{ "id": "b0b4a5bb-3609-403c-a77c-4a50b7c2588e", "created_at": "2026-04-06T00:10:22.512795Z", "updated_at": "2026-04-10T03:33:16.363152Z", "deleted_at": null, "sha1_hash": "c8d32cfb0d285c18adee92ca40b7cf76ad2f13b4", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 59998, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:33:51 UTC\n APT group: ToddyCat\nNames\nToddyCat (Kaspersky)\nStorm-0247 (Microsoft)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2020\nDescription\n(Kaspersky) ToddyCat is a relatively new APT actor that we have not been able to\nrelate to other known actors, responsible for multiple sets of attacks detected since\nDecember 2020 against high-profile entities in Europe and Asia. We still have little\ninformation about this actor, but we know that its main distinctive signs are two\nformerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.\nObserved\nSectors: Defense, Government, Telecommunications.\nCountries: Afghanistan, India, Indonesia, Iran, Kazakhstan, Kyrgyzstan, Malaysia,\nPakistan, Russia, Slovakia, Taiwan, Thailand, UK, Uzbekistan, Vietnam.\nTools used\nChina Chopper, Cuthead, FRP, Impacket, Krong, LoFiSe, Ninja, Ngrok, PcExter,\nPsExec, Samurai, SIMPOBOXSPY, SoftEther VPN, TomBerBil, WAExp.\nOperations performed\n2021\nOperation “Stayin’ Alive”\nUnveiling ‘Stayin’ Alive’: A Closer Look at an Ongoing Campaign in Asia\nTargeting Telecom and Governmental Entities\n2024\nHow ToddyCat tried to hide behind AV software\nInformation\nLast change to this card: 28 June 2025\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7cc191a7-8a9b-431c-8ae1-af954b6537b7\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7cc191a7-8a9b-431c-8ae1-af954b6537b7\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7cc191a7-8a9b-431c-8ae1-af954b6537b7\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7cc191a7-8a9b-431c-8ae1-af954b6537b7" ], "report_names": [ "showcard.cgi?u=7cc191a7-8a9b-431c-8ae1-af954b6537b7" ], "threat_actors": [ { "id": "d67df52c-a901-4d55-b287-321818500789", "created_at": "2024-04-24T02:00:49.591518Z", "updated_at": "2026-04-10T02:00:05.314272Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "ToddyCat" ], "source_name": "MITRE:ToddyCat", "tools": [ "Cobalt Strike", "LoFiSe", "China Chopper", "netstat", "Pcexter", "Samurai" ], "source_id": "MITRE", "reports": null }, { "id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5", "created_at": "2022-10-25T16:07:24.329539Z", "updated_at": "2026-04-10T02:00:04.939013Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "Operation Stayin’ Alive", "Storm-0247" ], "source_name": "ETDA:ToddyCat", "tools": [ "CHINACHOPPER", "China Chopper", "Cuthead", "FRP", "Fast Reverse Proxy", "Impacket", "Krong", "LoFiSe", "Ngrok", "PcExter", "PsExec", "SIMPOBOXSPY", "Samurai", "SinoChopper", "SoftEther VPN", "TomBerBil", "WAExp" ], "source_id": "ETDA", "reports": null }, { "id": "60d96824-1767-4b97-a6c7-7e9527458007", "created_at": "2023-01-06T13:46:39.378701Z", "updated_at": "2026-04-10T02:00:03.307846Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "Websiic" ], "source_name": "MISPGALAXY:ToddyCat", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434222, "ts_updated_at": 1775791996, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c8d32cfb0d285c18adee92ca40b7cf76ad2f13b4.pdf", "text": "https://archive.orkl.eu/c8d32cfb0d285c18adee92ca40b7cf76ad2f13b4.txt", "img": "https://archive.orkl.eu/c8d32cfb0d285c18adee92ca40b7cf76ad2f13b4.jpg" } }