The cyber espionage group ToddyCat has been identified as a persistent threat that compromises Microsoft Exchange servers worldwide. Active since at least December 2020, ToddyCat initially targeted organizations in Taiwan and Vietnam. In early 2021 its operational scope expanded sharply when it began exploiting the widely abused ProxyLogon vulnerability chain in Exchange (CVE-2021-26855 and related flaws), hitting numerous organizations across Europe and Asia.
This shift allowed ToddyCat to move from regional intrusions to an international campaign. The group runs a diversified attack infrastructure and several malware families: the widely used China Chopper web shell, dropped on exploited Exchange servers to keep a foothold, and the Samurai backdoor for longer-term control. By September 2021 the group had been observed distributing the Ninja Trojan loader via Telegram to compromise desktop systems in Central Asia.
More recently, in 2024, research indicates that ToddyCat has introduced increasingly complex tools, such as TCESB, specifically designed to exploit vulnerabilities within security products, signaling a continuous evolution in their capabilities and a drive to bypass existing defenses. Analysts from Picus Security have highlighted the group’s intricate methods for maintaining persistent access and conducting surveillance within target environments. The threat actors are adept at combining various execution techniques to evade detection and ensure operational security throughout their campaigns.
Credential Harvesting and Defense Evasion by ToddyCat
ToddyCat’s persistence relies on a solid understanding of Windows security mechanisms. The group frequently uses scheduled tasks to run its data collection tools on a timer. Those tasks commonly launch PowerShell with an execution-policy bypass, for example powershell -exec bypass -command c445.ps1, so that scripts staged in directories such as ProgramData run repeatedly. The bypass flag only sets the policy for that one process, which is all an attacker needs: PowerShell's execution policy is a safety feature for administrators, not a security boundary, so defenders should alert on the flag rather than rely on the policy.
Their defense evasion techniques are particularly noteworthy, including the Bring Your Own Vulnerable Driver (BYOVD) method. The actor loads a legitimately signed but vulnerable driver, such as Dell's DBUtilDrv2.sys, and uses its flaw to read and write kernel memory; with that primitive it can tamper with kernel structures that security products depend on, gaining elevated privileges and blinding monitoring. ToddyCat also relies heavily on DLL side-loading: a malicious DLL is placed where a trusted, signed executable resolves a library by name, so the loader picks it up instead of (or before) the legitimate copy. The malicious DLL forwards the expected exports to the real library so the host application keeps working, while its own payload runs under the identity of a trusted process.
Methods for Accessing Sensitive Information
For credential access, ToddyCat targets the saved passwords of popular browsers such as Chrome, Firefox, and Edge. Rather than scraping process memory, the tooling reads the on-disk credential stores: the “Login Data” SQLite database used by Chromium-based browsers and Firefox's “logins.json”, collected systematically by PowerShell scripts. Because the stored secrets are encrypted with keys tied to the victim's Windows logon (DPAPI in the Chromium case), collection typically has to run in the user's own session, which is why it is paired with the scheduled-task execution described above. The group also harvests OAuth tokens from Microsoft 365 applications, which can grant access to cloud resources without ever touching the user's password.
Once collection finishes, the data is packed into password-protected WinRAR archives before being exfiltrated over the group's command and control channels. This combination of staged collection, encrypted archiving and robust evasion underscores the threat ToddyCat poses to enterprise environments. The ongoing development of TCESB, for instance, shows a deliberate effort to find and exploit weaknesses in the security software itself.
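The tradecraft laid out in the preceding paragraphs (scheduled tasks launching PowerShell with an execution-policy bypass, the vulnerable-driver load, DLL side-loading, reads of browser credential stores and password-protected RAR archives) maps onto a small set of hunting rules. The script below is an added example written for this page, not code from ToddyCat, Picus Security or any vendor. The event records are constructed and only loosely mirror Sysmon process-create, driver-load and image-load events plus a Windows file-access audit; the file names, directories and the `DBUtilDrv2.sys` entry come from the text above, while the directory lists, browser names and the `-hp`/`-p` WinRAR switches are assumptions an analyst would tune for their own environment.

```python
"""Toy hunting rules for the ToddyCat tradecraft described above.

Added illustration only: events are constructed, field layout loosely mirrors
Sysmon plus a file-access audit, and the heuristics are starting points.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    kind: str                  # "process" | "driverload" | "imageload" | "fileaccess"
    image: str = ""            # process executable
    cmdline: str = ""          # full command line (process events)
    target: str = ""           # loaded driver/DLL or accessed file path
    image_signed: bool = True  # code-signing status of `image`
    target_signed: bool = True # code-signing status of `target`


# Driver and file names taken from the article; the rest are assumed baselines.
VULN_DRIVERS = {"dbutildrv2.sys"}
CRED_FILES = ("\\login data", "\\logins.json")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_ROOTS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _under(path: str, roots) -> bool:
    return any(path.lower().startswith(r) for r in roots)


def rule_powershell_bypass(ev: Event) -> Optional[str]:
    """Execution-policy bypass running a .ps1 out of ProgramData."""
    if ev.kind != "process" or _base(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return None
    cl = ev.cmdline.lower()
    # powershell.exe accepts -ep and any unambiguous prefix of -ExecutionPolicy (-ex, -exec, ...)
    if re.search(r"-(?:ep|ex\w*)\s+bypass", cl) and "programdata" in cl and ".ps1" in cl:
        return f"execution-policy bypass running script from ProgramData: {ev.cmdline}"
    return None


def rule_schtasks_powershell(ev: Event) -> Optional[str]:
    """Scheduled task created with a PowerShell action."""
    if ev.kind != "process" or _base(ev.image) != "schtasks.exe":
        return None
    cl = ev.cmdline.lower()
    if "/create" in cl and "/tr" in cl and "powershell" in cl:
        return f"scheduled task with PowerShell action: {ev.cmdline}"
    return None


def rule_byovd(ev: Event) -> Optional[str]:
    """Known-vulnerable driver, or any driver loaded from outside the system directories."""
    if ev.kind != "driverload":
        return None
    if _base(ev.target) in VULN_DRIVERS:
        return f"known vulnerable driver loaded: {ev.target}"
    if not _under(ev.target, SYSTEM_DIRS):
        return f"driver loaded from non-system path: {ev.target}"
    return None


def rule_sideload(ev: Event) -> Optional[str]:
    """Signed process loads an unsigned DLL from an untrusted directory (side-loading candidate)."""
    if ev.kind != "imageload" or not ev.target.lower().endswith(".dll"):
        return None
    if ev.image_signed and not ev.target_signed and not _under(ev.target, TRUSTED_ROOTS):
        return f"{_base(ev.image)} (signed) loaded unsigned {ev.target}"
    return None


def rule_browser_creds(ev: Event) -> Optional[str]:
    """Non-browser process reading a browser credential store."""
    if ev.kind != "fileaccess" or not ev.target.lower().endswith(CRED_FILES):
        return None
    if _base(ev.image) not in BROWSERS:
        return f"{_base(ev.image)} read {ev.target}"
    return None


def rule_rar_encrypted(ev: Event) -> Optional[str]:
    """WinRAR archive created with a password (-pSECRET or -hpSECRET, header encryption)."""
    if ev.kind != "process" or _base(ev.image) not in {"rar.exe", "winrar.exe"}:
        return None
    if re.search(r"\s-h?p\S", ev.cmdline):
        return f"password-protected archive created: {ev.cmdline}"
    return None


RULES = [rule_powershell_bypass, rule_schtasks_powershell, rule_byovd,
         rule_sideload, rule_browser_creds, rule_rar_encrypted]


def hunt(events):
    """Return (rule name, detail) for every event that trips a rule, in event order."""
    return [(rule.__name__, d) for ev in events for rule in RULES if (d := rule(ev))]


# Constructed sample telemetry (not real ToddyCat artefacts); paths are illustrative.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"powershell -exec bypass -command C:\ProgramData\c445.ps1"),
    Event("process", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r'schtasks /create /tn Collector /sc minute /mo 30 /tr "powershell -exec bypass -command C:\ProgramData\c445.ps1"'),
    Event("driverload", target=r"C:\ProgramData\DBUtilDrv2.sys"),
    Event("imageload", image=r"C:\ProgramData\tool\legit.exe",
          target=r"C:\ProgramData\tool\version.dll", image_signed=True, target_signed=False),
    Event("fileaccess", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target=r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("process", image=r"C:\Program Files\WinRAR\rar.exe",
          cmdline=r"rar.exe a -hpPassw0rd C:\ProgramData\out.rar C:\ProgramData\loot"),
    # benign control: Chrome reading its own credential store trips nothing
    Event("fileaccess", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target=r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for name, detail in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Each rule is deliberately narrow and independent; the value comes from correlating them on one host within a short window (a scheduled task spawning PowerShell, a non-browser process opening “Login Data”, then rar.exe with a password switch), which is the chain the article describes. The side-loading and out-of-place-driver heuristics will be noisy on hosts with portable or oddly installed software, so they are best used as hunting leads with an allow-list rather than as blocking rules.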
The continuous evolution of ToddyCat’s tactics, techniques, and procedures indicates a sustained and adaptive threat to organizations relying on Microsoft Exchange and other networked systems. The group’s ability to leverage both known vulnerabilities like ProxyLogon and potentially unknown zero-day exploits, coupled with sophisticated evasion and data exfiltration methods, necessitates ongoing vigilance and adaptation of defensive strategies by cybersecurity professionals.

