Kaspersky reports on TTPs used by the cyberespionage group ToddyCat, an APT with little history and not currently attributed to any country. ToddyCat uses LoFiSe and PcExter for collecting and exfiltrating files. They used a reverse SSH tunnel to maintain access, the server utility (VPN Server) from SoftEther VPN, the Ngrok agent and Krong (proxy), the FRP client (fast reverse proxy), a new tool called Cuthead for data collection, WAExp (WhatsApp data stealer), and TomBerBil for stealing passwords from browsers. IOCs included. 🔗 https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/

#ToddyCat #cyberespionage #APT #threatintel #IOC

ToddyCat is making holes in your infrastructure

We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts.

Kaspersky
@simontsui Good report, thx for sharing. Interesting how fastidious the threat actors were about maintaining persistence. Three separate and independent remote access methods!
@deepthoughts10 I had to go back to the original article to see any mentions of China. After the iSoon leaks, I suspect ToddyCat is yet another hackers-for-hire company in China's private industry.