S1101: LoFiSe
Analyst context for executives and security teams
LoFiSe is a Windows malware entry associated in ATT&CK with identifying and collecting files of interest on targeted systems. Its business significance is data-risk triage: if this behavior appears during an incident, leaders should assume the adversary may be locating, staging, and preparing sensitive local files for removal, even where ATT&CK does not provide a separate exfiltration behavior for this object.
Executive priority
Prioritize readiness around sensitive-data discovery and collection on Windows endpoints. This object matters for incident scoping, legal/compliance evidence, and business continuity because file discovery, local data collection, staging, archiving, and DLL abuse can determine whether an intrusion is merely access or a potential data-loss event. Executives should ask whether SOC and IR teams can prove what files were accessed, copied, staged, or archived on affected hosts.
Technical view
Validate Windows endpoint coverage for the related behaviors: Data from Local System (T1005), Local Data Staging (T1074.001), File and Directory Discovery (T1083), Automated Collection (T1119), Archive Collected Data (T1560), and DLL abuse (T1574.001). Because ATT&CK provides no detection text for LoFiSe, detection engineering should focus on behavior chains rather than a single malware signature: unusual file enumeration, bulk file access or copying, creation of staging directories or consolidated files, archive creation around sensitive paths, and suspicious DLL loading or side-loading patterns on Windows systems.
Likely telemetry
- Windows endpoint process execution and command-line telemetry
- File system access, copy, creation, rename, and deletion events
- Archive file creation and compression/encryption utility execution
- Directory traversal or high-volume file enumeration activity
- DLL load events, module path metadata, and unsigned or unexpected DLL placement
Detection direction
- Correlate discovery followed by collection, staging, and archiving rather than alerting only on individual file-listing commands, which may be noisy.
- Tune for abnormal access to sensitive directories, unusual file type targeting, or bulk copy activity by uncommon processes on Windows endpoints.
- Review DLL search-order, side-loading, or unexpected DLL load patterns in directories writable by users or adjacent to unusual executables.
- Separate administrator, backup, indexing, and software deployment activity from suspicious collection behavior to reduce false positives.
- Use relationship context to build an incident timeline: discovery (T1083) preceding local collection (T1005/T1119), staging (T1074.001), archiving (T1560), and possible DLL abuse (T1574.001).
Mitigation priorities
- Confirm least-privilege access to sensitive local files and reduce unnecessary local data exposure on Windows systems.
- Harden endpoint controls around execution from user-writable paths and suspicious DLL loading behavior.
- Ensure EDR and logging retain enough file, process, and module-load evidence to support post-incident data exposure assessment.
- Limit and monitor use of compression and scripting utilities where feasible, especially on systems containing sensitive data.
- Prepare IR playbooks that include file-access scoping, staging-location searches, archive identification, and evidence preservation.
Analyst notes and limits
ATT&CK identifies LoFiSe as used by ToddyCat since at least 2023 to identify and collect files of interest. The strongest defensive value is mapping this software to collection and discovery behaviors, then validating whether the organization can observe and reconstruct those behaviors on Windows endpoints.
The supplied ATT&CK object has no official detection guidance, no aliases, and no explicit tactics listed on the malware object. Relationship context supplies relevant techniques, but local telemetry, baselines, and forensic evidence are required to determine whether activity is malicious or whether data was actually exfiltrated.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1560 | Archive Collected Data | LoFiSe can collect files into password-protected ZIP archives for exfiltration. [1] |
| Enterprise | T1083 | File and Directory Discovery | LoFiSe can monitor the file system to identify files less than 6.4 MB in size with file extensions including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .odt, .ods, .odp, .eml, and .msg. [1] |
| Enterprise | T1574.001 | DLL | LoFiSe has been executed as a file named DsNcDiag.dll through side-loading. [1] |
| Enterprise | T1074.001 | Local Data Staging | LoFiSe can save files to be evaluated for further exfiltration in the `C:\Programdata\Microsoft\` and `C:\windows\temp\` folders. [1] |
| Enterprise | T1005 | Data from Local System | LoFiSe can collect files of interest from targeted systems. [1] |
| Enterprise | T1119 | Automated Collection | LoFiSe can collect all the files from the working directory every three hours and place them into a password-protected archive for further exfiltration. [1] |
Groups, software, and campaigns
G1022: ToddyCat
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | df0aac1be751… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky ToddyCat Check Logs October 2023: Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
- [2] mitre-attack S1101
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.