September 30, 2023

An APT group dubbed ToddyCat has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year, since at least December 2020.

Researchers also discovered an unknown passive backdoor, which they named Samurai, and a new trojan dubbed Ninja Trojan.

Both malware strains allow the attackers to take control of infected systems and move laterally within the victims' networks.


ToddyCat's attacks have also been observed exploiting the ProxyLogon Exchange flaws, which allowed the group to gain remote code execution on vulnerable servers and deploy China Chopper web shells.

The group was not aggressive at first, but it escalated its attacks after it began to scan for and target unpatched Microsoft Exchange servers across Europe and Asia with ProxyLogon exploits.

Infection Chain

  1. Dropper
  2. DLL loader
  3. .NET loader
  4. Samurai backdoor / Ninja trojan

The first wave of attacks (between December 2020 and February 2021) targeted only a small number of government organizations in Vietnam and Taiwan. The next wave (between February 2021 and May 2021) quickly expanded to entities from a long list of countries worldwide, including Russia, India, Iran, and the UK.

ToddyCat targeted the same cluster of countries but also added organizations from Indonesia, Uzbekistan, and Kyrgyzstan to the list. In this third wave of attacks, the APT group also expanded its focus to include desktop systems, whereas before it had targeted only Microsoft Exchange servers.

Researchers say ToddyCat's victims are linked to industry sectors and countries also targeted by several Chinese-speaking groups.

The other entities they breached were also hacked around the same time by Chinese-backed hackers using the FunnyDream backdoor.


Moreover, despite the occasional proximity in staging locations, we have no concrete proof of the two malware families directly interacting, and the specific directories are frequently used by multiple attackers.

This research was conducted and documented by Kaspersky.

Indicators of compromise

Ninja C2

  • 149.28.28[.]159
  • eohsdnsaaojrhnqo.windowshost[.]us

File paths

  • C:\inetpub\temp\debug.exe
  • C:\Windows\Temp\debug.exe
  • C:\Windows\Temp\debug.xml
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\web.exe
  • C:\Users\Public\Downloads\dw.exe
  • C:\Users\Public\Downloads\chrome.log
  • C:\Windows\System32\chr.exe
  • C:\googleup.exe
  • C:\ProgramFiles\microsoft\exchangeserver\v15\frontend\httpproxy\owa\auth\googleup.log
  • C:\google.exe
  • C:\Users\Public\Downloads\x64.exe
  • C:\Users\Public\Downloads\1.dll
  • C:\Program Files\Common Files\microsoft shared\WMI\iiswmi.dll
  • C:\Program Files\Common Files\microsoft shared\Triedit\Triedit.dll
  • C:\Program Files\Common Files\System\websvc.dll
  • C:\Windows\Microsoft.NET\Framework\sbs_clrhost.dll
  • C:\Windows\Microsoft.NET\Framework\sbs_clrhost.dat
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\web.xml
  • C:\Users\Public\Downloads\debug.xml
  • C:\Users\Public\Downloads\cache.dat
  • C:\Windows\System32\config\index.dat
  • C:\Windows\Microsoft.NET\Framework\netfx.dat
  • %ProgramData%\adobe\2.dll
  • %ProgramData%\adobe\acrobat.exe
  • %ProgramData%\git\git.exe
  • %ProgramData%\intel\mstacx.dll
  • %ProgramData%\microsoft\drm\svchost.dll
  • %ProgramData%\microsoft\mf\svchost.dll
  • %ProgramData%\microsoft\mf\svhost.dll
  • %program files%\Common Files\services\System.Core.dll
  • %public%\Downloads\1.dll
  • %public%\Downloads\config.dll
  • %system%\Triedit.dll
  • %userprofile%\Downloads\Telegram Desktop\03.09.2021 г.zip
  • %userprofile%\Downloads\Telegram Desktop\Тех.Инструкции.zip
  • %userprofile%\libraries\1.dll
  • %userprofile%\libraries\chrome.exe
  • %userprofile%\libraries\chrome.log
  • %userprofile%\libraries\config.dll
  • C:\intel\2.dll
  • C:\intel\86.dll
  • C:\intel\x86.dll

Registry Keys

  • $HKLM\System\ControlSet\Services\WebUpdate
  • $HKLM\System\ControlSet\Services\PowerService
  • $HKLM\SOFTWARE\Classes\Interface\{6FD0637B-85C6-D3A9-CCE9-65A3F73ADED9}
  • $HKLM\SOFTWARE\Classes\Interface\{AFDB6869-CAFA-25D2-C0E0-09B80690F21D}
