ToddyCat Malware Exploits ProxyLogon Compromises Microsoft

Emy Elsamnoudy
January 7, 2026

ToddyCat, a sophisticated cyber espionage group, has emerged as a persistent threat, targeting high-profile organizations across multiple continents.

The group began operations in December 2020 by compromising Microsoft Exchange servers in Taiwan and Vietnam using an unidentified vulnerability.

However, their capabilities expanded significantly in February 2021 when they began exploiting the ProxyLogon vulnerability to target organizations across Europe and Asia.

This shift marked a turning point in their operations, allowing them to move beyond regional targets to a global scope. The group’s attack infrastructure demonstrates remarkable versatility and technical sophistication.

Their operations involve deploying multiple malware variants including China Chopper web shells and the Samurai backdoor, enabling them to establish initial footholds on compromised systems.

By September 2021, ToddyCat expanded its reach to desktop systems in Central Asia, distributing Ninja Trojan loaders via Telegram.

More recently, in 2024, the group introduced complex tools like TCESB designed to exploit vulnerabilities in security products, showing their continuous evolution.

Picus Security analysts identified the group’s sophisticated approach to maintaining persistent access and conducting surveillance on target environments.

The threat actors combine multiple execution methods to avoid detection and maintain operational security throughout their campaigns.

Credential Harvesting and Defense Evasion Mechanisms

ToddyCat’s persistence tactics reveal a deep understanding of Windows security architecture.

The group uses scheduled tasks to run its data collection tools automatically, launching PowerShell with bypass flags so that the script execution policy does not block them.

A representative example is the command powershell -exec bypass -command c445.ps1, which the scheduled task invokes so that a malicious script stored under a ProgramData directory runs repeatedly.

Their defense evasion techniques are particularly notable. The group uses the Bring Your Own Vulnerable Driver (BYOVD) technique, installing the vulnerable DBUtilDrv2.sys driver and abusing it to modify kernel structures.

Additionally, they employ DLL side-loading strategies where malicious versions of legitimate libraries redirect function calls while executing hidden payloads. This approach exploits how Windows loads libraries, allowing malicious code to run within trusted processes.

For credential access, ToddyCat dumps browser memory to extract saved passwords from Chrome, Firefox, and Edge browsers.

They specifically target the browsers' credential store files, such as Login Data (Chrome and Edge) and logins.json (Firefox), using PowerShell scripts to collect authentication credentials systematically.

The group also harvests OAuth tokens from Microsoft 365 applications, giving them access to cloud resources.

Once data collection completes, they compress everything using WinRAR with encryption, sending collected materials through command and control channels.
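Added here as a defender-side illustration, not code from the article or from Picus Security: a small Python detector that runs the behaviours described in this section (the scheduled PowerShell with an execution-policy bypass under ProgramData, the DBUtilDrv2.sys driver load, access to the Login Data / logins.json stores, and the password-protected RAR step) over constructed sample events. The key=value event format, its field names, and the assumption that the "WinRAR with encryption" step shows up as a -p/-hp switch on the command line are assumptions of this example.

```python
import re

# Constructed sample telemetry in a simplified key=value form (not real events
# from the article or from Picus Security). Backslashes are doubled for Python.
SAMPLE_EVENTS = [
    'type=process parent=svchost.exe cmd="powershell -exec bypass -command C:\\ProgramData\\c445.ps1"',
    'type=driver_load image=C:\\Users\\Public\\DBUtilDrv2.sys signed=true',
    'type=process parent=powershell.exe cmd="copy C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data C:\\ProgramData\\ld.db"',
    'type=process parent=explorer.exe cmd="rar.exe a -hpS3cret C:\\ProgramData\\out.rar C:\\ProgramData\\loot"',
    'type=process parent=explorer.exe cmd="powershell -file C:\\Scripts\\backup.ps1"',  # benign
    'type=driver_load image=C:\\Windows\\System32\\drivers\\disk.sys signed=true',        # benign
]

# key=value pairs; a value may be double-quoted (command lines contain spaces).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value event line into a dict of field -> value."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}

def _cmd(e):
    """Command line of a process event; empty string for other event types."""
    return e.get("cmd", "") if e.get("type") == "process" else ""

# Each rule maps one behaviour from the article to a predicate on a parsed event.
RULES = [
    # Scheduled PowerShell with an execution-policy bypass running a script under ProgramData
    ("ps_bypass_programdata", lambda e:
        re.search(r"-exec(?:utionpolicy)?\s+bypass", _cmd(e), re.I) is not None
        and re.search(r"\\ProgramData\\.*\.ps1", _cmd(e), re.I) is not None),
    # BYOVD: load of the vulnerable DBUtilDrv2.sys driver, wherever it sits on disk
    ("byovd_dbutildrv2", lambda e:
        e.get("type") == "driver_load"
        and e.get("image", "").lower().endswith("dbutildrv2.sys")),
    # Command lines touching the Chrome/Edge "Login Data" or Firefox logins.json stores
    ("browser_cred_store_access", lambda e:
        re.search(r"login data|logins\.json", _cmd(e), re.I) is not None),
    # RAR archive created with a password switch (-p / -hp); assumed to be how the
    # "WinRAR with encryption" step appears on the command line
    ("rar_encrypted_archive", lambda e:
        re.search(r"\b(?:win)?rar(?:\.exe)?\b.*\s-h?p\S+", _cmd(e), re.I) is not None),
]

def scan(lines):
    """Return (event_index, rule_id) for every event that matches a rule."""
    hits = []
    for idx, line in enumerate(lines):
        event = parse_event(line)
        hits.extend((idx, rule_id) for rule_id, pred in RULES if pred(event))
    return hits
```

Running scan(SAMPLE_EVENTS) flags the first four constructed events, one per rule, and leaves the two benign ones untouched; the same rules can be fed real process-creation and driver-load events once mapped into the key=value shape.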

This multifaceted approach demonstrates why ToddyCat represents a significant threat to enterprise security infrastructure.
