S1100: Ninja
Ninja is a malware developed in C++ that has been used by ToddyCat to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post-exploitation toolkit exclusively used by ToddyCat and allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by Samurai.[1]
Analyst context for executives and security teams
Ninja is a Windows malware family associated in ATT&CK with ToddyCat and described as a C++ post-exploitation tool for penetrating networks and controlling remote systems. Its practical importance is not just the malware name: the mapped behaviors point to stealthy remote control, obfuscated command-and-control, host and network discovery, proxying, process injection, and Windows service persistence. For leaders, this is a reminder that coverage must be validated across endpoint, network, and incident response workflows, not only by file signatures.
Executive priority
Prioritize this as a post-compromise resilience scenario for Windows environments. Ask whether the organization can prove it collects the evidence needed to detect remote-control malware that blends into web traffic, uses proxy chains, hides artifacts, and persists as a service. The ATT&CK description references use against government and military entities in Europe and Asia and deployment by Samurai in specific infection chains, so threat intelligence teams should use this as context for sector and geography-aware prioritization without assuming local exposure.
Technical view
ATT&CK provides no official detection text for Ninja, so defenders should build behavior-based validation from the relationships. Key areas are command-and-control over web protocols, protocol or service impersonation, non-standard encoding, non-application-layer protocols, internal and multi-hop proxying; discovery of system, network, process, file, and directory information; stealth through encoded/encrypted or compressed files, deobfuscation, timestomping, masqueraded names or locations, process injection, native API use, Rundll32 abuse, and environmental keying; execution via malicious files; and persistence or privilege escalation through Windows services. Because the object platform is Windows, validation should focus on Windows endpoint and network telemetry first.
Likely telemetry
- Windows endpoint process creation, command-line, parent-child process, and module/DLL execution telemetry, especially for Rundll32 patterns
- Windows service creation, modification, service image path, recovery command, and related Registry configuration evidence
- EDR or host sensor evidence for process injection, suspicious native API use, and cross-process memory activity
- File creation and modification telemetry, including compressed, encrypted, encoded, or newly decoded artifacts
- Filesystem timestamp evidence, including anomalies consistent with timestomping where available
Detection direction
- Do not rely on a Ninja-specific signature alone; validate detections against the mapped ATT&CK behaviors because no official detection guidance is supplied.
- Correlate weak signals: discovery activity followed by obfuscated outbound traffic, service creation, Rundll32 execution, process injection indicators, or suspicious file timestamp changes is more meaningful than any single event.
- Tune Windows service and Rundll32 analytics carefully because both have legitimate administrative use; prioritize unusual paths, unexpected parents, rare command lines, and recent file creation or modification context.
- For C2, look for web traffic that does not behave like normal web traffic, non-standard encoding, protocol impersonation, internal proxying, or unexpected non-application-layer communications.
- Account for blind spots: encrypted or encoded payloads, compression, environmental keying, and timestomping can reduce the value of static file inspection and simple timestamp review.
Mitigation priorities
- Start with telemetry assurance: confirm Windows endpoint, service, process, file, and network egress logging are collected and retained long enough for incident response.
- Harden persistence and execution paths by monitoring and controlling service creation/modification, Rundll32 abuse, and execution from suspicious or user-writable locations.
- Improve egress control and network visibility for web protocols, protocol impersonation, internal proxying, and unusual non-application-layer communications.
- Use endpoint controls capable of observing process injection and suspicious native API behavior, not only file reputation.
- Strengthen user-driven execution defenses and response processes for malicious-file execution scenarios.
Analyst notes and limits
This analysis is based on ATT&CK S1100, its official description, the Kaspersky external reference, and the supplied relationships. The most decision-useful pattern is Ninja’s role as Windows post-exploitation malware with relationships spanning C2 obfuscation, discovery, stealth, execution, proxying, and persistence. Local prioritization should consider whether the organization resembles the referenced target context, but sector references should not be interpreted as exclusive targeting.
ATT&CK supplies no official detection section, no aliases, no specified tactics on the malware object itself, and no environment-specific indicators here. The related techniques provide behavioral direction but do not prove that every behavior will appear in every intrusion. Local telemetry, baselines, and incident evidence are required to assess exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Ninja has used legitimate-looking filenames for its loader, including update.dll and x64.dll. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | |
| Enterprise | T1204.002 | Malicious File Sub-technique | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1106 | Native API | |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1029 | Scheduled Transfer | |
| Enterprise | T1574.001 | DLL Sub-technique | Ninja loaders can be side-loaded with legitimate and signed executables, including the VLC.exe media player. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1001 | Data Obfuscation | |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | |
| Enterprise | T1480.001 | Environmental Keying Sub-technique | |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | |
| Enterprise | T1680 | Local Storage Discovery | |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Ninja loader components can be executed through rundll32.exe. (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1055 | Process Injection | |
| Enterprise | T1543.003 | Windows Service Sub-technique | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1001.003 | Protocol or Service Impersonation Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1027.015 | Compression Sub-technique | |
| Enterprise | T1070.006 | Timestomp Sub-technique | |
| Enterprise | T1559 | Inter-Process Communication | |
| Enterprise | T1132.002 | Non-Standard Encoding Sub-technique | |
Groups, software, and campaigns
G1022: ToddyCat
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 6f9565ea5e9a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky ToddyCat June 2022: Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
- [2] mitre-attack S1100
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.