
S1102: Pcexter

Pcexter is an uploader that has been used by ToddyCat since at least 2023 to exfiltrate stolen files.[1]

Enterprise | S1102 | Malware | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Pcexter matters because it is described as a Windows uploader used to exfiltrate stolen files. For leaders, the practical issue is not the malware name alone, but whether the organization can prove it would notice sensitive file discovery, local data collection, DLL abuse, and outbound transfer to cloud storage before data loss becomes an incident-response and disclosure problem.

Executive priority

Treat Pcexter as a data-loss readiness test case. Security leaders should ask whether SOC, cloud security, and incident response teams have usable evidence for Windows host activity, file access patterns, DLL loading behavior, and outbound cloud-storage traffic. This is relevant to business continuity, legal/compliance evidence, and incident decision-making because the ATT&CK relationship context centers on discovery, collection, and exfiltration rather than only initial access.

Technical view

The official object has no ATT&CK detection text, so validation should be relationship-driven. For Windows environments, confirm visibility for File and Directory Discovery (T1083), Data from Local System (T1005), Exfiltration to Cloud Storage (T1567.002), and DLL abuse (T1574.001). SOC teams should correlate unusual file enumeration or access with process lineage, DLL load activity, and network connections to cloud storage services. IR teams should be prepared to scope what files were accessed and whether outbound transfers occurred.

Likely telemetry

  • Windows endpoint process execution and process lineage
  • File and directory access or enumeration events where available
  • DLL load and image/module load telemetry
  • Endpoint security alerts or EDR observations for suspicious uploader-like behavior
  • Network proxy, firewall, DNS, and TLS metadata for outbound cloud-storage connections

Detection direction

  • Do not rely on malware name matching alone; the supplied ATT&CK object does not provide detection logic.
  • Tune for sequences: file/directory discovery followed by local file access and outbound transfer to cloud storage from the same host or user context.
  • Review false positives from legitimate backup, sync, administrative collection, and sanctioned cloud-storage tools.
  • Validate DLL monitoring coverage on Windows, especially where side-loading or unusual DLL load paths could be material.
  • Confirm whether cloud-storage traffic is attributable to host, user, process, and destination; lack of process-to-network correlation is a likely blind spot.
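As an added example (not MITRE's or Glexia's code), the sequence rule above, written as a small correlation over constructed endpoint telemetry: per host and process, a file enumeration followed within a window by a local file read and a connection to a cloud-storage domain (T1083, T1005, T1567.002), plus a separate check for the side-loaded DLL name the page reports (T1574.001). The domain list, the trusted DLL directories and the sanctioned-process allowlist are assumptions to tune per environment.

```python
from datetime import datetime, timedelta

# Destinations and names used by the rule. The DLL name is the one reported for
# Pcexter on this page; the domain and directory lists are assumptions to tune.
CLOUD_STORAGE_DOMAINS = ("onedrive.com", "onedrive.live.com", "graph.microsoft.com")
SIDELOAD_DLL_NAMES = ("vspmsg.dll",)
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SANCTIONED_SYNC_PROCS = ("onedrive.exe",)   # legitimate sync tools to suppress
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry, not real logs: (timestamp, host, process, kind, detail)
SAMPLE_EVENTS = [
    ("2024-01-03T09:01:00", "WS01", "vsp.exe", "image_load", r"C:\Users\Public\Vspmsg.dll"),
    ("2024-01-03T09:02:00", "WS01", "vsp.exe", "file_enum", r"C:\Users\alice\Documents"),
    ("2024-01-03T09:03:00", "WS01", "vsp.exe", "file_read", r"C:\Users\alice\Documents\q4.xlsx"),
    ("2024-01-03T09:04:00", "WS01", "vsp.exe", "net_conn", "api.onedrive.com"),
    ("2024-01-03T10:00:00", "WS02", "OneDrive.exe", "file_enum", r"C:\Users\bob\OneDrive"),
    ("2024-01-03T10:01:00", "WS02", "OneDrive.exe", "net_conn", "api.onedrive.com"),
    ("2024-01-03T11:00:00", "WS03", "explorer.exe", "file_enum", r"C:\Users\carol"),
    ("2024-01-03T13:00:00", "WS03", "explorer.exe", "net_conn", "api.onedrive.com"),
]

def parse(raw):
    ts, host, proc, kind, detail = raw
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc.lower(), "kind": kind, "detail": detail}

def is_cloud_storage(fqdn):
    return fqdn.lower().endswith(CLOUD_STORAGE_DOMAINS)

def detect(raw_events):
    """Return (host, process, technique_label) findings, one per matched pattern."""
    findings, by_host = [], {}
    for e in sorted((parse(r) for r in raw_events), key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for e in evs:
            path = e["detail"].lower()
            # T1574.001: a watch-listed DLL name loaded from outside trusted system directories
            if (e["kind"] == "image_load" and path.rsplit("\\", 1)[-1] in SIDELOAD_DLL_NAMES
                    and not path.startswith(TRUSTED_DLL_DIRS)):
                findings.append((host, e["proc"], "T1574.001 DLL side-load: " + e["detail"]))
            # T1083 -> T1005 -> T1567.002 by the same process within WINDOW, sanctioned sync tools excluded
            if e["kind"] == "file_enum" and e["proc"] not in SANCTIONED_SYNC_PROCS:
                later = [x for x in evs if x["proc"] == e["proc"]
                         and e["ts"] <= x["ts"] <= e["ts"] + WINDOW]
                if (any(x["kind"] == "file_read" for x in later)
                        and any(x["kind"] == "net_conn" and is_cloud_storage(x["detail"]) for x in later)):
                    findings.append((host, e["proc"], "T1083>T1005>T1567.002 discovery-collect-upload"))
    return findings
```

Only WS01 fires on the constructed input: WS02 is the sanctioned sync client and WS03's upload falls outside the window with no file read in between, which is the false-positive shape the bullets above warn about.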

Mitigation priorities

  • Prioritize least-privilege access to sensitive local files and repositories so a compromised endpoint has less data to collect.
  • Restrict and monitor unsanctioned cloud-storage use where business requirements allow.
  • Harden Windows endpoint controls around suspicious DLL loading behavior and untrusted executable paths.
  • Ensure incident response playbooks include file-access scoping and exfiltration assessment, not just malware removal.
  • Maintain logging retention sufficient to reconstruct discovery, collection, and outbound transfer activity.

Analyst notes and limits

MITRE identifies Pcexter as an uploader used by ToddyCat since at least 2023 to exfiltrate stolen files, with relationships to T1005, T1083, T1567.002, and T1574.001. The strongest defensive value is using those relationships to test whether data staging and exfiltration behaviors are visible across endpoint, network, and cloud-control planes.

The ATT&CK object provides no official detection guidance, no aliases, and no tactics directly on the malware object. Local conclusions require environment-specific telemetry, baselines for legitimate cloud storage and file access, and any available indicators from the cited external reporting.

Official MITRE ATT&CK definition

Pcexter

Pcexter is an uploader that has been used by ToddyCat since at least 2023 to exfiltrate stolen files.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1083 | File and Directory Discovery | Pcexter has the ability to search for files in specified directories. [1]
Enterprise | T1567.002 | Exfiltration to Cloud Storage (sub-technique) | Pcexter can upload stolen files to OneDrive storage accounts via HTTP `POST`. [1]
Enterprise | T1574.001 | DLL (sub-technique) | Pcexter has been distributed and executed as a DLL file named Vspmsg.dll via DLL side-loading. [1]
Enterprise | T1005 | Data from Local System | Pcexter can upload files from targeted systems. [1]

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1022: ToddyCat

ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.[1][2]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK Resources: Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6c5b6d6d418f003f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 6c5b6d6d418f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Kaspersky ToddyCat Check Logs October 2023: Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Kaspersky. Retrieved January 3, 2024.
  2. [2] mitre-attack S1102: MITRE ATT&CK, S1102: Pcexter.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.