Threat Actor

ToddyCat

toddycat · china · active since 2020-12

ToddyCat (Websiic / Storm-0247 / G1022) is a suspected China-aligned advanced persistent threat group operationally active since at least December 2020, first publicly disclosed by Kaspersky GReAT (Giampaolo Dedola) on June 21, 2022 after over 18 months of undetected operations.

Despite consistent China-speaking-actor TTPs, victim overlap with FunnyDream operators, and target-profile alignment with PRC regional intelligence priorities, no formal government attribution has been published; Kaspersky explicitly noted that it could not attribute the cluster to other known actors.

Initial targeting (December 22, 2020) compromised three organizations' Microsoft Exchange servers in Taiwan and Vietnam using an unidentified vulnerability (likely pre-disclosure ProxyLogon access, given infection-chain reuse). Aggressive ProxyLogon-based expansion into Europe and Asia started February 26, 2021 (Russia, India, Iran, UK, Indonesia, Uzbekistan, Kyrgyzstan added 2021-2022), and in September 2021 the group expanded from Exchange servers to desktop systems of government and diplomatic entities in Central Asia via Telegram-delivered Ninja-trojan ZIP archives.

Tradecraft hallmarks include: the Samurai signature passive C# .NET HTTPListener backdoor on ports 80/443 executing runtime-decrypted C# source code; the Ninja C++ post-exploitation toolkit with a collaborative multi-operator design and Cobalt-Strike-like pivot listeners with Malleable-C2-like camouflage profiles; registry manipulation forcing svchost.exe to load Samurai at startup; DLL side-loading via VLC media player; a passive UDP backdoor; a multi-tunnel access-resilience architecture (reverse SSH + SoftEther VPN + Ngrok cloud-infrastructure C2 redirection); Bring Your Own Vulnerable Driver via the TCESB tool exploiting ESET security scanners; industrial-scale data-theft tooling (TomBerBil PowerShell credential harvester from domain controllers, Cuthead file-search and archive collection, WAExp WhatsApp Web browser local-storage exfiltration, TCSectorCopy direct volume access bypassing Outlook PST/OST file locks, SharpTokenFinder M365 OAuth 2.0 token theft); executable masquerading (VPN servers renamed as Kaspersky or Lenovo updates); AES-128 payload encryption; and scheduled-task-driven recurring collection. Targets are overwhelmingly government, diplomatic, and military entities, including defense contractors, across Asia-Pacific, Central Asia, and Europe, with Kaspersky in April 2024 characterizing the cluster as conducting industrial-scale data theft.

Attribution: China (confidence: high) · 9 aliases · MITRE ATT&CK: G1022

Profile

ToddyCat (Websiic / Storm-0247 / G1022) is a suspected China-aligned advanced persistent threat group operationally active since at least December 2020, first publicly disclosed by Kaspersky GReAT (Giampaolo Dedola) on June 21, 2022 after over 18 months of undetected operations. Despite consistent China-speaking-actor TTPs, victim overlap with confirmed Chinese clusters (notably FunnyDream operators), and target-profile alignment with PRC regional intelligence priorities, no formal government attribution has been published; Kaspersky explicitly noted in its initial disclosure that the cluster could not be attributed to other known actors.

Initial targeting (December 22, 2020) compromised three organizations' Microsoft Exchange servers in Taiwan and Vietnam using an unidentified Exchange vulnerability, likely pre-disclosure ProxyLogon access given the infection-chain reuse with later confirmed ProxyLogon operations. Starting February 26, 2021, the group expanded aggressively via publicly disclosed ProxyLogon (CVE-2021-26855 et al.) into high-profile organizations across Europe and Asia (Russia, India, Iran, UK, Indonesia, Uzbekistan, Kyrgyzstan added 2021-2022). In September 2021 the group expanded from Exchange servers to desktop systems of government and diplomatic entities in Central Asia via Telegram-delivered Ninja-trojan ZIP archives, a significant tradecraft shift to direct individual targeting via messaging applications.

Tradecraft hallmarks distinguish ToddyCat as a mid-to-high-sophistication China-aligned cluster with distinctive operational creativity:

(a) The Samurai backdoor, ToddyCat's signature passive C# backdoor, uses the .NET HTTPListener class to receive HTTP POST requests on ports 80/443 and executes encrypted C# source code that is decrypted and compiled at runtime. Its modular architecture supports lateral movement, file exfiltration, and proxy connections. Heavy obfuscation with control-flow flattening and case-statement jumps defeats reverse engineering.

(b) The Ninja trojan, ToddyCat's signature C++ post-exploitation toolkit, is possibly part of an unknown post-exploitation framework exclusive to the cluster. It features a collaborative multi-operator design (multiple attackers working simultaneously on the same compromised machine), Cobalt-Strike-like pivot listeners (limiting direct external connections from compromised networks), and Malleable-C2-like profiles for HTTP/HTTPS camouflage with modifiable headers and URL paths to mimic legitimate traffic.

(c) Registry manipulation forcing svchost.exe to load the Samurai backdoor at startup (T1112 + T1547): durable persistence under a trusted Windows process.

(d) DLL side-loading via legitimate applications including VLC media player (T1574.002).

(e) A passive UDP backdoor as an additional signature implant, listening for incoming UDP packets on a specific port (T1095).

(f) Multi-tunnel access-resilience architecture: reverse SSH tunnels (T1021.004), SoftEther VPN (supporting OpenVPN, L2TP/IPSec, and other protocols), and the Ngrok agent for cloud-infrastructure C2 redirection. Multiple simultaneous tunnels ensure access even if any single tunnel is discovered.

(g) Bring Your Own Vulnerable Driver (BYOVD): the TCESB tool exploits vulnerabilities in ESET security scanners, targeting security software itself as a defense-evasion vector (relatively rare tradecraft even among state-actor clusters).

(h) Industrial-scale data-theft tooling: TomBerBil (Chrome/Edge/Firefox PowerShell credential harvester from domain controllers), Cuthead (file search and archive collection by extension or keyword), WAExp (WhatsApp Web browser local-storage exfiltration capturing profile details, chat data, phone numbers, and session data), TCSectorCopy (direct volume access bypassing file locks on Outlook PST/OST data, T1006), and SharpTokenFinder (Microsoft 365 OAuth 2.0 token theft, T1528).

(i) Executable masquerading: renaming VPN-server executables to resemble Kaspersky or Lenovo updates (T1036.005), changing OpenSSH private keys to .ini or .dat extensions to hide their nature, and AES-128 payload encryption.

(j) Scheduled-task-driven recurring collection (T1053.005): periodic execution of discovery and data-collection commands rather than continuous beaconing, blending into normal enterprise scheduled-task traffic.

Targets are overwhelmingly government, diplomatic, and military entities, including defense contractors, across Asia-Pacific, Central Asia, and Europe. Per Kaspersky (April 2024), the cluster conducts industrial-scale data theft from these target classes. ToddyCat is among the most operationally creative China-aligned clusters in the public corpus despite the absence of formal government attribution and the limited public information about the cluster's command-and-control operators.
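A defender-side hunt for the two Samurai patterns described in (a) and (c), added here as an example; it is not code from Kaspersky's reporting or from any ToddyCat tooling. The System32 allow-list and the parsing of the netsh state dump are assumptions to tune for your estate.

```powershell
# Added hunting snippet (not from the profile's sources). Run as Administrator.
#  1. svchost-hosted services whose ServiceDll resolves outside System32
#     (registry-driven loading of a DLL into svchost.exe at startup).
#  2. Processes attached to HTTP.sys request queues, which is where a .NET
#     HttpListener on 80/443 surfaces. Caveat: Get-NetTCPConnection attributes
#     HTTP.sys sockets to PID 4 (System), so a plain port listing hides the
#     real owner; the netsh state dump lists the attached process IDs.
$systemRoot  = $env:SystemRoot
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Find-ServiceDllOutsideSystem32 {
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $paramKey = Join-Path $_.PSPath 'Parameters'
        $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { return }
        $resolved = [Environment]::ExpandEnvironmentVariables($dll)
        # Assumption: legitimate svchost groups load from %SystemRoot%\System32.
        if ($resolved -notlike "$systemRoot\System32\*") {
            [PSCustomObject]@{ Check = 'ServiceDll outside System32'
                               Service = $_.PSChildName; Value = $resolved }
        }
    }
}

function Get-HttpSysAttachedProcesses {
    # Parsing heuristic (assumption): under "Process IDs:" netsh prints one bare
    # PID per line; registered prefixes appear as HTTP://... or HTTPS://... lines.
    $dump = netsh http show servicestate view=requestq verbose=yes
    $urls = @(); $pids = @()
    foreach ($line in $dump) {
        if     ($line -match '^\s*(HTTPS?://\S+)\s*$') { $urls += $Matches[1] }
        elseif ($line -match '^\s+(\d+)\s*$')           { $pids += [int]$Matches[1] }
    }
    foreach ($procId in ($pids | Sort-Object -Unique)) {
        $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
        [PSCustomObject]@{ Check = 'HTTP.sys request queue owner'; ProcessId = $procId
                           Process = $p.ProcessName; Path = $p.Path
                           Prefixes = ($urls | Sort-Object -Unique) -join ' ' }
    }
}

# Review the owners against expected HTTP.sys users (IIS w3wp.exe, WinRM/WSD
# svchost groups); an unexplained process serving 80/443 deserves a closer look.
Find-ServiceDllOutsideSystem32 | Format-Table -AutoSize
Get-HttpSysAttachedProcesses   | Format-List
```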

Aliases

9 aliases: toddycat, toddy_cat, toddy cat, websiic, storm-0247, storm 0247, storm_0247, funnydream_overlap, g1022

Notable Campaigns

9 campaigns:
2025-2026: Sustained Government-and-Defense Operations (2025-2026)
2024-2025: TCESB BYOVD ESET-Scanner Exploitation (2024-2025)
2024: Industrial-Scale Data Theft Disclosure (Kaspersky April 2024)
2024: Microsoft 365 OAuth Token Theft Pivot (2024)
2023: ToddyCat: Keep Calm and Check Logs (Kaspersky October 12, 2023)
2022: Kaspersky Initial Public Disclosure (June 21, 2022)
2021: ProxyLogon Rapid Expansion (February 26, 2021+)
2021: Central Asia Desktop Systems Expansion (September 2021)
2020: Initial Microsoft Exchange Targeting (December 22, 2020)

Attribution & Reporting

Attributed by: Kaspersky GReAT, Kaspersky Lab, Microsoft Threat Intelligence Center (MSTIC), Trend Micro, SOC Prime, Picus Security, SecurityScorecard, SecurityWeek, Dark Reading, Bleeping Computer, The Hacker News, CSO Online, Ionut Arghire (SecurityWeek), Securelist (Kaspersky), MITRE (G1022 designation)

Key reporting:
Kaspersky GReAT / Securelist: ToddyCat, Unveiling an Unknown APT Actor Attacking High-Profile Entities in Europe and Asia (Giampaolo Dedola, June 21, 2022)
Kaspersky GReAT / Securelist: ToddyCat, Keep Calm and Check Logs (Giampaolo Dedola et al., October 12, 2023)
Kaspersky GReAT / Securelist: ToddyCat Traffic Tunneling and Data-Extraction Tools (April 2024)
Kaspersky GReAT / Securelist: ToddyCat TCESB Stealth Execution via ESET (2024-2025)
Kaspersky Press Release: ToddyCat, An Advanced Threat Actor Targets High-Profile Entities with New Malware (June 2022)
SOC Prime: ToddyCat APT Targets Microsoft Exchange Servers to Deploy Samurai Backdoor and Ninja Trojan (June 2022)
Picus Security: Dissecting ToddyCat Cyber Espionage and MITRE TTPs
SecurityWeek: New ToddyCat APT Targets High-Profile Entities in Europe, Asia (Ionut Arghire, June 22, 2022)
Dark Reading: ToddyCat APT Is Stealing Data on Industrial Scale (April 2024)
CSO Online: APT Actor ToddyCat Hits Government and Military Targets in Europe and Asia (Lucian Constantin, June 22, 2022)
Bleeping Computer: ToddyCat APT Stealing Data on Industrial Scale (April 2024)
The Hacker News: Researchers Uncover ToddyCat APT Group (June 2022)
Security Scientist: ToddyCat G1022 APT Group, 12 Key Questions Answered
MITRE ATT&CK: Group G1022 ToddyCat
MITRE ATT&CK: Software S1099 Samurai
MITRE ATT&CK: Software S1100 Ninja
Malpedia: ToddyCat Actor Profile
Council on Foreign Relations: ToddyCat Cyber Operations Tracker
EuRepoC: APT Profile, ToddyCat

Operational

State sponsor

Suspected China-aligned advanced persistent threat group. Vendor reporting (Kaspersky, Trend Micro, Picus, SOC Prime) consistently observes Chinese-speaking-actor TTPs, victim overlap with confirmed Chinese APT clusters (notably FunnyDream operators), and target-profile alignment with PRC regional intelligence priorities, but no formal government attribution to a specific PRC ministry or unit has been published. Kaspersky's June 2022 initial disclosure explicitly noted inability to attribute the cluster to other known actors despite victim overlap with Chinese-speaking groups.

Motivations: espionage, intelligence gathering, government intelligence, military intelligence, geopolitical collection, long-term access positioning, industrial-scale data theft, credential harvesting, browser data theft, Microsoft 365 token theft

Detection Blind Spots

60 techniques mapped. Across this actor's 60 mapped techniques, the share covered by each detection layer; low bars are where you'd be blind if this actor targeted you.

Behavioral / log (Sigma): 56/60 (93%)
Analytics (MITRE CAR): 32/60 (53%)
Runtime / container (Falco): 5/60 (8%)
File / malware (YARA): 0/60 (0%)
Network (Suricata/Snort): 12/60 (20%)
Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques. Runnable Atomic Red Team tests cover this actor's mapped techniques, so you can validate your detections against this specific adversary; cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

11 tools mapped to ATT&CK.
Other tooling / TTPs (curation, not ATT&CK-mapped): METERPRETER, SHARPTOKENFINDER, SHARP TOKEN FINDER, SOFTETHER, SOFTETHER VPN
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin