ToddyCat
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 2 reports, 54 attack patterns (MITRE), 12 malware, 1 sector, 13 countries, 73 indicators, 3 tools
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
- 3 MITREs, 1 APT
- 2 Malwares, 1 APT
Attack patterns (MITRE) (54)
- T1027 Obfuscated Files or Information (uses, MITRE)
- T1106 Native API (uses, MITRE)
- T1560.002 Archive via Library (uses, MITRE)
- T1140 Deobfuscate/Decode Files or Information (uses, MITRE)
- T1566 Phishing (uses, MITRE)
- T1021.002 SMB/Windows Admin Shares (uses, MITRE)
- T1059 Command and Scripting Interpreter (uses, MITRE)
- T1211 (MITRE)
- T1036 Masquerading (uses, MITRE)
- T1567.002 Exfiltration to Cloud Storage (uses, MITRE)
- T1082 System Information Discovery (uses, MITRE)
Malware (12)
- Ninja (uses; family; source: The MITRE Corporation; confidence 100)
  [Ninja](https://attack.mitre.org/software/S1100) is a malware developed in C++ that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) to penetrate networks and control remote systems since at least 2020. [Ninja](https://attack.mitre.org/software/S1100) is possibly part…
  First seen 01/01/1970 · Last seen 16/11/5138
- Pcexter (uses; family; source: The MITRE Corporation; confidence 100)
  [Pcexter](https://attack.mitre.org/software/S1102) is an uploader that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to exfiltrate stolen files. (Citation: Kaspersky ToddyCat Check Logs October 2023)
  First seen 01/01/1970 · Last seen 16/11/5138
- Cobalt Strike (uses; family; source: The MITRE Corporation; confidence 100)
  [Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced…
  First seen 01/01/1970 · Last seen 16/11/5138
- cuthead (uses; source: AlienVault; confidence 100)
  First seen 01/01/1970 · Last seen 16/11/5138
- HackTool:MSIL/Ninja (uses; source: AlienVault; confidence 100)
  First seen 01/01/1970 · Last seen 16/11/5138
- China Chopper (uses; family; source: The MITRE Corporation; confidence 100)
  [China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back…
  First seen 01/01/1970 · Last seen 16/11/5138
- TomBerBil (uses; source: AlienVault; confidence 100)
  First seen 01/01/1970 · Last seen 16/11/5138
- Samurai (uses; family; source: The MITRE Corporation; confidence 100)
  [Samurai](https://attack.mitre.org/software/S1099) is a passive backdoor that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2020. [Samurai](https://attack.mitre.org/software/S1099) allows arbitrary C# code execution and is used with multiple modules for…
  First seen 01/01/1970 · Last seen 16/11/5138
- EDRSandBlast (uses; source: AlienVault; confidence 100)
  First seen 01/01/1970 · Last seen 16/11/5138
- TCESB (uses; source: AlienVault; confidence 100)
  First seen 01/01/1970 · Last seen 16/11/5138
- LoFiSe (uses; family; source: The MITRE Corporation; confidence 100)
  [LoFiSe](https://attack.mitre.org/software/S1101) has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to identify and collect files of interest on targeted systems. (Citation: Kaspersky ToddyCat Check Logs October 2023)
  First seen 01/01/1970 · Last seen 16/11/5138
- WAExp (uses; source: AlienVault; confidence 100)
  First seen 01/01/1970 · Last seen 16/11/5138
Sectors (1)
- Telecommunications (targets)
Countries (13)
- Taiwan (targets)
- Viet Nam (targets)
- Uzbekistan (targets)
- Kazakhstan (targets)
- Pakistan (targets)
- Slovakia (targets)
- United Kingdom of Great Britain and Northern Ireland (targets)
- India (targets)
- Thailand (targets)
- Russian Federation (targets)
- Iran, Islamic Republic of (targets)
- Afghanistan (targets)
Indicators (73)
- 93e9237afaff14c6b9a24cf7275e9d66bc95af8a0cc93db2a68b47cbbca4c347 (indicates)
- 357d198131905900bc8fd308add72d9ef1f29e937622cac677d337bce3a81bc4 (indicates)
- caa9fdda2776f681ec294ffeded04723107cf754a2889c3fbb5bc7c743d897c1 (indicates)
- fopingu.com (indicates)
- 12a7b9fa57719109b7f5d081cbe032320a59a7d57eef2dcd2cd4fe2b909162dc (indicates)
- 409948cbbeaf051a41385d2e2bc32fc1e59789986852e608124b201d079e5c3c (indicates)
- a54e0352653146371efd727ca00110577f8e750e92101462e246f99d435b6172 (indicates)
- 877579185a72fbaf1afa78d3c50dbab187780d545d5375ba4c29147083176697 (indicates)
- qform3d.in (indicates)
- raw.gitbusercontent.com (indicates)
  stix 100/100 · Revoked · Valid until 26/07/2025 · Source: AlienVault
- 6f3de35c531993aa307729e2046ff7aa672f5058b7e0fc6557bbd4c500fb46e7 (indicates)
Tools (3)
- Net (uses; source: The MITRE Corporation; confidence 100)
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- netstat (uses; source: The MITRE Corporation; confidence 100)
  [netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
- Ping (uses; source: The MITRE Corporation; confidence 100)
  [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)