Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ ToddyCat

🌐ToddyCat

🌐 ToddyCat is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 25 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1022) ↗
14Use cases
0Articles
25Techniques
0IOCs

About this actor (MITRE)

[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)

Known aliases

ToddyCat

Top techniques

T1005 · Data from Local SystemT1018 · Remote System DiscoveryT1021.002 · SMB/Windows Admin Shares

All other tracked techniques

T1036.005 · Match Legitimate Resource Name or LocationT1047 · Windows Management InstrumentationT1049 · System Network Connections DiscoveryT1053.005 · Scheduled TaskT1057 · Process DiscoveryT1059.001 · PowerShellT1059.003 · Windows Command ShellT1069.002 · Domain GroupsT1074.002 · Remote Data StagingT1078.002 · Domain AccountsT1083 · File and Directory DiscoveryT1087.002 · Domain AccountT1095 · Non-Application Layer ProtocolT1106 · Native APIT1190 · Exploit Public-Facing ApplicationT1518.001 · Security Software DiscoveryT1560.001 · Archive via UtilityT1564.003 · Hidden WindowT1566.003 · Spearphishing via ServiceT1567.002 · Exfiltration to Cloud StorageT1680 · Local Storage DiscoveryT1686 · Disable or Modify System Firewall

Detection use cases (14)

ToddyCat (G1022) Exchange/IIS post-exploitation: w3wp.exe → cmd/PowerShell → scheduled task AI · profile SΣ ToddyCat (G1022) staged-archive exfiltration via xcopy/7z to cloud (Mega/OneDrive/Dropbox) AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match Authentication not detected on admin API endpoint MITRE match AWS S3 bucket ACL / policy made public MITRE match Crypto-wallet file/keystore access by non-wallet process MITRE match Excessive resource consumption of third-party API MITRE match Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) MITRE match JWT authentication bypass attempt MITRE match