ToddyCat
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 2 reports, 54 attack patterns (MITRE), 12 malware, 1 sector, 13 countries, 73 indicators, 3 tools
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
- 3 MITREs 1 APT
- 2 Malwares 1 APT
Attack patterns (MITRE) (54)
- T1574 uses Hijack Execution Flow (MITRE)
- T1564.003 uses Hidden Window (MITRE)
- T1555.003 uses Credentials from Web Browsers (MITRE)
- T1518.001 uses Security Software Discovery (MITRE)
- T1073 uses
- T1574.002 uses
- T1550.001 uses Application Access Token (MITRE)
- T1057 uses Process Discovery (MITRE)
- T1069.002 uses Domain Groups (MITRE)
- T1053.005 uses Scheduled Task (MITRE)
- T1005 uses Data from Local System (MITRE)
- T1560.001 uses Archive via Utility (MITRE)
Malware (12)
- Ninja uses
- Pcexter uses (Family; source: The MITRE Corporation; confidence 100)
  [Pcexter](https://attack.mitre.org/software/S1102) is an uploader that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to exfiltrate stolen files. (Citation: Kaspersky ToddyCat Check Logs October 2023)
- Cobalt Strike uses (Family)
- cuthead uses
- HackTool:MSIL/Ninja uses
- China Chopper uses (Family)
- TomBerBil uses (source: AlienVault; confidence 100)
- Samurai uses
- EDRSandBlast uses (Family)
- TCESB uses (Family)
- LoFiSe uses
- WAExp uses
Sectors (1)
- Telecommunications (targets)
Countries (13)
- Malaysia (targets)
Indicators (73)
- rtmcsync.com (indicates)
- 1609f8ca52b30517ba17160acb9db9bf43d308907cbca9cea62ada76215e86c5 (indicates)
- proxy.rtmcsync.com (indicates)
- 8e2cd616286a13df82c9639d84e90a3927161000c8204905f338f3a79fe73d13 (indicates)
  STIX · 100/100 · Revoked · Valid until 26/07/2025 · Source: AlienVault
- d94ed414dbfb9bbcba42e3bf2db3b76eb8172b03133d1745d6abcde6f9edbaa7 (indicates)
- eohsdnsaaojrhnqo.windowshost.us (indicates)
- ns01.nayatel.orinafz.com (indicates)
- certexvpn.com (indicates)
- 462c85f6972da64af08f52a4c2f3a03bcd40fdf29b29b01631bff643cd9d906a (indicates)
- qaq2.machineaccountquota.com (indicates)
Tool (3)
- Net uses (source: The MITRE Corporation; confidence 100)
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- netstat uses (source: The MITRE Corporation; confidence 100)
  [netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
- Ping uses (source: The MITRE Corporation; confidence 100)
  [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)