · uses · Archive via Library · MITRE
- T1140 · uses · Deobfuscate/Decode Files or Information · MITRE
- T1566 · uses · Phishing · MITRE
- T1021.002 · uses · SMB/Windows Admin Shares · MITRE
- T1059 · uses · Command and Scripting Interpreter · MITRE
- T1211 · MITRE
- T1036 · uses · Masquerading · MITRE
- T1567.002 · uses · Exfiltration to Cloud Storage · MITRE
- T1082 · uses · System Information Discovery · MITRE
Malware (12)
- Ninja · uses
- Pcexter · uses · Family · The MITRE Corporation · Confidence 100
  [Pcexter](https://attack.mitre.org/software/S1102) is an uploader that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to exfiltrate stolen files. (Citation: Kaspersky ToddyCat Check Logs October 2023)
  First seen 01/01/1970 · Last seen 16/11/5138
- Cobalt Strike · uses · Family
- cuthead · uses
- HackTool:MSIL/Ninja · uses
- China Chopper · uses · Family
- TomBerBil · uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- Samurai · uses
- EDRSandBlast · uses · Family
- TCESB · uses · Family
- LoFiSe · uses
- WAExp · uses
Sectors (1)
- Telecommunications · targets
Countries (13)
- Taiwan · targets
- Viet Nam · targets
- Uzbekistan · targets
- Kazakhstan · targets
- Pakistan · targets
- Slovakia · targets
- United Kingdom of Great Britain and Northern Ireland · targets
- India · targets
- Thailand · targets
- Russian Federation · targets
- Iran, Islamic Republic of · targets
- Afghanistan · targets
Indicators (73)
Tool (3)
- Net · uses · The MITRE Corporation · Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- netstat · uses · The MITRE Corporation · Confidence 100
  [netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
- Ping · uses · The MITRE Corporation · Confidence 100
  [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)