Understanding ToddyCat APT


Published on Apr 22, 2024   —   2 min read

ToddyCat is an Advanced Persistent Threat (APT) group that has been active since at least December 2020. Known for its sophisticated cyber-espionage activities, ToddyCat primarily targets government and military entities across Europe and Asia. Let's delve into a detailed exploration of ToddyCat, examining their operational tactics, profiling their typical targets, and unpacking the historical context of their cyber-espionage activities.

Operational Tactics

ToddyCat employs a range of sophisticated techniques to infiltrate and persist within target networks. Key tactics include:

  • Exploitation of Vulnerabilities: ToddyCat has been observed exploiting critical vulnerabilities in Microsoft Exchange servers to gain initial access to target networks. Notable among these is the ProxyLogon vulnerability.
  • Use of Malware: The group utilizes custom malware tools, including the Samurai backdoor and Ninja Trojan, to maintain presence and control over compromised systems.
  • Evasion Techniques: ToddyCat is adept at avoiding detection through the use of advanced evasion techniques that obscure their malware’s presence and activities from cybersecurity defenses.

Target Profile

ToddyCat's targeting scope is broad yet focused primarily on high-value targets that can provide strategic intelligence. Key target sectors include:

  • Government Agencies: Especially those related to foreign affairs, defense, and security.
  • Military Institutions: Including operational and strategic units that hold sensitive information relevant to national security.
  • Geographical Focus: While initially targeting Taiwan and Vietnam, ToddyCat has expanded its operations to include a variety of countries such as Afghanistan, India, Indonesia, Iran, and several others in Europe and Central Asia.

Historical Context

ToddyCat’s activities can be traced back to late 2020, with significant campaigns identified throughout 2021. The group's persistence and the evolution of their tactics indicate a well-resourced and strategically driven entity likely backed by a nation-state. This is consistent with the broader trends of Chinese-speaking APT groups engaging in sustained cyber espionage campaigns against geopolitical rivals and entities of strategic interest.


To defend against threats like ToddyCat, organizations, especially those within the targeted sectors, should adopt a multi-layered approach to cybersecurity:

  • Vulnerability Management: Regularly update and patch systems to mitigate the risk of exploitation through known vulnerabilities.
  • Endpoint Detection and Response (EDR): Deploy advanced EDR solutions to detect, investigate, and respond to threats at the endpoint level.
  • Awareness Training: Conduct regular security awareness training to help employees recognize and respond to social engineering attacks.
  • Network Defense: Implement robust network defense mechanisms to detect and mitigate advanced threats early in the attack cycle.


ToddyCat represents a significant threat to national security for countries and entities within its target scope. Understanding their tactics, techniques, and procedures (TTPs) is crucial for developing effective defenses against their operations. As the cyber threat landscape continues to evolve, staying informed and prepared is the best defense against sophisticated APT groups like ToddyCat.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.