ToddyCat Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (43)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en28
zh10
sv2
de2
fr2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

cn26
us14

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

ToddyCat5
Cobalt Strike3
DarkCrystalRAT1
TeslaCrypt1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined12
Programming Language Software8
Router Operating System4
Content Management System4
Knowledge Base Software2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined18
ZyXEL2
SAP2
D-Link2
F52

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

PHP6
Ratpack2
ZyXEL P660HN-T v12
SAP Knowledge Management2
D-Link DIR-816L2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.009431.06CVE-2010-0966
2Watchguard Firebox/XTM Remote Code Execution6.36.0$0-$5k$0-$5kHighOfficial Fix0.841700.00CVE-2022-26318
3WordPress Password Reset wp-login.php mail password recovery6.15.8$5k-$25k$0-$5kProof-of-ConceptNot Defined0.028270.05CVE-2017-8295
4request-baskets API Request {name} server-side request forgery6.46.4$0-$5k$0-$5kNot DefinedNot Defined0.081090.00CVE-2023-27163
5bassmaster plugin batch.js internalsbatch code injection9.89.4$0-$5k$0-$5kHighOfficial Fix0.879940.05CVE-2014-7205
6QNAP QTS/QuTS Hero/QVP/QVR os command injection6.76.6$0-$5k$0-$5kNot DefinedOfficial Fix0.001150.00CVE-2023-23355
7Google Android Settings.java getStringsForPrefix Local Privilege Escalation6.56.4$5k-$25k$0-$5kNot DefinedOfficial Fix0.000420.00CVE-2023-20919
8Linux Kernel rcar_drif.c rcar_drif_g_fmt_sdr_cap Memory information disclosure4.44.4$0-$5k$0-$5kNot DefinedNot Defined0.000470.02CVE-2019-18786
9Page Engine CMS login_include.php privileges management5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.000000.00
10D-Link DIR-816L/DIR-803 URL Encoding info.php cross site scripting5.25.2$5k-$25k$0-$5kNot DefinedUnavailable0.001110.00CVE-2020-25786
11Discuz! DiscuzX Access Restriction index.php access control8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.003030.02CVE-2018-5377
12Ratpack deserialization6.36.0$0-$5k$0-$5kNot DefinedOfficial Fix0.002340.00CVE-2021-29485
13Spring Framework Multipart Request privileges management5.35.1$0-$5k$0-$5kNot DefinedOfficial Fix0.000460.00CVE-2021-22118
14F5 BIG-IP Advanced WAF Appliance Mode Restrictions integrity check7.97.8$5k-$25k$0-$5kNot DefinedOfficial Fix0.000650.04CVE-2022-25946
15Progress MOVEit Transfer sql injection7.37.0$0-$5k$0-$5kNot DefinedOfficial Fix0.001310.00CVE-2021-38159
16PHP Link Directory Administration Page index.html cross site scripting4.34.3$0-$5k$0-$5kNot DefinedNot Defined0.003740.21CVE-2007-0529
17Kingsoft WPS Office Registry wpsupdater.exe access control5.55.3$0-$5k$0-$5kNot DefinedNot Defined0.009240.02CVE-2022-24934
18Smartisoft phpBazar classified_right.php file inclusion6.56.2$0-$5k$0-$5kProof-of-ConceptUnavailable0.009330.05CVE-2006-2528
19ZyXEL P660HN-T v1 ViewLog.asp command injection7.36.4$5k-$25k$0-$5kProof-of-ConceptWorkaround0.000000.04
20Cisco ASA/Firepower Threat Defense Web Services Interface out-of-bounds write6.96.8$5k-$25k$0-$5kNot DefinedOfficial Fix0.001950.00CVE-2021-34704

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Ninja

IOC - Indicator of Compromise (5)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
145.76.78.23745.76.78.237.vultrusercontent.comToddyCat07/31/2022verifiedHigh
2XXX.XX.XXX.XXxxx-xx-xxx-xx.xxxxxx.xxxxxxx-xxx.xxxXxxxxxxx04/29/2024verifiedHigh
3XXX.XXX.XX.XXXxxxxxxx04/29/2024verifiedHigh
4XXX.XXX.XX.XXxxx.xxx.xx.xx.xxxxxxxxxxxxxxxx.xxxXxxxxxxx07/31/2022verifiedHigh
5XXX.XX.XX.XXXxxx.xx.xx.xxx.xxxxxxxxxxxxxxxx.xxxXxxxxxxxXxxxx06/28/2022verifiedHigh

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
3TXXXX.XXXCAPEC-209CWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
4TXXXXCAPEC-122CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
5TXXXXCAPEC-136CWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
6TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
7TXXXX.XXXCAPEC-1CWE-XXXXxxxxxxx XxxxxxxxxxxxxpredictiveHigh
8TXXXXCAPEC-50CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
9TXXXXCAPEC-116CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (32)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/api/baskets/{name}predictiveHigh
2Filearchiver\index.phppredictiveHigh
3Fileawstats.plpredictiveMedium
4Fileclassified_right.phppredictiveHigh
5Filexxxxxxx/xxxxx/xxxxxxxx/xxxx_xxxx.xpredictiveHigh
6Filexxx/xxxx/xxxx.xpredictiveHigh
7Filexxx/xxxxxx.xxxpredictiveHigh
8Filexxxxxxxx/xxxxxxx/xxxxx_xxxxxxx.xxxpredictiveHigh
9Filexxxxx.xxxxpredictiveMedium
10Filexxxx.xxxpredictiveMedium
11Filexxxx/xxxxxxxxx.xxxpredictiveHigh
12Filexxxxxxxx.xpredictiveMedium
13Filexxxxxxxx.xxxxpredictiveHigh
14Filexxxx-xxxxxxx-xxxxxx.xxxpredictiveHigh
15Filexxxxxxx.xxxpredictiveMedium
16Filexxxx.xxxpredictiveMedium
17Filexxxxxx/xx/xxxx.xxxpredictiveHigh
18Filexx-xxxxx.xxxpredictiveMedium
19Filexxxxxxxxxx.xxxpredictiveHigh
20File~/xxx/xxxx-xxxxxxxxx.xxxpredictiveHigh
21Libraryxxx/xxxxxx/xxxxxxxxx/xxxxxx.xpredictiveHigh
22Libraryxxx/xxxxx.xxpredictiveMedium
23Argument$_xxxxxpredictiveLow
24ArgumentxxxxxxpredictiveLow
25ArgumentxxxxxxxxpredictiveMedium
26ArgumentxxxxxxpredictiveLow
27ArgumentxxxxxxxpredictiveLow
28ArgumentxxxxpredictiveLow
29ArgumentxxpredictiveLow
30Argumentxxxxxxxx_xxxpredictiveMedium
31Argumentxxxxxx_xxxxpredictiveMedium
32Input Value%xxxxxx+-x+x+xx.x.xx.xxx%xx%xxpredictiveHigh

References (4)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!