ToddyCat – An Elusive APT Targets Microsoft Exchange Servers!


An Advanced Persistent Threat (APT) group, named ToddyCat, is believed behind a series of attacks targeting Microsoft Exchange servers of high-profile government & military installations in Asia & Europe.

The campaigns, according to researchers, began in Dec. 2020, & their complexity was poorly understood until recently.

The threat actor targets institutions & companies in Europe & Asia.


“The 1st wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 & 443,” wrote Giampaolo Dedola, Security Researcher at Kaspersky, in a report outlining the APT.

Researchers stated that ToddyCat is a relatively new APT & there is “little information about this actor.”

Passive Backdoors

The APT uses 2 passive backdoors within the Exchange Server environment with malware called Samurai & Ninja, which researchers say are used by the adversaries to take complete control of the victim’s hardware & network.

The Samurai malware was part of a multi-stage infection chain initiated by the infamous China Chopper web shell, which was used to drop exploits on selected Exchange servers in Taiwan & Vietnam from Dec. 2020, reports Kaspersky.

Multiple Modules

The researchers stated that the malware allows “arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network.”

In some cases, they explained, the Samurai backdoor lays the path to launch another malicious program called Ninja.


Aspects of ToddyCat’s threat activities were also tracked by cyber-security firm ESET, which dubbed the “cluster of activities” seen in the wild Websiic. Meanwhile, researchers at GTSC identified another part of the group’s infection methods & techniques in a report outlining the delivery of the malware’s dropper code.

“That said, as far as we know, none of the public accounts described sightings of the full infection chain or later stages of the malware deployed as part of this group’s operation,” Kaspersky wrote.

Multiple Strings of Attacks

During the period between Dec. 2020 & Feb. 2021, the 1st wave of attacks was conducted against a limited number of servers in Taiwan & Vietnam.

In the next period, between Feb. 2021 & May 2021, researchers observed a sudden surge in attacks. That’s when, they outlined, the threat actor began abusing the ProxyLogon vulnerability to target organisations in multiple countries including Iran, India, Malaysia, Slovakia, Russia & the UK.

After May 2021, the researchers observed activity attributed to the same group targeting the previously mentioned countries as well as military & Govt. organisations based in Indonesia, Uzbekistan & Kyrgyzstan. In this 3rd wave the attacks expanded to desktop systems, whereas previously the scope was limited to Microsoft Exchange Servers only.

Attack Sequence

The attack sequence begins with the deployment of the China Chopper web shell, which allows the dropper to execute, install the components & create multiple registry keys.

The registry modification made in the prior step forces “svchost” to load the malicious library “iiswmi.dll”, which in turn invokes the 3rd stage: a “.Net loader” that executes & opens the Samurai backdoor.
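A defender-side check for the svchost step described above, added here as an illustration (it is not code from the Kaspersky report or from any ToddyCat sample): it parses constructed `reg query` output for ServiceDll values, expands %SystemRoot% (assumed to be C:\Windows), and flags any service DLL loaded from outside System32 or carrying the iiswmi.dll name quoted in the article. The article does not list the exact registry keys the dropper creates, so the check audits the standard ServiceDll location that svchost-hosted services use; the ExampleSvc entry is made up.

```python
import re

# Constructed sample in the layout printed by
#   reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll
# (not telemetry from the incident; ExampleSvc is a made-up service).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\w32time.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\Update\iiswmi.dll
"""

SYSTEM_ROOT = r"C:\Windows"                      # assumed %SystemRoot%
TRUSTED_DIR = (SYSTEM_ROOT + r"\System32" + "\\").lower()
# Loader name taken from the article. A legitimate IIS component of the same
# name may exist on a web server, so a name hit is a review item (verify
# signature and hash), not a verdict.
WATCHLIST = {"iiswmi.dll"}

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
                    r"\\([^\\]+)\\Parameters$", re.I)
VAL_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)

def parse_service_dlls(text):
    """Map service name -> raw ServiceDll value from `reg query` output."""
    dlls, service = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            service = key.group(1)
            continue
        val = VAL_RE.match(line)
        if val and service:
            dlls[service] = val.group(1)
    return dlls

def audit_service_dlls(text):
    """Return (service, expanded path, reason) for every suspicious entry."""
    findings = []
    for service, raw in parse_service_dlls(text).items():
        path = re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, raw, flags=re.I)
        low = path.lower()
        if not low.startswith(TRUSTED_DIR):   # svchost DLL living outside System32
            findings.append((service, path, "ServiceDll outside System32"))
        if low.rsplit("\\", 1)[-1] in WATCHLIST:
            findings.append((service, path, "name matches loader from report"))
    return findings
```

On a live host, feed the real `reg query` output into `audit_service_dlls` and treat each finding as a lead to confirm against file signature, hash and creation time.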

According to the researchers, the Samurai backdoor is hard to analyse during reverse engineering because it uses “switch cases to jump between instructions, thus flattening the control flow” & applies camouflage techniques.


In these incidents, the advanced tool Ninja was deployed via Samurai so that multiple operators could co-ordinate & work simultaneously on the same machine. The researchers explained that Ninja provides a large set of commands allowing an attacker to “control remote systems, avoid detection & penetrate deep inside a targeted network.”

Ninja resembles other post-exploitation toolkits such as Cobalt Strike in terms of capabilities & features. It can “control the HTTP indicators & camouflage malicious traffic in HTTP requests that appear legitimate by modifying HTTP header & URL paths,” the researcher stated.

Activity Extends to Chinese APTs

The report also outlines that China-based hackers were targeting victims of the ToddyCat APT gang within the same time frame. In those cases, researchers observed the Chinese-speaking hackers using an Exchange backdoor called Funny Dream.

“This overlap caught our attention, since the ToddyCat malware cluster is rarely seen as per our telemetry; & we observed the same targets compromised by both APTs in three different countries. Moreover, in all the cases there was a proximity in the staging locations & in one case they used the same directory,” researchers wrote.

The security researchers say that, despite the ‘occasional proximity in staging locations,’ they have no solid evidence linking the 2 malware families.


“Despite the overlap, we do not feel confident merging ToddyCat with the Funny Dream cluster at the moment,” Kaspersky wrote. “Considering the high-profile nature of all the victims we discovered, it is likely they were of interest to several APT groups,” the report added.

“The affected organisations, both governmental & military, show that this group is focused on very high-profile targets & is probably used to achieve critical goals, likely related to geopolitical interests,” Kaspersky concluded.
