{ "id": "16573fa8-d106-470d-921d-a65166c653df", "created_at": "2026-04-06T00:06:35.858765Z", "updated_at": "2026-04-10T03:33:16.31552Z", "deleted_at": null, "sha1_hash": "21ec47f01bd3c04d90307f0767196cb5429d6aea", "title": "Microsoft Exchange servers hacked by new ToddyCat APT gang", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1767244, "plain_text": "Microsoft Exchange servers hacked by new ToddyCat APT gang\r\nBy Sergiu Gatlan\r\nPublished: 2022-06-21 · Archived: 2026-04-05 13:26:23 UTC\r\nAn advanced persistent threat (APT) group dubbed ToddyCat has been targeting Microsoft Exchange servers throughout\r\nAsia and Europe for more than a year, since at least December 2020.\r\nWhile tracking the group's activity, security researchers with Kaspersky's Global Research \u0026 Analysis Team (GReAT) have\r\nalso found a previously unknown passive backdoor they named Samurai and new trojan malware dubbed Ninja Trojan.\r\nBoth malware strains allow the attackers to take control of infected systems and move laterally within the victims' networks. \r\nhttps://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nToddyCat's attacks have also been spotted in the past by Slovak cybersecurity firm ESET, who has been tracking them as a\r\ncluster of activity they dubbed Websiic starting with March 2021.\r\nAt the time, the hacking group exploited the ProxyLogon Exchange flaws that allowed them to gain remote code execution\r\non vulnerable servers to deploy China Chopper web shells.\r\nAlthough not very active until February 2021, they quickly escalated their attacks after starting to scan for and target\r\nunpatched Microsoft Exchange servers across Europe and Asia with ProxyLogon exploits.\r\nToddyCat attack flow (Kaspersky)\r\nWaves of attacks against Exchange servers and desktop systems\r\n\"We suspect that this group started exploiting the Microsoft Exchange vulnerability in December 2020, but unfortunately,\r\nwe don't have sufficient information to confirm the hypothesis,\" Kaspersky security researcher Giampaolo Dedola said.\r\n\"In any case, it's worth noting that all the targeted machines infected between December and February were Microsoft\r\nWindows Exchange servers; the attackers compromised the servers with an unknown exploit, with the rest of the attack\r\nchain the same as that used in March.\"\r\nThe group's favorite targets are high-profile organizations, including government and military entities, as well as military\r\ncontractors.\r\nWhile the first attacks wave of attacks (between December 2020 and February 2021) only targeted a small number of\r\ngovernment organizations in Vietnam and Taiwan, the next wave (between February 2021 and May 2021) quickly expanded\r\nto entities from a long list of countries worldwide, including Russia, India, Iran, and the United Kingdom.\r\nIn the next phase (until February 2022), ToddyCat targeted the same cluster of countries but also added organizations from\r\nIndonesia, Uzbekistan, and Kyrgyzstan to the list.\r\nIn this third wave of attacks, the APT group also expanded their focus to include desktop systems, while before, they were\r\nexclusively targeting Microsoft Exchange servers.\r\nhttps://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/\r\nPage 3 of 5\n\nToddyCat attack waves (Kaspersky)\r\nActivity overlap with some Chinese-speaking APTs\r\nKaspersky says ToddyCat's victims are linked to industry sectors and countries also targeted by multiple Chinese-speaking\r\ngroups.\r\nHowever, some of the entities they breached (in three different countries) were also hacked around the same time by\r\nChinese-backed hackers using the FunnyDream backdoor.\r\n\"Despite the overlap, we do not feel confident merging ToddyCat with the FunnyDream cluster at the moment. Considering\r\nthe high-profile nature of all the victims we discovered, it is likely they were of interest to several APT groups,\" Dedola\r\nadded.\r\n\"Moreover, despite the occasional proximity in staging locations, we have no concrete evidence of the two malware families\r\ndirectly interacting (for instance, one deploying the other), and the specific directories are frequently used by multiple\r\nattackers.\r\n\"The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and\r\nis probably used to achieve critical goals, likely related to geopolitical interests.\"\r\nAdditional technical details on the malware used by and indicators of compromise (IOCs) linked to ToddyCat can be found\r\nin Kaspersky's report.\r\nhttps://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/\r\nhttps://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/" ], "report_names": [ "new-toddycat-apt-group-targets-exchange-servers-in-asia-europe" ], "threat_actors": [ { "id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14", "created_at": "2022-10-25T16:07:23.649308Z", "updated_at": "2026-04-10T02:00:04.701157Z", "deleted_at": null, "main_name": "FunnyDream", "aliases": [ "Bronze Edgewood", "Red Hariasa", "TAG-16" ], "source_name": "ETDA:FunnyDream", "tools": [ "Chinoxy", "Filepak", "FilepakMonitor", "FunnyDream", "Keyrecord", "LOLBAS", "LOLBins", "Living off the Land", "Md_client", "PCShare", "ScreenCap", "TcpBridge", "Tcp_transfer", "ccf32" ], "source_id": "ETDA", "reports": null }, { "id": "d67df52c-a901-4d55-b287-321818500789", "created_at": "2024-04-24T02:00:49.591518Z", "updated_at": "2026-04-10T02:00:05.314272Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "ToddyCat" ], "source_name": "MITRE:ToddyCat", "tools": [ "Cobalt Strike", "LoFiSe", "China Chopper", "netstat", "Pcexter", "Samurai" ], "source_id": "MITRE", "reports": null }, { "id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5", "created_at": "2022-10-25T16:07:24.329539Z", "updated_at": "2026-04-10T02:00:04.939013Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "Operation Stayin’ Alive", "Storm-0247" ], "source_name": "ETDA:ToddyCat", "tools": [ "CHINACHOPPER", "China Chopper", "Cuthead", "FRP", "Fast Reverse Proxy", "Impacket", "Krong", "LoFiSe", "Ngrok", "PcExter", "PsExec", "SIMPOBOXSPY", "Samurai", "SinoChopper", "SoftEther VPN", "TomBerBil", "WAExp" ], "source_id": "ETDA", "reports": null }, { "id": "60d96824-1767-4b97-a6c7-7e9527458007", "created_at": "2023-01-06T13:46:39.378701Z", "updated_at": "2026-04-10T02:00:03.307846Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "Websiic" ], "source_name": "MISPGALAXY:ToddyCat", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775433995, "ts_updated_at": 1775791996, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/21ec47f01bd3c04d90307f0767196cb5429d6aea.pdf", "text": "https://archive.orkl.eu/21ec47f01bd3c04d90307f0767196cb5429d6aea.txt", "img": "https://archive.orkl.eu/21ec47f01bd3c04d90307f0767196cb5429d6aea.jpg" } }