S1100: Ninja
Ninja is a malware developed in C++ that has been used by ToddyCat to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post exploitation toolkit exclusively used by ToddyCat and allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by Samurai.[1]
Analyst context for executives and security teams
Ninja is a Windows malware family associated in ATT&CK with ToddyCat and described as a C++ post-exploitation tool for penetrating networks and controlling remote systems. Its practical importance is not just the malware name: the mapped behaviors point to stealthy remote control, obfuscated command-and-control, host and network discovery, proxying, process injection, and Windows service persistence. For leaders, this is a reminder that coverage must be validated across endpoint, network, and incident response workflows, not only by file signatures.
Executive priority
Prioritize this as a post-compromise resilience scenario for Windows environments. Ask whether the organization can prove it collects the evidence needed to detect remote-control malware that blends into web traffic, uses proxy chains, hides artifacts, and persists as a service. The ATT&CK description references use against government and military entities in Europe and Asia and deployment by Samurai in specific infection chains, so threat intelligence teams should use this as context for sector and geography-aware prioritization without assuming local exposure.
Technical view
ATT&CK provides no official detection text for Ninja, so defenders should build behavior-based validation from the mapped relationships. The techniques in the table below fall into a few groups:
- Command and control: HTTP web protocols (T1071.001), protocol or service impersonation through customized headers and URL paths (T1001, T1001.003), base64 with a custom alphabet (T1132.002), XOR and AES encryption of messages (T1573.001), raw TCP forwarding (T1095), internal and multi-hop proxying of up to 255 hops (T1090.001, T1090.003), and agents restricted to configured time frames (T1029).
- Discovery: system, network configuration, process, file and directory, and local storage information (T1082, T1016, T1057, T1083, T1680).
- Stealth and defense evasion: encrypted or encoded and LZSS-compressed payloads (T1027.013, T1027.015), loader-side decryption and decompression (T1140), payload storage in the Registry under a key derived from the drive serial number (T1480.001), timestomping (T1070.006), legitimate-looking loader names such as update.dll and x64.dll (T1036.005), process injection (T1055), direct Windows API use (T1106), DLL side-loading through signed hosts such as VLC.exe (T1574.001), and rundll32 execution (T1218.011).
- Initial access and execution: delivery over Telegram (T1566.003), user execution of executables inside zip archives (T1204.002), and pipe-based redirection of standard input and output (T1559).
- Persistence: Windows services named httpsvc and w3esvc (T1543.003).
Because the object platform is Windows, validation should focus on Windows endpoint and network telemetry first.
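To make the environmental-keying point concrete, here is an added Python illustration (not Ninja's code and not derived from any sample): a payload is sealed under a key derived from a 32-bit volume serial, so a copy carved from the Registry cannot be decrypted in a sandbox whose serial differs. The derivation, stand-in cipher, check value and SALT are assumptions for the demo. It also shows the caveat that cuts the other way: if the keying value really is the 32-bit volume serial (the value `vol C:` prints), an analyst holding the blob and a known plaintext header can brute-force it offline, so IR should record the serial but is not stuck without it.

```python
"""Environmental keying (T1480.001), as an added illustration.

ATT&CK records that Ninja keeps its final payload in the Registry encrypted
with a key derived from the drive serial number. This toy reproduces only
the shape of that design: the derivation, cipher and check value below are
assumptions for the demo, not Ninja's implementation. It shows (a) why a
payload carved from a hive is opaque without the source host's serial, and
(b) that a 32-bit volume serial is a small key space when the plaintext
has a recognisable header.
"""
import hashlib
import hmac
from typing import Iterable, Optional

SALT = b"demo-salt"  # assumed constant; a real sample would embed its own


def derive_key(volume_serial: int) -> bytes:
    """Assumed derivation: SHA-256 over a constant and the 32-bit serial."""
    serial = (volume_serial & 0xFFFFFFFF).to_bytes(4, "little")
    return hashlib.sha256(SALT + serial).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, used as a stand-in cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(payload: bytes, volume_serial: int) -> bytes:
    """Encrypt payload under the host-bound key; prefix a 4-byte MAC so a
    wrong key is detectable instead of yielding silent garbage."""
    key = derive_key(volume_serial)
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:4]
    ks = keystream(key, len(payload))
    return tag + bytes(p ^ k for p, k in zip(payload, ks))


def unseal(blob: bytes, volume_serial: int) -> Optional[bytes]:
    """Return the plaintext, or None when the serial does not match."""
    key = derive_key(volume_serial)
    tag, ct = blob[:4], blob[4:]
    pt = bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))
    expected = hmac.new(key, pt, hashlib.sha256).digest()[:4]
    return pt if hmac.compare_digest(tag, expected) else None


def brute_force_serial(blob: bytes, candidates: Iterable[int],
                       known_prefix: bytes = b"MZ") -> Optional[int]:
    """Offline recovery when IR did not capture the serial: try candidate
    serials and accept the first whose MAC verifies and whose plaintext
    starts with an expected header (a PE file starts with 'MZ'). The full
    32-bit space is about 4.3e9 trials, tractable for a patient analyst."""
    for serial in candidates:
        pt = unseal(blob, serial)
        if pt is not None and pt.startswith(known_prefix):
            return serial
    return None


if __name__ == "__main__":
    host_serial = 0x1A2B3C4D  # what `vol C:` would print as 1A2B-3C4D
    blob = seal(b"MZ\x90\x00fake payload", host_serial)
    print("right serial :", unseal(blob, host_serial))
    print("wrong serial :", unseal(blob, host_serial + 1))
    found = brute_force_serial(seal(b"MZ demo", 12345), range(20000))
    print("recovered    :", found)
```

Run as a script to see the three cases; the search over 20,000 candidates stands in for the full 2^32 sweep, and the `MZ` prefix check is what keeps a MAC collision from being accepted as a hit.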
Likely telemetry
- Windows endpoint process creation, command-line, parent-child process, and module/DLL load telemetry, especially for rundll32 invocations and for signed applications such as VLC.exe loading DLLs from user-writable locations
- Windows service creation, modification, service image path, recovery command, and related Registry configuration evidence, including the reported service names httpsvc and w3esvc
- EDR or host sensor evidence for process injection, suspicious native API use, and cross-process memory activity
- Registry write telemetry, including values created under HKLM\SOFTWARE\Classes\Interface\, where the encrypted payload is reported to be stored
- File creation and modification telemetry, including compressed, encrypted, encoded, or newly decoded artifacts and executables extracted from zip archives delivered through messaging applications
- Filesystem timestamp evidence, including anomalies consistent with timestomping where available
- Network telemetry for HTTP egress, raw TCP sessions, and internal host-to-host connections that could carry proxied C2
Detection direction
- Do not rely on a Ninja-specific signature alone; validate detections against the mapped ATT&CK behaviors because no official detection guidance is supplied.
- Correlate weak signals: discovery activity followed by obfuscated outbound traffic, service creation, Rundll32 execution, process injection indicators, or suspicious file timestamp changes is more meaningful than any single event.
- Tune Windows service and Rundll32 analytics carefully because both have legitimate administrative use; prioritize unusual paths, unexpected parents, rare command lines, and recent file creation or modification context.
- For C2, look for web traffic that does not behave like normal web traffic, non-standard encoding, protocol impersonation, internal proxying, or unexpected non-application-layer communications.
- Account for blind spots: encrypted or encoded payloads, compression, environmental keying, and timestomping can reduce the value of static file inspection and simple timestamp review.
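Correlating the weak signals above, as an added example that is not part of the ATT&CK object or Kaspersky's reporting: the Python below walks constructed Sysmon-shaped events (hostnames, paths, timestamps and the libvlc.dll name are fabricated for the demo) and flags a host only when two or more distinct Ninja-mapped behaviors occur within a one-hour window. The loader names update.dll and x64.dll, the VLC.exe side-loading host and the service names httpsvc and w3esvc come from the technique table on this page; the trusted-directory list, signal names and window are assumptions to tune locally.

```python
"""Weak-signal correlation for Ninja-style tradecraft (added example).

Scores each host on behaviours ATT&CK maps to Ninja: rundll32 executing a
loader from a user-writable path or using the reported loader names
update.dll / x64.dll (T1218.011, T1036.005), a signed media player such as
vlc.exe loading an unsigned DLL from outside Program Files (T1574.001), and
a service install named httpsvc / w3esvc or pointing outside trusted
directories (T1543.003). Field names follow Sysmon's naming; the events,
hosts and paths are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
NINJA_LOADER_NAMES = {"update.dll", "x64.dll"}      # from the technique table
NINJA_SERVICE_NAMES = {"httpsvc", "w3esvc"}          # from the technique table
SIDELOAD_HOSTS = {"vlc.exe"}                         # signed host named in reporting


def norm(path: str) -> str:
    return path.strip().strip('"').lower().replace("/", "\\")


def in_trusted_dir(path: str) -> bool:
    return norm(path).startswith(TRUSTED_DIRS)


def first_path(cmd: str) -> str:
    """First executable token of a command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return norm(cmd[1:cmd.find('"', 1)])
    return norm(cmd.split(None, 1)[0]) if cmd else ""


def rundll32_module(cmdline: str) -> str:
    """DLL rundll32 was asked to load: the text after the rundll32 image and
    before the first comma (which introduces the export name)."""
    rest = cmdline.strip()
    if rest.startswith('"'):
        rest = rest[rest.find('"', 1) + 1:]
    else:
        rest = rest.split(None, 1)[1] if " " in rest else ""
    return norm(rest.split(",", 1)[0])


def signals_for(event: dict) -> list:
    kind = event["EventType"]
    out = []
    if kind == "ProcessCreate" and norm(event["Image"]).endswith("\\rundll32.exe"):
        module = rundll32_module(event["CommandLine"])
        if module.rsplit("\\", 1)[-1] in NINJA_LOADER_NAMES or not in_trusted_dir(module):
            out.append("rundll32_loader_from_untrusted_or_known_name")
    elif kind == "ImageLoad":
        host_img = norm(event["Image"]).rsplit("\\", 1)[-1]
        unsigned = event.get("Signed", "").lower() == "false"
        if host_img in SIDELOAD_HOSTS and unsigned and not in_trusted_dir(event["ImageLoaded"]):
            out.append("possible_dll_sideload")
    elif kind == "ServiceInstall":
        name = event["ServiceName"].lower()
        binary = first_path(event["ImagePath"])
        if binary.endswith("rundll32.exe"):
            binary = rundll32_module(event["ImagePath"])
        if name in NINJA_SERVICE_NAMES or not in_trusted_dir(binary):
            out.append("suspicious_service_install")
    return out


def correlate(events: list) -> dict:
    """host -> [(time, signal, event)] in time order."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        for s in signals_for(e):
            by_host[e["Computer"]].append((datetime.fromisoformat(e["UtcTime"]), s, e))
    return by_host


def triage(events: list, window: timedelta = timedelta(hours=1), min_distinct: int = 2) -> dict:
    """Hosts with at least `min_distinct` different signal types inside `window`."""
    flagged = {}
    for host, hits in correlate(events).items():
        for i, (t0, _, _) in enumerate(hits):
            kinds = {s for t, s, _ in hits[i:] if t - t0 <= window}
            if len(kinds) >= min_distinct:
                flagged[host] = sorted(kinds)
                break
    return flagged


SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"Computer": "WS-0142", "UtcTime": "2024-03-04T09:12:01", "EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\update.dll,Start",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS-0142", "UtcTime": "2024-03-04T09:12:07", "EventType": "ImageLoad",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\vlc\\vlc.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\vlc\\libvlc.dll", "Signed": "false"},
    {"Computer": "WS-0142", "UtcTime": "2024-03-04T09:14:30", "EventType": "ServiceInstall",
     "ServiceName": "httpsvc", "ImagePath": "C:\\Users\\Public\\httpsvc.exe"},
    {"Computer": "WS-0007", "UtcTime": "2024-03-04T09:30:00", "EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS-0007", "UtcTime": "2024-03-04T09:31:00", "EventType": "ServiceInstall",
     "ServiceName": "WinDefend", "ImagePath": "\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\""},
]

if __name__ == "__main__":
    for host, kinds in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(kinds))
```

WS-0007 shows why the rules are gated on path and name rather than on rundll32 or service installs alone: its rundll32 call loads shell32.dll from System32 and its service binary sits under Program Files, so neither produces a signal.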
Mitigation priorities
- Start with telemetry assurance: confirm Windows endpoint, service, process, file, and network egress logging are collected and retained long enough for incident response.
- Harden persistence and execution paths by monitoring and controlling service creation/modification, Rundll32 abuse, and execution from suspicious or user-writable locations.
- Improve egress control and network visibility for web protocols, protocol impersonation, internal proxying, and unusual non-application-layer communications.
- Use endpoint controls capable of observing process injection and suspicious native API behavior, not only file reputation.
- Strengthen user-driven execution defenses and response processes for malicious-file execution scenarios.
Analyst notes and limits
This take is based on ATT&CK S1100, its official description, the Kaspersky external reference, and the supplied relationships. The most decision-useful pattern is Ninja’s role as Windows post-exploitation malware with relationships spanning C2 obfuscation, discovery, stealth, execution, proxying, and persistence. Local prioritization should consider whether the organization resembles the referenced target context, but sector references should not be interpreted as exclusive targeting.
ATT&CK supplies no official detection section, no aliases, no specified tactics on the malware object itself, and no environment-specific indicators here. The related techniques provide behavioral direction but do not prove that every behavior will appear in every intrusion. Local telemetry, baselines, and incident evidence are required to assess exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File | |
| Enterprise | T1095 | Non-Application Layer Protocol | Ninja can forward TCP packets between the C2 and a remote host. (Kaspersky ToddyCat June 2022; Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Ninja has used legitimate looking filenames for its loader including update.dll and x64.dll. (Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1016 | System Network Configuration Discovery | Ninja can enumerate the IP address on compromised systems. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1566.003 | Spearphishing via Service | Ninja has been distributed to victims via the messaging app Telegram. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1204.002 | Malicious File | Ninja has gained execution through victims opening malicious executable files embedded in zip archives. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1083 | File and Directory Discovery | Ninja has the ability to enumerate directory content. (Kaspersky ToddyCat June 2022; Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1106 | Native API | The Ninja loader can call Windows APIs for discovery, process injection, and payload decryption. (Kaspersky ToddyCat June 2022; Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1573.001 | Symmetric Cryptography | Ninja can XOR and AES encrypt C2 messages. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1029 | Scheduled Transfer | Ninja can configure its agent to work only in specific time frames. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1574.001 | DLL | Ninja loaders can be side-loaded with legitimate and signed executables including the VLC.exe media player. (Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1082 | System Information Discovery | Ninja can obtain the computer name and information on the OS from targeted hosts. (Kaspersky ToddyCat June 2022; Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | The Ninja loader component can decrypt and decompress the payload. (Kaspersky ToddyCat June 2022; Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1001 | Data Obfuscation | Ninja has the ability to modify headers and URL paths to hide malicious traffic in HTTP requests. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1090.003 | Multi-hop Proxy | Ninja has the ability to use a proxy chain with up to 255 hops when using TCP. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1480.001 | Environmental Keying | Ninja can store its final payload in the Registry under `$HKLM\SOFTWARE\Classes\Interface\` encrypted with a dynamically generated key based on the drive’s serial number. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1090.001 | Internal Proxy | Ninja can proxy C2 communications including to and from internal agents without internet connectivity. (Kaspersky ToddyCat June 2022; Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1680 | Local Storage Discovery | Ninja can obtain information on physical drives from targeted hosts. (Kaspersky ToddyCat June 2022; Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1218.011 | Rundll32 | Ninja loader components can be executed through rundll32.exe. (Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1055 | Process Injection | Ninja has the ability to inject an agent module into a new process and arbitrary shellcode into running processes. (Kaspersky ToddyCat June 2022; Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1543.003 | Windows Service | Ninja can create the services `httpsvc` and `w3esvc` for persistence. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1057 | Process Discovery | Ninja can enumerate processes on a targeted host. (Kaspersky ToddyCat June 2022; Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1001.003 | Protocol or Service Impersonation | Ninja has the ability to mimic legitimate services with customized HTTP URL paths and headers to hide malicious traffic. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1071.001 | Web Protocols | Ninja can use HTTP for C2 communications. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1027.015 | Compression | Ninja has compressed its data with the LZSS algorithm. (Kaspersky ToddyCat June 2022; Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1070.006 | Timestomp | Ninja can change or create the last access or write times. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1559 | Inter-Process Communication | Ninja can use pipes to redirect the standard input and the standard output. (Kaspersky ToddyCat June 2022) |
| Enterprise | T1132.002 | Non-Standard Encoding | Ninja can encode C2 communications with a base64 algorithm using a custom alphabet. (Kaspersky ToddyCat June 2022) |
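As an added worked example for the T1132.002 and T1001.003 rows (illustrative code, not Ninja's implementation; CUSTOM is a constructed permutation, not Ninja's table): custom-alphabet base64 is ordinary base64 bit-packing followed by a symbol substitution, so once the 64-byte table is pulled from the loader the standard library decodes it. When the table is not in hand, one known plaintext-ciphertext pair recovers the symbols that occur in it, which is often enough to read the other beacons in the same capture.

```python
"""Custom-alphabet base64 (T1132.002), as an added worked example.

Ninja is reported to encode C2 traffic with base64 over a custom alphabet.
Below: how such an encoding is produced, how to decode it once the
64-symbol table is pulled from the sample, and how to recover the table
from one known plaintext when the binary is not available. CUSTOM is a
constructed permutation for the demo; Ninja's real table is not on the page.
"""
import base64
import string

STANDARD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
CUSTOM = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+"  # constructed


def _table(src: str, dst: str) -> dict:
    if len(set(src)) != 64 or len(set(dst)) != 64:
        raise ValueError("a base64 alphabet needs 64 distinct symbols")
    return str.maketrans(src, dst)


def custom_b64encode(data: bytes, alphabet: str = CUSTOM) -> str:
    """Standard base64 bit-packing, then a symbol substitution."""
    return base64.b64encode(data).decode("ascii").translate(_table(STANDARD, alphabet))


def custom_b64decode(text: str, alphabet: str = CUSTOM) -> bytes:
    """Undo the substitution, then let the stdlib unpack the bits.
    '=' padding is assumed unchanged, which is the common case."""
    return base64.b64decode(text.translate(_table(alphabet, STANDARD)), validate=True)


def recover_mapping(known_plaintext: bytes, observed: str) -> dict:
    """Known-plaintext recovery of the table: align the standard encoding of a
    message we know (e.g. a beacon body seen in a sandbox) with the bytes seen
    on the wire and read off standard->custom symbol pairs. Only symbols that
    actually occur are learned; an inconsistent pair means this is not a plain
    alphabet substitution (extra XOR, compression, ...)."""
    expected = base64.b64encode(known_plaintext).decode("ascii")
    if len(expected) != len(observed):
        raise ValueError("length mismatch: not a plain base64 variant")
    mapping = {}
    for e, o in zip(expected, observed):
        if e == "=":
            if o != "=":
                raise ValueError("padding symbol differs; not handled here")
            continue
        if mapping.setdefault(e, o) != o:
            raise ValueError(f"inconsistent mapping for {e!r}")
    return mapping


def decode_with_mapping(observed: str, mapping: dict):
    """Decode with a (possibly partial) standard->custom mapping; returns None
    when the message uses a symbol the mapping has not learned yet."""
    inverse = {v: k for k, v in mapping.items()}
    try:
        std = "".join("=" if c == "=" else inverse[c] for c in observed)
    except KeyError:
        return None
    return base64.b64decode(std, validate=True)


def printable_ratio(data: bytes) -> float:
    """Cheap triage: a base64-shaped token that decodes, with the standard
    alphabet, to mostly unprintable bytes is either encrypted or uses a custom
    alphabet. Both deserve a second look in traffic that claims to be plain web
    requests; the ratio alone cannot tell the two apart."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


if __name__ == "__main__":
    beacon = b"GET /api/v1/status?id=demo"          # constructed known plaintext
    wire = custom_b64encode(beacon)
    print("on the wire        :", wire)
    print("std-decode printable:", round(printable_ratio(base64.b64decode(wire)), 2))
    table = recover_mapping(beacon, wire)
    print("learned", len(table), "of 64 symbols ->", decode_with_mapping(wire, table))
```

Because a permuted alphabet still uses the standard 64 characters, a charset check will not catch it; the printable-ratio heuristic and the known-plaintext recovery are what remain when the loader binary is not available.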
Groups, software, and campaigns
G1022: ToddyCat
Object version and sync metadata
The fields below describe the current mirrored snapshot. Where Glexia retains several ATT&CK source imports, the same object can be compared across releases by object version, MITRE modification timestamp, and raw hash.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 6f9565ea5e9a… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky ToddyCat June 2022: Dedola, G. (2022, June 21). APT ToddyCat. Kaspersky. Retrieved January 3, 2024.
[2] MITRE ATT&CK: Ninja (S1100).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.