ToddyCat APT is targeting Microsoft Exchange servers for organizations across Asia and Europe, at least since December 2020.

ToddyCat attacks

From February 2021, the ToddyCat APT group escalated its attacks and is scanning for unpatched Microsoft Exchange servers with ProxyLogon exploits to carry out attacks.
  • While tracking the group's activity, a passive backdoor named Samurai and a new Ninja trojan has been discovered. Both the malware take control of infected systems and move laterally within the networks.
  • Some of the organizations the group breached in three different countries were hacked around the same time by other Chinese-backed hackers employing the FunnyDream backdoor.

The targeted victims are high-profile organizations belonging to government and military sectors. The group seems to be focused on achieving critical goals aligned with geopolitical interests.

Multiple waves of attacks

The first wave of the attacks started in December 2020 and stopped in February 2021. At that time, the group was only targeting a small number of government organizations in Vietnam and Taiwan.
  • The next wave of attacks, observed between February and May, 2021, started targeting organizations from a long list of countries, including Iran, Russia, India, and the U.K.
  • In the next phase, which lasted until February 2022, the group targeted the same cluster of countries, along with more organizations from Uzbekistan, Kyrgyzstan, and Indonesia.


ToddyCat group displayed its interest in governmental and military sectors and is anticipated to continue with its operations. Organizations are suggested to make use of threat intelligence services to stay abreast of new threats and secure their networks. Further, make use of provided IOCs for better detection of threats.
Cyware Publisher