Threat Actor Profile
High APT
Description

ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)

Confidence Score
90%
Known Aliases
ToddyCat
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (25)
T1005 - Data from Local System
Collection
T1074.002 - Remote Data Staging
Collection
T1560.001 - Archive via Utility
Collection
T1095 - Non-Application Layer Protocol
Command and Control
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1078.002 - Domain Accounts
Defense Evasion
T1562.004 - Disable or Modify System Firewall
Defense Evasion
T1564.003 - Hidden Window
Defense Evasion
T1018 - Remote System Discovery
Discovery
T1049 - System Network Connections Discovery
Discovery
T1057 - Process Discovery
Discovery
T1069.002 - Domain Groups
Discovery
T1083 - File and Directory Discovery
Discovery
T1087.002 - Domain Account
Discovery
T1518.001 - Security Software Discovery
Discovery
T1680 - Local Storage Discovery
Discovery
T1047 - Windows Management Instrumentation
Execution
T1053.005 - Scheduled Task
Execution
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1106 - Native API
Execution
T1567.002 - Exfiltration to Cloud Storage
Exfiltration
T1190 - Exploit Public-Facing Application
Initial Access
T1566.003 - Spearphishing via Service
Initial Access
T1021.002 - SMB/Windows Admin Shares
Lateral Movement
Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'aliases': ['ToddyCat'],
 'created': '2024-01-03T21:34:10.988Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[ToddyCat](https://attack.mitre.org/groups/G1022) is a '
                'sophisticated threat group that has been active since at '
                'least 2020 using custom loaders and malware in multi-stage '
                'infection chains against government and military targets '
                'across Europe and Asia.(Citation: Kaspersky ToddyCat June '
                '2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)',
 'external_references': [{'external_id': 'G1022',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1022'},
                         {'description': 'Dedola, G. (2022, June 21). APT '
                                         'ToddyCat. Retrieved January 3, 2024.',
                          'source_name': 'Kaspersky ToddyCat June 2022',
                          'url': 'https://securelist.com/toddycat/106799/'},
                         {'description': 'Dedola, G. et al. (2023, October '
                                         '12). ToddyCat: Keep calm and check '
                                         'logs. Retrieved January 3, 2024.',
                          'source_name': 'Kaspersky ToddyCat Check Logs '
                                         'October 2023',
                          'url': 'https://securelist.com/toddycat-keep-calm-and-check-logs/110696/'}],
 'id': 'intrusion-set--b516b235-fc7d-4635-aca5-3d33312339c3',
 'modified': '2024-02-14T20:35:53.080Z',
 'name': 'ToddyCat',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}
Quick Actions
Related TTPs (25)
Data from Local System
Collection
Remote Data Staging
Collection
Archive via Utility
Collection
Non-Application Layer Protocol
Command and Control
Match Legitimate Resource Nam…
Defense Evasion
View All 25 TTPs
Back to Threat Actors
Dashboard Home