ToddyCat APT unveiled

Multiple attacks detected since December 2020 against high-profile entities in Europe and Asia have finally been attributed to a new Advanced Persistent Threat (APT) actor. Little information about the group has been gathered so far, but its distinguishing trait is the use of 2 previously unknown tools named “Samurai Backdoor” and “Ninja Trojan”.

Since its start in December 2020, this threat actor has compromised selected Exchange Servers in Taiwan and Vietnam using an unknown exploit that led to the creation of the well-known China Chopper web shell, which in turn was used to initiate a multi-stage infection chain. Numerous components, including custom loaders, were used in the final execution stage to run the Samurai passive backdoor. Only 3 organizations were targeted at first by the group behind ToddyCat APT, but the count rose as the group exploited the ProxyLogon vulnerability to compromise multiple servers across Europe and Asia.

It is suspected that the group started exploiting Exchange Servers in December 2020, but the available information is insufficient to confirm this. The Samurai passive backdoor, a sophisticated backdoor that typically listens on ports 80 and 443, was used to compromise Microsoft Exchange Servers, which were the only targets of the first wave of attacks.

During the second wave, researchers observed a sudden surge in attacks. It was in this period that the attackers exploited the ProxyLogon vulnerability.

In the third wave, the attack surface expanded to include desktop systems, whereas the first two waves affected only Microsoft Exchange Servers.

Credits: Kaspersky

Security researchers say that only a little information is available about this threat actor.

As mentioned earlier in this blog, the APT deploys 2 passive backdoors, Samurai and Ninja, in the Exchange server environment and takes complete control of the victim’s hardware and network. The Samurai malware uses multiple modules that allow the attackers to control remote systems and move freely within the targeted network. In some cases, the Samurai backdoor paves the way for launching another malicious program called Ninja.

The affected governmental and military organizations show that this group focuses on highly prominent targets and is likely employed to accomplish important objectives, most probably connected to geopolitical interests.