
Threat Actor Characterization

ToddyCat

ID: 4efdbedc4258546a01f44fb762b1b32490944
Tags: Cybercrime, Cyber Espionage, Cybercriminal, Malware Dev
Threat types: Intrusion, Cyber Espionage
Origin: Unknown; countries: TWN, VNM
Updated: 2026-01-13
Created: 2025-10-22
Operation zone: Taiwan, Vietnam
Aliases: none registered.
MITRE ATT&CK®

ToddyCat (G1022) — espionage actor active since 2020 that compromised Microsoft Exchange servers to stage a multistage chain using China Chopper web shells, a .NET Samurai backdoor with HTTPListener C2, and a Ninja post-exploitation toolkit enabling proxy-based pivoting and large-scale data theft across government/military/telecom targets in Asia and Europe.


Technique | Technique name | Tactics | Evidence
T1190 | Exploit Public-Facing Application | TA0001
  • 2020-12 to 2021-03 — Initial Exchange exploitation (unknown exploit, then ProxyLogon escalation) as entry to deploy web shell and loaders.
T1505.003 | Web Shell | TA0003
  • 2020-12 — China Chopper web shell used on compromised Exchange servers to bootstrap multistage infection.
T1105 | Ingress Tool Transfer | TA0011
  • 2020-12 to 2022-06 — Custom droppers/loaders install Samurai backdoor and modules; later waves also deliver loaders to desktops.
T1059.003 | Windows Command Shell | TA0002
  • 2022-06-21 — Samurai modules invoke cmd.exe for tasking (e.g., remote command module).
T1090 | Proxy | TA0011
  • 2022-06-21 — Samurai/Ninja provide internal proxying to pivot to internal services/ports and limit direct C2.
T1071.001 | Web Protocols | TA0011
  • 2022-06-21 — Samurai uses .NET HTTPListener to process crafted HTTP/HTTPS POST requests with encrypted tasks.
T1041 | Exfiltration Over C2 Channel | TA0010
  • 2022-06-21 — Samurai supports file enumeration and exfiltration over the established web C2 channel.
Strategic Intelligence
Last updated: 2025-10-22T22:31:27+00:00
ToddyCat — Multistage Espionage Targeting Exchange & Government Networks

CLASSIFICATION: Unclassified / Open Source


Executive Summary

ToddyCat is a sophisticated espionage actor active since late 2020, targeting government, military, and telecommunications entities across Asia and Europe. The group’s hallmark is a multistage chain that initially compromised Microsoft Exchange servers (first with an unknown exploit, then rapidly via ProxyLogon), deploying the China Chopper web shell and staging a custom Samurai backdoor and Ninja post-exploitation toolkit. Samurai uses .NET HTTPListener to receive crafted POSTs containing encrypted C# snippets that are compiled at runtime; Ninja enables collaborative, deep post-exploitation (pivoting, lateral control, and traffic camouflage). Campaigns and tooling were first documented in depth by Kaspersky (2022), with later updates from the same vendor; MITRE formalized the cluster as G1022 in 2024. Capability: medium-high; OPSEC: mature; Confidence: high (multi-source).
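The chain above, and the ATT&CK rows for T1505.003 and T1059.003, give a defender two process-lineage hunts: a command shell spawned by the Exchange IIS worker (web-shell tasking) and the C# compiler launched by a process that has no business building code (a backdoor compiling snippets at runtime). The Python below is an added example, not part of this profile or of any vendor report; it runs both checks over constructed Sysmon-style records, and the allowlist of compiler parents, the sample paths and the `.cmdline` response-file heuristic (the way CodeDom drives csc.exe) are assumptions to tune locally.

```python
import ntpath

# Constructed, Sysmon-like process-creation records (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "cmdline": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"pid": 5310, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": "cmd /c whoami"},
    {"pid": 5402, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\ProgramData\update.exe",
     "cmdline": r"csc.exe /noconfig /fullpaths @C:\Windows\Temp\x7q2.cmdline"},
    {"pid": 5500, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"csc.exe /noconfig @C:\build\app.rsp"},
    {"pid": 5601, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
]

# IIS worker process: on Exchange it hosts OWA/ECP, so a shell it spawns is web-shell tasking.
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
# Parents that legitimately run the compiler (assumption: tune to the estate's build tooling).
# w3wp.exe is deliberately not listed: ASP.NET dynamic compilation can trigger it, but so can a web shell.
COMPILER_ALLOWED_PARENTS = {"msbuild.exe", "devenv.exe", "aspnet_compiler.exe"}


def _base(path):
    """Lower-cased file name from a Windows path."""
    return ntpath.basename(path).lower()


def hunt(events):
    """Return one finding per suspicious event, in input order."""
    findings = []
    for ev in events:
        image, parent = _base(ev["image"]), _base(ev["parent_image"])
        if image in SHELLS and parent == IIS_WORKER:
            findings.append({"pid": ev["pid"], "rule": "shell-from-iis-worker",
                             "techniques": ["T1505.003", "T1059.003"]})
        elif image in COMPILERS and parent not in COMPILER_ALLOWED_PARENTS:
            # CodeDom/CSharpCodeProvider drives csc.exe through a temporary *.cmdline response file,
            # the trace a backdoor that compiles received C# at runtime leaves behind.
            findings.append({"pid": ev["pid"], "rule": "runtime-csharp-compile",
                             "codedom_like": ".cmdline" in ev["cmdline"].lower(),
                             "parent": parent})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Feed it real Sysmon Event ID 1 records (Image, ParentImage, CommandLine) and the two findings from the constructed set are the lineages worth pivoting on.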


Public sources do not firmly attribute ToddyCat to a specific state; vendors describe it as a previously unknown APT with bespoke tooling and sustained focus on state-linked targets. INFERENCE: targeting and cadence are consistent with state-aligned intelligence collection (confidence: medium).
