Multiple threats detected from December 2020 against high-profile entities in Europe and Asia are finally traced to be responsible by a new Advanced Persistent Threat (APT) actor. Not much information about this is not yet gathered but its noticeable signs are the use of 2 previously unknown tools named “Samurai Backdoor” and “Ninja Trojan”.

Since its start in December 2020, this threat managed to compromise selected Exchange Servers in Taiwan and Vietnam with the use of an unknown exploit leading to the creation of the well-known China Chopper Web Shell, which in turn used to initiate a multi-stage infection chain. Numerous components including custom loaders were found to be used in the final execution stage of passive backdoor samurai. Only 3 organizations were targeted at first by the group behind ToddyCat APT. But the count raised with the group exploiting the ProxyLogon vulnerability to compromise multiple servers across Europe and Asia.

It is suspected that the group started exploiting Exchange Servers in December 2020, but the information to confirm this is insufficient. The Samurai passive backdoor, a sophisticated backdoor that typically operates on ports 80 and 443, was used to hack Microsoft Exchange Servers, which were the only targets of the first wave of attacks.

During the period of the second wave, researchers found a sudden surge in the attacks. It is at this time the backdoor exploited the ProxyLogon vulnerability.

The attack surface in the third wave is noted the third wave increases the attack surface to include desktop systems, whereas the first two waves solely affected Microsoft Exchange Servers.