New ToddyCat APT targets high-profile entities in Europe and Asia

Pierluigi Paganini June 21, 2022

Researchers linked a new APT group, tracked as ToddyCat, to a series of attacks targeting entities in Europe and Asia since at least December 2020.

Researchers from Kaspersky have linked a new APT group, tracked as ToddyCat, to a series of attacks aimed at high-profile entities in Europe and Asia since at least December 2020.

The threat actors initially launched a cyber espionage campaign against entities in Taiwan and Vietnam; the APT was observed targeting Microsoft Exchange servers with a zero-day exploit.

The attackers leveraged the exploit to deploy the China Chopper web shell on the target systems, malicious code commonly used by China-linked threat actors. The tool allows threat actors to install PHP, ASP, ASPX, JSP, and CFM web shells (backdoors) on publicly exposed web servers. Once the China Chopper web shell is installed, the attackers gain full access to a remote server through the exposed website. ToddyCat used the web shell to start a multi-stage attack chain that involved the Samurai backdoor and the ‘Ninja Trojan’.


From February 26 until early March, the attackers started exploiting the ProxyLogon vulnerability in attacks aimed at organizations across Europe and Asia.

“We suspect that this group started exploiting the Microsoft Exchange vulnerability in December 2020, but unfortunately, we don’t have sufficient information to confirm the hypothesis. In any case, it’s worth noting that all the targeted machines infected between December and February were Microsoft Windows Exchange servers; the attackers compromised the servers with an unknown exploit, with the rest of the attack chain the same as that used in March.” reads the analysis published by Kaspersky.

The first wave of attacks was aimed exclusively at Microsoft Exchange servers, which were compromised with the sophisticated passive backdoor Samurai.

The Samurai backdoor is able to execute C# code and has a modular architecture that allows operators to fully control the target system. The malware also allows operators to perform lateral movement and load other malicious payloads, including an unknown post-exploitation toolkit dubbed Ninja.

According to Kaspersky, Ninja is a collaborative tool used by the APT group to allow multiple operators to work on the same machine simultaneously. It provides a large set of commands to remotely control the infected systems, avoid detection and perform a broad range of malicious activities.

Researchers observed other attacks associated with this APT against entities in multiple countries, including Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the U.K., and Uzbekistan.

“ToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low profile.” concludes Kaspersky. “we were unable to attribute the attacks to a known group; and there is also quite a bit of technical information about the operations that we don’t have. The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests. Based on our telemetry, the group shows a strong interest in targets in Southeast Asia, but their activities also impact targets in the rest of Asia and Europe.”
