G1022: ToddyCat
Analyst context for executives and security teams
ToddyCat matters as a planning case for targeted, multi-stage intrusions where custom malware, common administration utilities, web shells, credential use, discovery, lateral movement, collection, staging, and exfiltration can blend into normal enterprise operations. ATT&CK does not provide group-level platforms, tactics, or detection guidance for this object, but the linked software and techniques point defenders toward validating Windows administration telemetry, domain account activity, SMB/WMI movement, file discovery, staging, and outbound transfer evidence.
Executive priority
For leadership, the decision value is not to treat ToddyCat as a single malware alert. The ATT&CK relationships show a chain of behaviors that can stress identity governance, Windows endpoint visibility, log retention, incident response readiness, and evidence needed for audit or post-incident review. Priority questions: can the organization prove who used domain accounts, where remote administration occurred, what files were collected or staged, and whether data left the environment?
Technical view
SOC and IR teams should map coverage across the related behaviors: China Chopper web shell presence, use of Windows utilities such as Net, Ping, and netstat, Cobalt Strike-like post-exploitation activity, ToddyCat-associated Samurai, Ninja, LoFiSe, and Pcexter, and techniques including PowerShell, Windows command shell, WMI, scheduled tasks, SMB/admin shares, domain account and group discovery, file/directory discovery, local data collection, remote staging, and exfiltration-oriented tooling. Because official detection text is not provided, validation should rely on local telemetry testing, baseline comparisons, and correlation across identity, endpoint, network, and server logs rather than a single indicator.
Likely telemetry
- Endpoint process creation and command-line logging for PowerShell, cmd, Net, Ping, netstat, schtasks, and WMI-related execution
- Windows security events for domain account logons, privileged group queries, and remote authentication
- SMB/admin share access logs and file share auditing
- Scheduled task creation, modification, and execution records
- Web server logs and file integrity evidence relevant to web shell placement such as China Chopper
Detection direction
- Correlate discovery commands, domain enumeration, remote execution, SMB access, and file staging instead of treating each utility execution as independently malicious.
- Tune detections for unusual use of legitimate Windows administration tools by non-admin users, outside normal maintenance windows, or from atypical hosts.
- Validate visibility into WMI, PowerShell, command shell, and scheduled tasks; these are common blind spots when only basic endpoint logging is enabled.
- Review web-facing server monitoring for web shell indicators and unexpected server-side scripts or files, especially where China Chopper-like behavior would not require a victim host to call back.
- Use identity context to distinguish expected administration from suspicious domain account use, group discovery, and lateral movement.
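The correlation described in the detection direction above, as an added example that is not part of the original page or of any vendor tooling: it classifies Windows process-creation command lines against the behaviours ToddyCat is documented as using (the `net group`, `net user`, `tasklist`, `netstat`, `ping`, `wmic`, `netsh advfirewall`, hidden `powershell.exe`, and `xcopy` commands from the techniques table on this page), slides a 30-minute window over each (host, user) pair, and raises one alert only when several distinct behaviours cluster, or when an inbound firewall rule change appears alongside another listed behaviour. The admin account list, management host list, maintenance hours, thresholds, and all sample events are constructed assumptions for the example and would be replaced by local baselines.

```python
"""Correlate ToddyCat-style discovery, firewall, staging and hidden-shell
command lines across Windows process-creation events (e.g. Security 4688
with command-line auditing), instead of alerting on each utility run alone."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour categories keyed to the command lines listed on this page.
# Values are case-insensitive regular expressions over the command line.
CATEGORIES = {
    "domain_group_discovery":      r"\bnet1?\s+group\b.*/dom(ain)?\b",
    "domain_account_discovery":    r"\bnet1?\s+user\b.*/dom(ain)?\b",
    "process_discovery":           r"\btasklist\b",
    "net_connections_discovery":   r"\bnetstat\b",
    "remote_system_discovery":     r"\bping\b",
    "security_software_discovery": r"\bwmic\s+process\s+where\b.*avp\.exe",
    "firewall_rule_added":         r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b",
    "hidden_powershell":           r"\bpowershell(\.exe)?\b.*-w(indowstyle)?\s+hidden\b",
    "staging_or_archiving":        r"\b(xcopy|7za?|rar|winrar)\b",
}
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in CATEGORIES.items()}

# Local context (constructed for this example): accounts and hosts where
# administrative tooling is expected, and the hours of the maintenance window.
ADMIN_ACCOUNTS = {r"CORP\it-admin"}
ADMIN_HOSTS = {"SRV-MGMT-01"}
MAINTENANCE_HOURS = {22, 23, 0, 1}

WINDOW = timedelta(minutes=30)   # correlation window per (host, user)
MIN_CATEGORIES = 3               # distinct behaviours needed to alert


def classify(cmd):
    """Return the sorted list of behaviour categories a command line matches."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(cmd))


def context_flags(host, user, ts):
    """Identity, host and time context that separates routine admin from suspicious use."""
    flags = []
    if user not in ADMIN_ACCOUNTS:
        flags.append("non_admin_user")
    if host not in ADMIN_HOSTS:
        flags.append("atypical_host")
    if ts.hour not in MAINTENANCE_HOURS:
        flags.append("outside_maintenance_window")
    return flags


def detect(events):
    """Group classified events by (host, user) and slide WINDOW over them; alert
    when a window holds MIN_CATEGORIES distinct behaviours, or an inbound
    firewall rule change plus any other listed behaviour."""
    by_actor = defaultdict(list)
    for ev in events:
        cats = classify(ev["cmd"])
        if cats:   # events matching no category never enter the correlation
            by_actor[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), cats, ev["cmd"]))
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e[0])
        best = None
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            cats = set().union(*(set(e[1]) for e in in_window))
            if best is None or len(cats) > len(best[1]):
                best = (in_window, cats)
        window, cats = best
        firewall = "firewall_rule_added" in cats and len(cats) >= 2
        if len(cats) >= MIN_CATEGORIES or firewall:
            alerts.append({
                "host": host, "user": user,
                "first_seen": window[0][0].isoformat(),
                "categories": sorted(cats),
                "context": context_flags(host, user, window[0][0]),
                "commands": [e[2] for e in window],
            })
    return sorted(alerts, key=lambda a: a["host"])


# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2023-10-12T09:01:00", "host": "WS-FIN-07", "user": r"CORP\jsmith",
     "cmd": "cmd /c start /b tasklist"},
    {"ts": "2023-10-12T09:03:00", "host": "WS-FIN-07", "user": r"CORP\jsmith",
     "cmd": 'net group "domain admins" /dom'},
    {"ts": "2023-10-12T09:05:00", "host": "WS-FIN-07", "user": r"CORP\jsmith",
     "cmd": "netstat -anop tcp"},
    {"ts": "2023-10-12T09:06:00", "host": "WS-FIN-07", "user": r"CORP\jsmith",
     "cmd": "ping 10.0.3.15"},
    {"ts": "2023-10-12T09:20:00", "host": "WS-FIN-07", "user": r"CORP\jsmith",
     "cmd": r"powershell.exe -windowstyle hidden -File C:\Users\jsmith\AppData\Local\Temp\collect.ps1"},
    {"ts": "2023-10-12T09:40:00", "host": "WS-FIN-07", "user": r"CORP\jsmith",
     "cmd": r"xcopy C:\Users\jsmith\AppData\Local\Temp\out \\10.0.3.15\c$\tmp /E /Y"},
    # Routine administration from the management host during the maintenance window.
    {"ts": "2023-10-12T22:10:00", "host": "SRV-MGMT-01", "user": r"CORP\it-admin",
     "cmd": "ping 10.0.3.20"},
    {"ts": "2023-10-12T22:11:00", "host": "SRV-MGMT-01", "user": r"CORP\it-admin",
     "cmd": "net user bob /dom"},
    # A single discovery command on a workstation: not enough on its own.
    {"ts": "2023-10-12T11:02:00", "host": "WS-HR-02", "user": r"CORP\mlee",
     "cmd": "ping printer01"},
    # Inbound UDP firewall rule (command line from this page) followed by an AV check.
    {"ts": "2023-10-12T03:15:00", "host": "EXCH-01", "user": r"CORP\svc-iis",
     "cmd": 'cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683'},
    {"ts": "2023-10-12T03:16:00", "host": "EXCH-01", "user": r"CORP\svc-iis",
     "cmd": 'cmd /c wmic process where name="avp.exe"'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], alert["categories"], alert["context"])
```

Run against the constructed events, the workstation user who chains process, domain group, connection and remote host discovery with a hidden PowerShell launch is alerted with all three context flags, the Exchange host is alerted on the firewall rule plus the antivirus check, and the administrator's two commands from the management host during the maintenance window stay below the threshold. The `context` list is what an analyst would use to triage: the same five categories from an approved jump host, by an admin account, inside the window, would carry no flags and could be routed to a lower-priority queue rather than suppressed.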
Mitigation priorities
- Start with identity controls: least privilege for domain accounts, strong authentication where applicable, privileged access review, and monitoring of admin group membership and remote logons.
- Harden and monitor remote administration paths, especially SMB/admin shares, WMI, PowerShell, command shell, and scheduled tasks.
- Improve endpoint and server logging before relying on signatures, since the official ATT&CK object does not provide detection logic.
- Segment critical systems and restrict unnecessary lateral movement paths between workstations, servers, and sensitive file repositories.
- Strengthen web server hardening and file integrity monitoring where web shells would create durable access.
Analyst notes and limits
This take is based on the ATT&CK ToddyCat group object and its supplied relationships. The object describes ToddyCat as active since at least 2020, using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia, with references to Kaspersky reporting. Relationship context links the group to Windows-oriented tools and malware such as Samurai, Ninja, LoFiSe, Pcexter, China Chopper, Net, and Cobalt Strike, plus discovery, execution, lateral movement, credential/account abuse, collection, staging, and local data access techniques.
ATT&CK provides no official detection text, no group-level platforms, and no group-level tactics in the supplied fields. Related techniques include platforms beyond Windows, while several related software objects are Windows-focused; local asset scope must determine relevance. This summary does not establish current activity, attribution beyond the ATT&CK group object, customer exposure, or guaranteed detection coverage.
ToddyCat
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1686 | Disable or Modify System Firewall | Prior to executing a backdoor, ToddyCat has run `cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683` to allow the targeted system to receive UDP packets on port 49683. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1005 | Data from Local System | ToddyCat has run scripts to collect documents from targeted hosts. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | ToddyCat has executed `net group "domain admins" /dom` for discovery on compromised machines. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | ToddyCat has used scheduled tasks to execute discovery commands and scripts for collection. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | |
| Enterprise | T1087.002 | Domain Account Sub-technique | ToddyCat has run `net user %USER% /dom` for account discovery. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1095 | Non-Application Layer Protocol | ToddyCat has used a passive backdoor that receives commands with UDP packets. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | ToddyCat has used compromised domain admin credentials to mount local network shares. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1106 | Native API | ToddyCat has used `WinExec` to execute commands received from C2 on compromised hosts. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1057 | Process Discovery | ToddyCat has run `cmd /c start /b tasklist` to enumerate processes. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1018 | Remote System Discovery | ToddyCat has used `ping %REMOTE_HOST%` for post-exploit discovery. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1049 | System Network Connections Discovery | ToddyCat has used `netstat -anop tcp` to discover TCP connections to compromised hosts. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | ToddyCat has used locally mounted network shares for lateral movement through targeted environments. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | ToddyCat has used .bat scripts and `cmd` for execution on compromised hosts. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1190 | Exploit Public-Facing Application | ToddyCat has exploited the ProxyLogon vulnerability (CVE-2021-26855) to compromise Exchange Servers at multiple organizations. (Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | ToddyCat has used a Dropbox uploader to exfiltrate stolen files. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | ToddyCat can determine if Kaspersky software is running on an endpoint by running `cmd /c wmic process where name="avp.exe"`. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1059.001 | PowerShell Sub-technique | ToddyCat has used PowerShell scripts to perform post-exploit collection. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | ToddyCat has hidden malicious scripts using `powershell.exe -windowstyle hidden`. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1083 | File and Directory Discovery | ToddyCat has run scripts to enumerate recently modified documents having a .pdf, .doc, .docx, .xls, or .xlsx extension. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1074.002 | Remote Data Staging Sub-technique | ToddyCat has manually transferred collected files to an exfiltration host using xcopy. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1047 | Windows Management Instrumentation | ToddyCat has used WMI to execute scripts for post-exploit document collection. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | ToddyCat has used the name `debug.exe` for malware components. (Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1680 | Local Storage Discovery | ToddyCat has collected information on bootable drives, including model, vendor, and serial numbers. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | ToddyCat has leveraged xcopy, 7zip, and RAR to stage and compress collected documents prior to exfiltration. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
Groups, software, and campaigns
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S1101: LoFiSe
S0020: China Chopper
S0104: netstat
S0097: Ping
S1102: Pcexter
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S1099: Samurai
S1100: Ninja
Ninja is malware developed in C++ that has been used by ToddyCat to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post-exploitation toolkit used exclusively by ToddyCat and allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and has been observed in specific infection chains being deployed by Samurai.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 185e28022b0e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky ToddyCat June 2022: Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
- [2] Kaspersky ToddyCat Check Logs October 2023: Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
- [3] mitre-attack G1022
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.