{
	"id": "a39f096a-51e7-4233-a76e-420cd1268410",
	"created_at": "2026-04-06T00:22:01.007153Z",
	"updated_at": "2026-04-10T03:33:16.361908Z",
	"deleted_at": null,
	"sha1_hash": "d4c1666a91183fbe2fd1661b0219a2e92d8492f2",
	"title": "APT ToddyCat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 565981,
	"plain_text": "APT ToddyCat\r\nBy Giampaolo Dedola\r\nPublished: 2022-06-21 · Archived: 2026-04-02 10:43:46 UTC\r\nToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for\r\nmultiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. We still\r\nhave little information about this actor, but we know that its main distinctive signs are two formerly unknown\r\ntools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.\r\nThe group started its activities in December 2020, compromising selected Exchange servers in Taiwan and\r\nVietnam using an unknown exploit that led to the creation of a well-known China Chopper web shell, which was\r\nin turn used to initiate a multi-stage infection chain. In that chain we observed a number of components that\r\ninclude custom loaders used to stage the final execution of the passive backdoor Samurai.\r\nDuring the first period, between December 2020 and February 2021, the group targeted a very limited number of\r\nservers in Taiwan and Vietnam, related to three organizations.\r\nFrom February 26 until early March, we observed a quick escalation and the attacker abusing the ProxyLogon\r\nvulnerability to compromise multiple organizations across Europe and Asia.\r\nWe suspect that this group started exploiting the Microsoft Exchange vulnerability in December 2020, but\r\nunfortunately, we don’t have sufficient information to confirm the hypothesis. In any case, it’s worth noting that\r\nall the targeted machines infected between December and February were Microsoft Windows Exchange servers;\r\nthe attackers compromised the servers with an unknown exploit, with the rest of the attack chain the same as that\r\nused in March.\r\nOther vendors observed the attacks launched in March. 
Our colleagues at ESET dubbed the cluster of activities\r\n‘Websiic’, while the Vietnamese company GTSC released a report about the infection vector and the technique\r\nused to deploy the first dropper. That said, as far as we know, none of the public accounts described sightings of\r\nthe full infection chain or later stages of the malware deployed as part of this group’s operation.\r\nThe first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with\r\nSamurai, a sophisticated passive backdoor that usually works on ports 80 and 443. The malware allows arbitrary\r\nC# code execution and is used with multiple modules that allow the attacker to administrate the remote system\r\nand move laterally inside the targeted network.\r\nIn some specific cases, the Samurai backdoor was also used to launch another sophisticated malicious program\r\nthat we dubbed Ninja. This tool is probably a component of an unknown post-exploitation toolkit exclusively used\r\nby ToddyCat.\r\nBased on the code logic, it appears that Ninja is a collaborative tool allowing multiple operators to work on the\r\nsame machine simultaneously. It provides a large set of commands, which allow the attackers to control remote\r\nhttps://securelist.com/toddycat/106799/\r\nPage 1 of 27\n\nsystems, avoid detection and penetrate deep inside a targeted network. Some capabilities are similar to those\r\nprovided in other notorious post-exploitation toolkits. For example, Ninja has a feature like Cobalt Strike pivot\r\nlisteners, which can limit the number of direct connections from the targeted network to the remote C2 and control\r\nsystems without internet access. It also provides the ability to control the HTTP indicators and camouflage\r\nmalicious traffic in HTTP requests that appear legitimate by modifying HTTP header and URL paths. 
This feature\r\nprovides functionality that reminds us of the Cobalt Strike Malleable C2 profile.\r\nSince it first appeared in December 2020, ToddyCat has continued its intense activity, especially in Asia where we\r\ndetect many other variants of loaders and installers similar to those abused to load Samurai and Ninja malware.\r\nWe also observed other waves of attacks against desktop machines that were infected by sending the malicious\r\nloaders via Telegram.\r\nFirst Campaign\r\nInfection vector\r\nBased on our telemetry, ToddyCat started to compromise servers on December 22, 2020, using an unknown\r\nexploit against the Microsoft Exchange component. The exploit was used to deploy the China Chopper web shell,\r\nwhich was used in turn to download and execute another dropper, debug.exe.\r\nStarting from February 26, we observed the same infection chain and samples observed in December and January,\r\ndeployed using ProxyLogon.\r\nStage 1 – Dropper\r\nThe dropper installs all the other components and creates multiple registry keys to force the legitimate svchost.exe\r\nprocess to load the final Samurai backdoor.\r\nInfection workflow\r\nThe program debug.exe makes use of a special resolution function that is used every time it calls a Windows API.\r\nThe code checks if the pointer is already resolved and placed into a global variable. If the value was not found, it\r\ngoes on to retrieve the address using the resolution function, which receives a handle to the library that contains\r\nthe API and an encrypted string of the requested API name, following which it decrypts the string using an XOR-based algorithm.\r\nCode snippet used to resolve and call CryptDestroyKey and CryptReleaseContext functions\r\nThe dropper was configured to load an encrypted payload stored in another file, debug.xml. 
The data are\r\ndecrypted using the standard Wincrypt functions with the CALG_3DES_112 algorithm and a static key embedded\r\nin the code. Once decrypted, the file shows a structure that contains multiple payloads and values used to install\r\nthe next stages.\r\nField Value\r\nmagic 0x12345678\r\nDotNet_Loader_v2_Payload websvc.dll payload compatible with .Net Framework v2.0\r\nDotNet_Loader_v4_Payload websvc.dll payload compatible with .Net Framework v4.0\r\nLoader_Dll_Payload iiswmi.dll dll loader\r\nServiceName WebUpdate\r\nPath_DotNet_Loader %COMMONPROGRAMFILES%\\System\\websvc.dll\r\nPath_Loader_Dll %COMMONPROGRAMFILES%\\microsoft shared\\WMI\\iiswmi.dll\r\nRegKey_Path_Service_SvcHost SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\r\nRegKey_Path_Interface SOFTWARE\\Classes\\Interface\\{6FD0637B-85C6-D3A9-CCE9-65A3F73ADED9}\r\nReg_Interface_Payload_v4 Samurai backdoor for .Net Framework v4.0\r\nReg_Interface_Payload_v2 Samurai backdoor for .Net Framework v2.0\r\nOnce the values are retrieved from the file, the malware conducts a sequence of actions in order to stage the next\r\ncomponent in the infection chain:\r\n1. Attempts to create the directory %COMMONPROGRAMFILES%\\Microsoft Shared\\wmi\\ that will\r\ncontain the DLL used for the next stage.\r\n2. Checks if a service corresponding to the subsequent stage already exists, and if so attempts to stop it.\r\n3. Checks if the .NET framework of version 2.0 is installed by attempting to open the registry key\r\nSOFTWARE\\Microsoft\\.NETFramework\\policy\\v2.0\r\n4. If the key exists, the malware drops the element we refer to as DotNet_Loader_v2_Payload to\r\n%COMMONPROGRAMFILES%\\System\\websvc.dll; otherwise, it drops the contents of\r\nDotNet_Loader_v4_Payload in the same path.\r\n5. Drops a DLL loader used to start the second stage under the path\r\n%COMMONPROGRAMFILES%\\microsoft shared\\WMI\\iiswmi.dll\r\n6. 
Once the aforementioned files are available on the system, the malware tries to create the registry key\r\nspecified below to maintain persistence on the system. The value in that key indicates the name of the\r\nservice that is created to execute the binary. Following the example below, once executed the service-related process is associated with the command line %SystemRoot%\\System32\\svchost.exe -k httpsvc.\r\nRegistry Key: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\r\nValue name: httpsvc\r\nValue: WebUpdate\r\n7. After the service is created, the malware attempts to configure the second stage DLL and entry point\r\nwithin it to be executed when the service is started. This is done by setting the corresponding registry keys\r\nwith the following values:\r\nRegistry Key: $HKLM\\System\\ControlSet\\Services\\WebUpdate\\Parameters\r\nValue name: ServiceDll\r\nValue: %ProgramFiles%\\Common Files\\microsoft shared\\WMI\\iiswmi.dll\r\nRegistry Key: $HKLM\\System\\ControlSet\\Services\\WebUpdate\\Parameters\r\nValue name: ServiceMain\r\nValue: INIT\r\n8. The malware drops the final payload in the infection chain as a compressed, encrypted and base64\r\nencoded blob under the following registry key:\r\nRegistry Key: $HKLM\\SOFTWARE\\Classes\\Interface\\{6FD0637B-85C6-D3A9-CCE9-65A3F73ADED9}\r\nValue name:\r\nValue: ILQ3Pz8/Pz87P9IFVEskWKpIeTB0jZx5SVXYXhh1fG...%encoded data%\r\nStage 2 – DLL Loader\r\nThe registry keys created during the previous step forced the svchost.exe process to load a malicious library\r\ndeveloped in C++, iiswmi.dll. 
The code used inside the library is quite similar to the dropper and it calls the\r\nWindows API using the same special resolution function observed in the dropper.\r\nThis component is merely a loader that attempts to get an encrypted payload from the registry and pass it as an\r\nargument to another DLL manually loaded during runtime.\r\nThe malware attempts to read the contents of the previously written registry key SOFTWARE\\Classes\\Interface\\\r\n{6FD0637B-85C6-D3A9-CCE9-65A3F73ADED9}, and if it succeeds, loads the previously dropped DLL in the\r\npath %COMMONPROGRAMFILES%\\System\\websvc.dll.\r\nTo invoke the next stage, the malware calls the Init export in the loaded DLL (websvc.dll) while passing the\r\ncontents of the former registry key as an argument.\r\nCode snippet used to load and execute websvc.dll\r\nStage 3 – .NET Loader\r\nThe websvc.dll library was developed in C# and it is another loader that expects an encrypted payload as input\r\nargument. That input is comprised of two base64-encoded strings separated by the pipe character (“|”). The first\r\nstring contains the final stage and the second an encrypted configuration that is used during the execution of the\r\nnext stage.\r\nThe library decodes the first string and the resulting data are decrypted with a simple single XOR with the key\r\n0x3F and decompressed using Gzip. The resulting payload is another library written in C#, which is loaded in\r\nmemory and executed by invoking a method named “Equals” from the class “X” defined in the loaded code. 
The\r\nsecond base64-encoded string loaded from the registry is passed as argument to the new C# library.\r\nCode snippet used to load and execute final stage\r\nSamurai backdoor\r\nThe final stage is a formerly unknown modular backdoor that we dubbed Samurai, due to a constant keyword used\r\ninside an important dictionary used by the malware to share data between its modules.\r\nThe library was developed in C# and uses the .NET HTTPListener class to receive and handle HTTP POST\r\nrequests, looking for specially crafted requests that carry encrypted C# source code issued by the attackers. These\r\nprograms will be in turn compiled and executed during runtime.\r\nThe malware is obfuscated with an algorithm developed to increase the difficulty of reverse engineering by\r\nmaking the code complicated to read. Multiple functions in the code are assigned random names, while some\r\nperform very simple actions, like getting a property of an object passed as input.\r\nMoreover, the malware uses multiple while loops and switch cases to jump between instructions, thus flattening\r\nthe control flow and making it hard to track the order of actions in the code. The flow is controlled by modifying\r\nthe switch case expression value and using break and goto statements to restart the loop, re-evaluate the switch\r\nexpression and jump to the correct instruction.\r\nCode snippet with while loop and switch case\r\nThe malware’s logic starts by decrypting configuration data provided as an input argument. 
Those data are\r\nencoded with base64 and encrypted with the DES algorithm using the hardcoded key 90 EE 0C E1 6C 0D C9 0C.\r\nThe resulting payload is a configuration file, which is customized per victim, containing multiple lines with\r\nseveral parameters consumed by the backdoor.\r\nBelow is an example of the configuration block’s structure:\r\nkeywordxyz\r\nC:\\Windows\\Temp\\\r\nhttp://*:80/owa/auth/sslauth/\r\nhttps://*:443/owa/auth/sslauth/\r\nThe first line contains a keyword that needs to be included as a variable in the received POST request, marking it\r\nas designated for processing by the backdoor and also used to specify important session parameters like the AES\r\nsession key and the list of variable names that contain the data that should be processed.\r\nIn some variants, the second line is used as a directory path, whose value is used to override the TEMP\r\nenvironment variable. All the other lines are URI prefixes that are used to configure the HTTPListener component,\r\nwhereby each is a string composed of a scheme (HTTP or HTTPS), a host, an optional port, and an optional path\r\ndefining which request will be processed by the HTTPListener object.\r\nIn several cases, the URL prefixes contained in the configuration included the victim’s domain, as in the following\r\nexample: https://mail.%redacted%.gov.%redacted%/owa/auth/sslauth.\r\nOnce the configuration is successfully decrypted, the backdoor starts the listeners according to the provided\r\nconfiguration and waits for incoming requests. 
The request must be structured as in the following example:\r\nPOST /owa/auth/sslauth/ HTTP/1.0\r\nHost: example.xyz\r\nHeaders...\r\nkeywordxyz={session_AES_key,variable2,variable3}\u0026variable2=[C# source\r\ncode]\u0026variable3=[argument_for_the_compiled_program\\r\\nassembly_reference1;assembly_reference2]\r\nWhere:\r\n{} = encrypted with default AES key + base64 encoded\r\n[] = encrypted with session AES key + base64 encoded\r\n### Input config ###\r\nkeywordxyz\r\nC:\\Windows\\Temp\\\r\nhttp://*:80/owa/auth/sslauth/\r\nThe request body should contain three values, one of which is equal to the keyword specified in the configuration\r\nreceived as input. The related value should be encoded with base64 and encrypted with AES, using a predefined\r\nkey. The resulting string will contain three values delimited by the comma character: the first value is another AES\r\nkey that is used to decrypt the other POST values, the second is the name of the variable that contains the C#\r\nsource code, and the third contains the name of the variable that contains the arguments and the list of assembly\r\nreferences that should be added to the compiled project.\r\nOnce compiled, the backdoor tries to invoke a method named “run” from a class named “core” that should be\r\nincluded in the received program. The invoked method receives two arguments as input:\r\nThe first one is a dictionary containing a key named “samurai” holding the current working directory path\r\nas a value.\r\nThe second is a value provided by the attacker in the third element of the POST request.\r\nIf the request is valid and the code is successfully executed, the backdoor replies with an HTTP 200 code,\r\nincluding the result generated by the invoked .NET assembly in the response body. 
The message will be encrypted\r\nwith AES using the session key and it will be encoded with Base64.\r\nUploaded modules\r\nDuring our investigation, we were able to discover some modules uploaded by the attackers and compiled by the\r\nSamurai backdoor:\r\nModule Description\r\nRemote\r\nCommand\r\nExecute arbitrary commands using the Windows command line, cmd.exe.\r\nFile enumerator\r\nGet a list of files and directories in a specific path provided by the attacker as an\r\nargument.\r\nFile exfiltration Download arbitrary files from the compromised machines.\r\nProxy Connect Start a connection to a remote IP address and TCP port specified in the code.\r\nProxy Handler\r\nForward the payload received with HTTP request to the remote IP address and vice\r\nversa.\r\nIt is worth mentioning the arguments passed to the modules, which in some cases are structures with specific\r\nformats. All modules must contain a “run” method, which expects two arguments, a dictionary that contains the\r\n“samurai” keyword with the current working directory, and a string provided by the attacker. The string should\r\ninclude values separated by the semi-colon character (“;”).\r\nFor example, the following is a valid string for the Remote Command module:\r\nY21kLmV4ZQ==;ZGlyICVNQUxESVIlXCoubXdy;TUFMRElSPUM6XE1hbGRpcg==\r\nThe string contains three different fields, and each of them is encoded with base64. 
The decoded value for this\r\nexample is the following:\r\ncmd.exe;dir %MALDIR%\\*.mwr;MALDIR=C:\\Maldir\r\nThe first value is the program that will be executed, the second one is the argument that will be passed to the new\r\nprocess and the last one is an environment variable.\r\nThe cumbersome administration of the Samurai backdoor using arguments in this structure suggests that the\r\nSamurai backdoor is the server-side component of a bigger solution that includes at least another client component\r\nproviding an interface for the operators that can be used to automatically upload some predefined modules.\r\nFurther evidence that supports this hypothesis is related to the proxy modules, two different C# programs\r\ndeveloped to forward TCP packets to arbitrary hosts. The attacker uses these modules to start a connection\r\nbetween a running instance of a Samurai backdoor and a remote host and forward the packets using the backdoor\r\nas a proxy. It is probably used to move laterally inside the compromised network. Most of the detected modules\r\nwere configured to communicate with internal IPs on standard ports, such as: 135, 445, 389, 80 and 443.\r\nThe first program is used to initialize the connection and it embeds the remote IP and the remote port inside the\r\ncode.\r\nCode snippet with the socket object creation\r\nWhen the connection is established, the socket object is added to the first argument received by the “run” method.\r\nThis argument is usually a dictionary that contains the keyword “samurai”.\r\nSo, the socket object is stored in the dictionary as the value of a unique key, whose name is composed of the word\r\n“ninja” followed by an alphanumeric unique code. 
The same value is then embedded in the second program,\r\nwhich is used to handle the packets.\r\nCode snippet of socket object handling\r\nIt suggests that the C# source code is probably dynamically generated by a client-side program that keeps track of\r\nproxy sessions.\r\nNinja Trojan\r\nIn specific cases the Samurai backdoor was used to deploy another sophisticated malware that we dubbed Ninja, a\r\ntool developed in C++, likely a part of an unknown post-exploitation toolkit developed by ToddyCat.\r\nThis tool was designed to take full control of a remote system and provide the attacker with the ability to operate\r\ndeeply within the targeted network. The attacker can use a number of different commands that provide the\r\nfollowing capabilities:\r\nEnumerate and manage running processes;\r\nManage the file system;\r\nStart multiple reverse shell sessions;\r\nInject code in arbitrary processes;\r\nLoad additional modules (probably plugins) at runtime;\r\nProvide proxy functionalities to forward TCP packets between the C2 and a remote host.\r\nMoreover, the tool can be configured to communicate using multiple protocols and it includes features to evade\r\ndetection, camouflaging its malicious traffic inside HTTP and HTTPS requests that try to appear legitimate by\r\nusing popular hostname and URL path combinations. The configuration is fully customizable and is similar to\r\nother features provided by famous post-exploitation tools such as Cobalt Strike and its Malleable C2 profiles.\r\nThe attacker can configure the agent to work only in specific time frames, which can be dynamically configured\r\nusing a specific command.\r\nLast, but not least, each agent can also work as a server component that receives packets from other agents, parses\r\nthe requests and forwards them to another predefined C2. 
This feature allows the attackers to create chains of\r\nservers and communicate with agents without a direct internet connection. It can also be used to avoid network\r\ndetections, by forwarding all malicious traffic generated inside a targeted intranet through a unique node instead of\r\ngenerating activities from all compromised machines.\r\nLoader\r\nWe have never observed Ninja stored on the file system; it is usually loaded in memory by another component.\r\nThe loader is usually an executable file, which shares many similarities with the iiswmi.dll library and Samurai\r\ninstallers such as the previously mentioned debug.exe.\r\nThe loader uses the same “special resolution function” to call the Windows API and decrypts the file payload\r\nusing 3DES (112-bit) and uncompresses the decrypted data with the LZSS algorithm.\r\nThe resulting payload is a library that will be mapped in memory by the loader without the DOS header and it will\r\nbe invoked by calling an exported function “Debug”.\r\nWe observed multiple variants, and the tool evolved during the year. The first samples lacked some features, such\r\nas the ability to handle multiple sessions on the client side and the ability to communicate with HTTP and HTTPS\r\nprotocols. 
The embedded configuration structure was also a little different.\r\nIn this article we are going to describe the last detected version.\r\nConfig\r\nThe malware starts operations by retrieving configuration parameters from an encrypted payload embedded in the\r\nbinary, which is XORed with the constant value “0xAA” and compressed with the LZSS algorithm.\r\nThe analyzed configuration contains a list of 15 elements with the following values:\r\nParameter Description\r\n2B847033-C95F-92E3-D847-29C6AE934CDC Mutex name used to guarantee atomic execution.\r\nC2_INFO\r\nA structure that contains the information to\r\ncommunicate with the C2 servers.\r\n/Collector/3.0/ URL path used with HTTP and HTTPS protocols.\r\nContent-Type: application/x-www-form-urlencoded HTTP header used with HTTP and HTTPS protocols.\r\nHost: mobile.pipe.microsoft.com:8080 HTTP header used with HTTP and HTTPS protocols.\r\nMozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0)\r\nlike Gecko\r\nUser-Agent used with HTTP and HTTPS protocols.\r\n0 Working hour Start.\r\n0 Working minute Start.\r\n0 Working second Start.\r\n0 Working hour Stop.\r\n0 Working minute Stop.\r\n0 Working second Stop.\r\n0 TCP C2 communication interval.\r\n300 HTTP C2 communication interval.\r\n0 Local Server port.\r\nThe first element is the mutex name, which could be any string, but usually looks like a GUID value. C2_INFO is\r\na string that contains multiple values organized with a specific structure.\r\nHTTP config\r\nThe attacker can also customize the HTTP URL path and headers to mimic legitimate services and hide malicious\r\ntraffic. 
The specific values in the example will generate requests like the following.\r\nPOST /Collector/3.0/ HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: mobile.pipe.microsoft.com:8080\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko\r\nContent-Length: 430\r\nCache-Control: no-cache\r\nWe may infer that the attacker was trying to emulate Microsoft Teams behavior, although the “User-Agent” and\r\nthe “Host” headers are incorrect.\r\nC2 Info\r\nThe C2_INFO contains multiple information items specified with the following format:\r\n%Protocol% \\r %C2_Hostname% \\r %C2_Port% \\r %Proxy_Type% \\r Proxy_Info\r\nThe protocol is a numeric value that identifies the communication protocol:\r\n1. HTTP\r\n2. HTTPS\r\n3. TCP\r\nThe C2 hostname and port are self-explanatory.\r\nThe “Proxy_Type” is another integer that can have three different values:\r\n1. No Proxy. Connect to the C2 directly\r\n2. System Proxy\r\n3. Manual Proxy\r\nWhen the value is equal to “3”, the agent will try to decode a base64 string embedded in “Proxy_Info” that\r\ncontains different information, according to the specified protocol. When the protocol is HTTP or HTTPS, the\r\nfollowing information must be specified:\r\n%Proxy_Address% : %Proxy_Port% \\t %Proxy Username% \\t %Proxy_Password%\r\nIf the protocol is TCP, the decoded strings could specify a proxy chain with up to 255 hops.\r\n%Proxy_Address% \\t %Proxy_Port% \\t %Remote_Host% \\t %Remote_Port% \\r\r\n%Proxy_Address% \\t %Proxy_Port% \\t %Remote_Host% \\t %Remote_Port% \\r\r\n%Proxy_Address% \\t %Proxy_Port% \\t %Remote_Host% \\t %Remote_Port% \\r\r\n%Proxy_Address% \\t %Proxy_Port% \\t %Remote_Host% \\t %Remote_Port% \\r\r\n... 
up to 255\r\nThe information will be used by the agent to initialize the connection with the C2.\r\nWorking time config\r\nThe Ninja agent includes an interesting ‘working time’ feature that can be used to force the malware to work only\r\nwithin a specific time frame. For example, it could configure the malware to work only from 9am to 6pm, during\r\ntypical working hours. This feature is useful to avoid being detected by specific security solutions such as\r\nbehavior-based intrusion detection systems. When the values are equal to zero, the feature is disabled and the\r\nagent works at any time. The attacker can remotely configure these options with a specific command.\r\nLocal server\r\nThe last value is the local server port. When the local server feature is enabled, the agent acts as the C2. It waits\r\nfor agent connections, decodes the received requests and forwards them to the remote C2. This feature is probably\r\nused for ‘pivoting’ and accessing other internal systems from the compromised machine. Also, this value can be\r\nmodified by the attacker with a specific command.\r\nCommunication protocol\r\nMalware communications are protected with a sequence of encryption and encoding algorithms, with small\r\ndifferences between the HTTP and TCP protocols.\r\nBoth protocols use a message format as follows:\r\nMessage_ID@Message_payload\r\nThe “Message_ID” changes according to the command type and the “Message_payload” contains the real payload\r\ncompressed, XORed with the static value 0x3F and encoded with base64 algorithm using a custom alphabet.\r\nThe resulting message is then encrypted with AES 256 using a session key generated by selecting two random\r\ncharacters from the custom base64 alphabet. 
The agent uses those random characters to generate a SHA1 hash,\r\nwhich will be used for the AES encryption.\r\nThe encrypted data is then encoded again using the base64 algorithm and the resulting string is appended to the\r\npreviously generated random characters to allow the server to decrypt the information.\r\nWhen the agent is configured to use the HTTP/S protocol, the data are included in standard POST requests.\r\nIf the C2 communicates using the TCP protocol, the agent will send a first packet with the constant value\r\n0x6CC8DF01 and then other packets with the generated payload. The server should reply with a packet with the\r\nsame constant value 0x6CC8DF01 and then with other packets encrypted with the same algorithms. The constant\r\nvalue is not always the same, but changes according to the variant.\r\nThe first message is sent using the “Message_ID” 10001 and it contains information about the infected system and\r\nthe agent configuration.\r\nSystem info (collected with Kernel32.GetNativeSystemInfo function)\r\nOS info (collected with Ntdll.RtlGetVersion function)\r\nComputer name\r\nLocal IP address\r\nAgent file path\r\nAgent PID\r\nAgent Sleep Time\r\nAgent C2 configuration (C2 hostname, Port, Proxy Info)\r\nCommands\r\nThe server response usually has the following structure:\r\nMagic constant 0x887766\r\nNumber of commands\r\nList of commands\r\nThe “Magic constant” is an integer, the value of which changes according to the variants. 
The list of commands is\r\nan array, and for each element the attacker could specify:\r\nCommandID\r\nArguments Size\r\nArguments\r\nThe argument values change according to the “CommandID”, but usually they are strings with multiple values\r\ndivided by the ‘*’ character.\r\nCommand ID Description Response ID\r\n20000 Enable Session\r\n20001 Disable Session\r\n20002 Update sleep time\r\n20003 Kill Bot\r\n20004 Execute program as user\r\n20005 Set Local Server Port\r\n20006 Safe Exit\r\n20010 Shell::Start new session 30010\r\n20011 Shell::Handle Command 30011\r\n20012 Shell::Close Session 30012\r\n20013 Shell::Terminate Session Tree 30013\r\n20020 File::Get Drives list 30020\r\n20021 File::Get Directory content 30021\r\n20022 File::Create directory 30022\r\n20023 File::Delete file 30023\r\n20024 File::Remove directory 30024\r\n20025 File::Move file 30025\r\n20026 File::Change Create\\Last access\\Last write Time 30026\r\n20030 File::Read file 30030\r\n20031 File::Write file 30031\r\n20040 Proxy::Start Session 30040\r\n20041 Proxy::Set socket as writeable 30041\r\n20042 Proxy::Send Data 30042\r\n20043 Proxy::Receive Data 30043\r\n20044 Proxy::Close Session 30044\r\n20045 Proxy::Reconnect 30045\r\n20050 Enumerate Processes (filename|pid|number of threads) 30050\r\n20051 Kill a list of processes\r\n20052 Process Injection 30052\r\n20053 Plugin::Load 30053\r\n20054 Plugin::Read Output 30054\r\n20055 Plugin::Unload 30055\r\n20056 Enumerate Processes (SessionID\\PID\\Domain\\Username) 30056\r\n20060 Injection::Start new session 30060\r\n20061 Injection::List active sessions 30061\r\n20062 Injection::Close session 30062\r\n20064 Injection::Inject code in a new process 30064\r\n20065 Injection::Read “pobject” 30065\r\n20068 Injection::Read “create_object” 30068\r\n21000 Configure Working Time 31000\r\nSome commands are self-explanatory, others aren’t, and 
in some cases we are unable to fully understand them\r\nsince we are still missing some information.\r\nThe Enable and Disable session commands are used to activate or deactivate the Agent. The attacker should\r\nenable the bot before sending any other commands, which will be dropped by deactivated bots. The Enable\r\ncommand is also mandatory to enable the “Local server” feature.\r\nThe Shell, Proxy and Injection commands were designed to run multiple parallel sessions, which probably means\r\nthat multiple operators can work on the target machine simultaneously. The agent manages three structures, one\r\nfor the Shell, one for the Proxy and the last one for the Injection commands.\r\nFor example, when the attacker wants to start a shell, they must use the command “20010” that will force the\r\nagent to create a new process and new pipes used to redirect the standard input and the standard output. The “Shell\r\nsession ID” must be specified by the attacker and this value will be stored in the local array, which contains the list\r\nof active sessions. If the command succeeds, the agent will reply with a list of information like new PID and pipe\r\nhandles.\r\nThe command 20011 can be used to read or write data in the pipes. The attacker has to provide a valid “Shell\r\nsession id”, an event ID and the pipe handles. Before processing the command, the agent will check if the\r\nprovided ID is valid, by comparing the values with those in the local structure.\r\nThe command 20012 is used to close an active session, remove the “Session_ID” from the local array, terminate\r\nthe running process and close the pipe handles. A similar logic is used to manage the Proxy commands, which can\r\nbe used to forward packets to other remote hosts using the TCP protocol.\r\nThe Plugin commands are used to load other unknown libraries in the agent process address space. 
We don’t have\r\ninformation about the other modules, but we presume they are additional plugins that can be used by the attacker\r\nto provide more features.\r\nhttps://securelist.com/toddycat/106799/\r\nPage 18 of 27\n\nBased on static analysis we know the libraries should export at least three functions: GET, RUN and CLOSE; and\r\nthen share data with the main process by using a file mapping object.\r\nThe “Process Injection” (20052) command and the “Injection” set of commands could cause some confusion, but\r\nthey are quite different. The first one is used to inject arbitrary shellcode in a running process. The second is used\r\nto inject another agent module in a new process specified by the attack. The injected code is not an arbitrary\r\nshellcode, but something that should communicate with the main agent by using specific file mapping objects.\r\nThe attacker uses command 20060 to start a new injection session, where the attacker basically provides the\r\nshellcode that will be injected in a new program, and whose path will be specified with command 20064.\r\nThe “Injection::Inject code in a new process” command will force the agent to start a program specified by the\r\nattacker. 
The specified program will be created as suspended and the agent will write the shellcode in a new\r\nsection allocated in the created process.\r\nThe agent then gets the remote thread’s context to obtain the instruction pointer address and replace the instruction\r\nin that offset with the following:\r\ndec eax\r\nsub esp, 40h\r\ndec eax\r\nmov eax, %SHELLCODE_ADDRESS%\r\ncall eax\r\nFinally, the code will resume the remote process, which will execute the injected code.\r\nThe commands 20065 and 20068 are then used to read data from the file mapping objects, which should contain\r\ninformation generated by the injected code.\r\nOther campaigns and variants\r\nOther variants\r\nDuring our investigations, we discovered several loader and installer variants that evolved during 2021 and were\r\nused in different campaigns.\r\nInstallers\r\nAll the installers are quite similar in their logic: they load a payload from an external file, usually located in the\r\nsame directory, with a name that differs according to the variant:\r\ndebug.xml\r\nhttps://securelist.com/toddycat/106799/\r\nPage 19 of 27\n\nweb.xml\r\naccess.log\r\ncache.dat\r\nreg.txt\r\nlogo.jpg\r\nThe files are always decrypted with the same algorithm, CALG_3DES_112, but the loaded data are usually\r\ntailored for the victim.\r\nAll installers create a new service using a name and description specified in an encrypted file. They also set a\r\nregistry value (either httpsvc or w3esvc) in the following Windows registry key:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\r\nThese values cause svchost.exe to automatically start the malicious service and load the code in its process address\r\nmemory. The registry values contain the malicious service name. The main difference between the installer\r\nvariants is related to the final payload. 
Based on initial investigations, we know that the first variants (from\r\nDecember 2020 to May 2021) were configured to store their payload inside a registry key, such as:\r\n$HKLM\\SOFTWARE\\Classes\\Interface\\{6FD0637B-85C6-D3A9-CCE9-65A3F73ADED9}\r\n$HKLM\\SOFTWARE\\Classes\\Interface\\{AFDB6869-CAFA-25D2-C0E0-09B80690F21D}\r\nStarting from March we also observed new variants configured to store the final backdoor inside other encrypted\r\nfiles in the file system. The most common dropped the Stage 2 loader in the following paths:\r\n%System32%\\Triedit.dll\r\n%System32%\\fveapi.dll\r\nand the Stage 3 loader and encrypted payload in the following paths:\r\n%WINDIR%\\Microsoft.NET\\Framework\\sbs_clrhost.dll\r\n%WINDIR%\\Microsoft.NET\\Framework\\sbs_clrhost.dat\r\n%WINDIR%\\Microsoft.NET\\Framework\\Util.dll\r\n%WINDIR%\\Microsoft.NET\\Framework\\Util.dat\r\nStarting from September 2021, we observed new samples configured to once again store the final payload in the\r\nWindows registry, but instead of relying on static registry key values, the malware was configured to create a\r\ndynamically generated key in $HKLM\\SOFTWARE\\Classes\\Interface\\, based on the disk drive’s serial number:\r\nhttps://securelist.com/toddycat/106799/\r\nPage 20 of 27\n\nCode snippet to create a registry key based on the Volume Serial Number\r\nThe constants used to generate the final registry key name change for each sample.\r\nLoaders\r\nThe loaders are basic tools used to decrypt payloads from 3DES and load them into memory. 
They were modified\r\nover time along with the installers to account for the changes in how the final payload is stored.\r\nSome loaders, like those mentioned in the previous paragraph, were configured to load another payload from an\r\nencrypted file and pass the resulting data as arguments for another library, a Stage 3 loader, stored in a specific\r\nlocation.\r\nOther loaders were configured to load the payload from the registry and pass it to the Stage 3 library.\r\nSome variants included a function to directly run .NET code at runtime, without relying on another external Stage\r\n3 library.\r\nFinally, we observed other loaders that were mainly used on desktop systems to load the Ninja Trojan.\r\nOther attacks against Desktop systems\r\nThe first waves of attacks exclusively targeted Microsoft Exchange servers, but starting from September 2021, we\r\nalso observed a new set of loaders detected on desktop systems in Central Asia with filenames such as\r\n“01.09.2021 г..exe”, “03.09.2021 г.exe”, “нота мид кр регламент.exe” and “Тех.Инструкции.exe”.\r\nThe files were loaders configured to run the Ninja component, but they were distributed as executable files\r\nembedded in zip archives and sent through the popular messaging app Telegram.\r\nhttps://securelist.com/toddycat/106799/\r\nPage 21 of 27\n\nThe programs were configured to load a payload from another file, “license.txt”, which should be located in the\r\nsame directory. 
The malware then uses the previously described “special resolution function” to call the Windows\r\nAPI and decrypts the file payload using 3DES (112)-bit and uncompresses the decrypted data.\r\nThe resulting payload is the Ninja library that will be mapped in memory by the loader without the DOS header\r\nand it will be invoked calling an exported function “Debug”.\r\nHow to detect the Samurai backdoor\r\nThe whole infection scheme used to deploy and guarantee Samurai persistence, was designed to avoid forensic\r\nanalysis and the most common superficial checks.\r\nAs we said, the malicious code is loaded by the legitimate svchosts.exe process, which means that the backdoor\r\ncannot be detected with a simple process enumeration.\r\nMoreover, the backdoor cannot be spotted by watching the open TCP ports, because it uses the .NET\r\nHTTPListener class, which is built on top of HTTP.sys and allows different processes to share the same ports. In\r\nthe case of the Samurai backdoor, it uses ports 80 or 443, which are also used by Microsoft Exchange.\r\nWe detect this backdoor as “HEUR:Backdoor.MSIL.Samurai.gen”, but in the absurd case that you are not using\r\nour products, a simple way to check if the backdoor is running is to try to find one of the IoCs shared in this\r\nblogpost or trying to execute the following command:\r\n#\u003enetsh http show servicestate verbose=yes\r\nAs described by Microsoft, this command will display a snapshot of the HTTP service, and you can try to find\r\nsuspicious registered URLs such as the following:\r\nServer session ID: ED00000020000013\r\n    Version: 2.0\r\n    State: Active\r\n    Properties:\r\n    ...\r\n            Max bandwidth: inherited\r\n            Max connections: inherited\r\n            Timeouts:\r\n                Timeout values inherited\r\nhttps://securelist.com/toddycat/106799/\r\nPage 22 of 27\n\nNumber of registered URLs: 2\r\n            Registered URLs:\r\n                HTTP://*:80/OWA/AUTH/TOKEN/\r\n     
           HTTPS://*:443/OWA/AUTH/TOKEN/\r\nVictims\r\nBased on our visibility we know that ToddyCat focused its attention on high-profile targets; most of them were\r\ngovernment organizations and military entities, as well as military contractors.\r\nWe know the attacks launched before February 2021 targeted a very limited number of government entities in:\r\nTaiwan\r\nVietnam\r\nAfter the ProxyLogon publication the number of detections rapidly increased around the world, and we also\r\nobserved victims in the following countries:\r\nAfghanistan\r\nIndia\r\nIran\r\nMalaysia\r\nPakistan\r\nRussia\r\nSlovakia\r\nThailand\r\nUnited Kingdom\r\nAfter May 2021, we observed other variants and campaigns that we attributed to the same group and affected most\r\nof the previously mentioned countries in Asia and the following:\r\nKyrgyzstan\r\nUzbekistan\r\nIndonesia\r\nhttps://securelist.com/toddycat/106799/\r\nPage 23 of 27\n\nOverall affected victims map\r\nAttribution\r\nUnfortunately, we were not able to attribute the attacks to a known APT group; and for this reason we dubbed this\r\nentity ToddyCat.\r\nDuring our investigations we noticed that ToddyCat victims are related to countries and sectors usually targeted by\r\nmultiple Chinese-speaking groups. In fact, we observed three different high-profile organizations compromised\r\nduring a similar time frame by ToddyCat and another Chinese-speaking APT group that used the FunnyDream\r\nbackdoor.\r\nThis overlap caught our attention, since the ToddyCat malware cluster is rarely seen as per our telemetry; and we\r\nobserved the same targets compromised by both APTs in three different countries. 
Moreover, in all the cases there\r\nwas a proximity in the staging locations and in one case they used the same directory.\r\nTarget 1\r\nC:\\ProgramData\\Microsoft\\DRM\\rundll.dll – FunnyDream related\r\nC:\\ProgramData\\Microsoft\\mf\\svchost.dll – ToddyCat\r\nTarget 2\r\nC:\\ProgramData\\adobe\\avps.exe – FunnyDream related\r\nC:\\ProgramData\\adobe\\2.dll – ToddyCat\r\nDespite the overlap, we do not feel confident merging ToddyCat with the FunnyDream cluster at the moment.\r\nConsidering the high-profile nature of all the victims we discovered, it is likely they were of interest to several\r\nAPT groups. Moreover, despite the occasional proximity in staging locations, we have no concrete evidence of the\r\nhttps://securelist.com/toddycat/106799/\r\nPage 24 of 27\n\ntwo malware families directly interacting (for instance, one deploying the other), and the specific directories are\r\nfrequently used by multiple attackers.\r\nConclusions\r\nToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low\r\nprofile. During our investigations we discovered dozens of samples, but despite the number of files and the\r\nduration of their activities, we were unable to attribute the attacks to a known group; and there is also quite a bit of\r\ntechnical information about the operations that we don’t have.\r\nThe affected organizations, both governmental and military, show that this group is focused on very high-profile\r\ntargets and is probably used to achieve critical goals, likely related to geopolitical interests.\r\nBased on our telemetry, the group shows a strong interest in targets in Southeast Asia, but their activities also\r\nimpact targets in the rest of Asia and Europe.\r\nWe’ll continue to monitor this group and keep you updated.\r\nMore information, IoCs and YARA rules about ToddyCat are available to customers of the Kaspersky Intelligence\r\nReporting Service. 
Contact: intelreports@kaspersky.com.\r\nToddyCat’s indicators of compromise\r\n5cfdb7340316abc5586448842c52aabc Dropper google.log\r\n93c186c33e4bbe2abdcc6dfea86fbbff Dropper\r\n5a912beec77d465fc2a27f0ce9b4052b Dll Loader Stage 2 iiswmi.dll\r\nf595edf293af9b5b83c5ffc2e4c0f14b Dll Loader Stage 3 websvc.dll\r\n5a531f237b8723396bcfd7c24885177f Dll Loader Stage 2 fveapi.dll\r\n1ad6dccb520893b3831a9cfe94786b82 Dll Loader Stage 2 fveapi.dll\r\nf595edf293af9b5b83c5ffc2e4c0f14b Dll Loader Stage 3 sbs_clrhost.dll\r\n8a00d23192c4441c3ee3e56acebf64b0 Samurai Backdoor\r\n5e721804f556e20bf9ddeec41ccf915d Ninja Trojan\r\nOther variants\r\n33694faf25f95b4c7e81d52d82e27e7b 1.dll – Installer\r\n832bb747262fed7bd45d88f28775bca6 Техинстр egov – ГЦП – Акрамов.exe – Loader\r\n8fb70ba9b7e5038710b258976ea97c98 28.09.2021. Управление ИР и ИС.exe – Loader\r\nee881e0e8b496bb62ed0b699f63ce7a6 Loader\r\nae5d2cef136ac1994b63c7f8d95c9c84 Loader\r\n5c3bf5d7c3a113ee495e967f236ab614 System.Core.dll – Loader\r\nbde2073dea3a0f447eeb072c7e568ee7 wabext.dll – Loader\r\n350313b5e1683429c9ffcbc0f7aebf3b rcdll.dll – Loader\r\nNinja C2\r\n149.28.28[.]159\r\nhttps://securelist.com/toddycat/106799/\r\nPage 25 of 27\n\neohsdnsaaojrhnqo.windowshost[.]us\r\nFile paths\r\nC:\\inetpub\\temp\\debug.exe\r\nC:\\Windows\\Temp\\debug.exe\r\nC:\\Windows\\Temp\\debug.xml\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Temporary ASP.NET Files\\web.exe\r\nC:\\Users\\Public\\Downloads\\dw.exe\r\nC:\\Users\\Public\\Downloads\\chrome.log\r\nC:\\Windows\\System32\\chr.exe\r\nC:\\googleup.exe\r\nC:\\Program Files\\microsoft\\exchange server\\v15\\frontend\\httpproxy\\owa\\auth\\googleup.log\r\nC:\\google.exe\r\nC:\\Users\\Public\\Downloads\\x64.exe\r\nC:\\Users\\Public\\Downloads\\1.dll\r\nC:\\Program Files\\Common Files\\microsoft shared\\WMI\\iiswmi.dll\r\nC:\\Program Files\\Common Files\\microsoft shared\\Triedit\\Triedit.dll\r\nC:\\Program Files\\Common 
Files\\System\\websvc.dll\r\nC:\\Windows\\Microsoft.NET\\Framework\\sbs_clrhost.dll\r\nC:\\Windows\\Microsoft.NET\\Framework\\sbs_clrhost.dat\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Temporary ASP.NET Files\\web.xml\r\nC:\\Users\\Public\\Downloads\\debug.xml\r\nC:\\Users\\Public\\Downloads\\cache.dat\r\nC:\\Windows\\System32\\config\\index.dat\r\nC:\\Windows\\Microsoft.NET\\Framework\\netfx.dat\r\n%ProgramData%\\adobe\\2.dll\r\n%ProgramData%\\adobe\\acrobat.exe\r\n%ProgramData%\\git\\git.exe\r\n%ProgramData%\\intel\\mstacx.dll\r\n%ProgramData%\\microsoft\\drm\\svchost.dll\r\n%ProgramData%\\microsoft\\mf\\svchost.dll\r\n%ProgramData%\\microsoft\\mf\\svhost.dll\r\n%program files%\\Common Files\\services\\System.Core.dll\r\n%public%\\Downloads\\1.dll\r\n%public%\\Downloads\\config.dll\r\n%system%\\Triedit.dll\r\n%userprofile%\\Downloads\\Telegram Desktop\\03.09.2021 г.zip\r\n%userprofile%\\Downloads\\Telegram Desktop\\Тех.Инструкции.zip\r\n%userprofile%\\libraries\\1.dll\r\n%userprofile%\\libraries\\chrome.exe\r\n%userprofile%\\libraries\\chrome.log\r\n%userprofile%\\libraries\\config.dll\r\nC:\\intel\\2.dll\r\nhttps://securelist.com/toddycat/106799/\r\nPage 26 of 27\n\nC:\\intel\\86.dll\r\nC:\\intel\\x86.dll\r\nRegistry Keys\r\n$HKLM\\System\\ControlSet\\Services\\WebUpdate\r\n$HKLM\\System\\ControlSet\\Services\\PowerService\r\n$HKLM\\SOFTWARE\\Classes\\Interface\\{6FD0637B-85C6-D3A9-CCE9-65A3F73ADED9}\r\n$HKLM\\SOFTWARE\\Classes\\Interface\\{AFDB6869-CAFA-25D2-C0E0-09B80690F21D}\r\nSource: https://securelist.com/toddycat/106799/\r\nhttps://securelist.com/toddycat/106799/\r\nPage 27 of 27",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/toddycat/106799/"
	],
	"report_names": [
		"106799"
	],
	"threat_actors": [
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d67df52c-a901-4d55-b287-321818500789",
			"created_at": "2024-04-24T02:00:49.591518Z",
			"updated_at": "2026-04-10T02:00:05.314272Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"ToddyCat"
			],
			"source_name": "MITRE:ToddyCat",
			"tools": [
				"Cobalt Strike",
				"LoFiSe",
				"China Chopper",
				"netstat",
				"Pcexter",
				"Samurai"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5",
			"created_at": "2022-10-25T16:07:24.329539Z",
			"updated_at": "2026-04-10T02:00:04.939013Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Operation Stayin’ Alive",
				"Storm-0247"
			],
			"source_name": "ETDA:ToddyCat",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Cuthead",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"Krong",
				"LoFiSe",
				"Ngrok",
				"PcExter",
				"PsExec",
				"SIMPOBOXSPY",
				"Samurai",
				"SinoChopper",
				"SoftEther VPN",
				"TomBerBil",
				"WAExp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434921,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4c1666a91183fbe2fd1661b0219a2e92d8492f2.pdf",
		"text": "https://archive.orkl.eu/d4c1666a91183fbe2fd1661b0219a2e92d8492f2.txt",
		"img": "https://archive.orkl.eu/d4c1666a91183fbe2fd1661b0219a2e92d8492f2.jpg"
	}
}