ToddyCat Malware Exploits ProxyLogon to Breach Microsoft Exchange Servers Globally

The420.in Staff

A sophisticated cyber espionage group known as ToddyCat has been identified as a persistent and evolving threat to organizations worldwide, exploiting vulnerabilities in Microsoft Exchange servers to gain long-term access to enterprise networks. Security researchers say the group leveraged the infamous ProxyLogon vulnerability to compromise high-value targets across Europe and Asia, marking a significant escalation in its operational reach.

ToddyCat first surfaced in late 2020, when it targeted Microsoft Exchange servers in Taiwan and Vietnam using an unidentified vulnerability. However, its activity intensified sharply in February 2021, after it began exploiting ProxyLogon — a critical flaw that allowed attackers to execute remote commands on vulnerable Exchange servers. This shift enabled the group to expand beyond regional targets and operate at a global scale.

Multi-stage attacks using diverse malware tools

Investigations indicate that ToddyCat relies on a layered attack strategy designed to establish a durable foothold while avoiding detection. Initial access is typically achieved through compromised Exchange servers, followed by the deployment of multiple malware components.

These include web shells such as China Chopper, which provide attackers with remote command execution capabilities, and custom backdoors like Samurai, used to maintain persistent access. By September 2021, the group expanded its operations to desktop systems in Central Asia, distributing Ninja Trojan loaders through messaging platforms to infect additional endpoints.

More recently, in 2024, ToddyCat introduced advanced tools such as TCESB, capable of exploiting vulnerabilities in security software itself. Analysts note that this evolution reflects a deliberate effort to bypass defensive technologies and sustain long-term espionage operations within compromised environments.

Persistence through Windows abuse techniques

The group’s persistence mechanisms demonstrate a deep understanding of Windows internals. ToddyCat has been observed using scheduled tasks to automatically execute data collection tools, ensuring continued access even after system reboots.

PowerShell is frequently abused with execution policy bypasses to run malicious scripts stored in trusted system directories. One commonly observed technique involves invoking scripts with execution bypass flags, allowing them to run uninterrupted despite security controls.
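As an added illustration (not code from the article or from any vendor), the following Python script turns the two behaviours just described, scheduled tasks used to launch tooling and PowerShell invoked with execution-policy bypass flags against scripts staged under the Windows directory, into simple detection tags applied to process-creation records. The records, their field names and the command lines are constructed samples, not telemetry from any real intrusion.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style fields);
# these are illustrative, not observations from any ToddyCat incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\Temp\collect.ps1",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /sc onlogon /tr "powershell -ep bypass -w hidden -f C:\Windows\Tasks\run.ps1"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\admin\scripts\backup.ps1",
     "parent": r"C:\Windows\explorer.exe"},
]

# -ExecutionPolicy Bypass and its common short forms (-exec, -ex, -ep).
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|exec|ex|ep)\s+bypass", re.IGNORECASE)
# A .ps1 path anywhere under the Windows directory, i.e. a script placed in a trusted system location.
SYSTEM_SCRIPT_RE = re.compile(r'[A-Z]:\\Windows\\[^\s"]+\.ps1', re.IGNORECASE)
# schtasks.exe being used to create (rather than query or run) a task.
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)


def classify(event):
    """Return the list of detection tags triggered by one process-creation event."""
    cmd = event["cmdline"]
    tags = []
    if BYPASS_RE.search(cmd):
        tags.append("ps_execpolicy_bypass")
        if SYSTEM_SCRIPT_RE.search(cmd):
            tags.append("script_in_windows_dir")
    if SCHTASKS_CREATE_RE.search(cmd):
        tags.append("schtask_create")
        if "powershell" in cmd.lower():
            tags.append("schtask_runs_powershell")
    return tags


def scan(events):
    """Return (command line, tags) for every event that triggered at least one tag."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags:
            hits.append((event["cmdline"], tags))
    return hits


if __name__ == "__main__":
    for cmdline, tags in scan(SAMPLE_EVENTS):
        print(", ".join(tags), "<-", cmdline)
```

The third record, an ordinary script run from a user profile without a bypass flag, produces no tags, which is the point of combining the flag check with the location check rather than alerting on every PowerShell launch.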

To evade defenses, the attackers employ the “Bring Your Own Vulnerable Driver” technique, installing known vulnerable drivers to manipulate kernel-level structures. This approach enables stealthy privilege escalation and disables security monitoring at a fundamental level.

Another key tactic involves DLL side-loading, where malicious libraries are disguised as legitimate files and loaded by trusted applications. This allows malicious payloads to execute under the cover of legitimate processes, significantly reducing the likelihood of detection.

Credential theft and cloud access

Credential harvesting remains central to ToddyCat’s operations. The group systematically extracts saved credentials from popular web browsers, including Chrome, Firefox and Edge, by dumping browser memory and accessing authentication databases.

In addition to local credentials, ToddyCat targets cloud environments by harvesting OAuth tokens from Microsoft 365 applications. This grants attackers access to email accounts, cloud storage and other enterprise services, extending the impact beyond on-premise systems.

Collected data is compressed and encrypted before being transmitted to command-and-control servers, protecting its confidentiality and the operation's secrecy during exfiltration.

A growing threat to enterprise security

Security analysts warn that ToddyCat represents a serious risk to organizations running unpatched Microsoft Exchange servers and hybrid cloud environments. Its ability to adapt tools, exploit trusted components and maintain persistence over long periods places it among the more advanced cyber espionage actors currently active.

The campaign highlights the continued exploitation of legacy vulnerabilities long after patches have been released, underscoring the importance of timely updates, strict access controls and continuous monitoring.

As enterprises increasingly rely on cloud-integrated infrastructure, the ToddyCat operation serves as a reminder that email servers remain a high-value target — and that advanced threat actors are willing to invest years refining techniques to stay hidden inside corporate networks.

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.