According to Avertium, ToddyCat has been active since December 2020, targeting high-profile organizations, especially through Microsoft Exchange. (avertium.com)
Their tooling includes a backdoor called Samurai and a tool called Ninja, which allows several operators to control compromised machines at the same time. (avertium.com)
Email Data Theft
According to Kaspersky / Securelist, ToddyCat has developed a method to access corporate Outlook email data. (Securelist)
They use a custom tool called TCSectorCopy to copy Outlook offline storage (OST) files, even while Outlook is running and holds them locked, by reading the disk sectors directly instead of going through the file system. (Securelist)
Another tool, TomBerBil, is used to extract browser cookies, saved passwords, and OAuth tokens to gain persistent, stealthy access. (Securelist)
Motivation & Attribution
According to threat‑intelligence profiling, ToddyCat’s activities appear espionage‑oriented, possibly state-linked. (malwarepatrol.net)
Their infrastructure is sophisticated, with customized malware and command & control (C2) setups. (malwarepatrol.net)
Why the “Invisible Email Assistant” Description Is Problematic / False
There is no legitimate productivity or email-management app called “ToddyCat” in any major app store, vendor site, or productivity‑tool list.
All credible references to ToddyCat are in cybersecurity / threat intelligence contexts, describing it as a hacker group, not a software tool. (avertium.com)
The malware-news article calling it a “hidden email assistant” is misleading: it is not an assistant working for you; it is malware that steals your emails. (Malware Analysis, News and Indicators)
Using or installing anything under that name would likely be harmful — you could be dealing with a real threat, not a productivity booster.
Key Security Implications & Lessons
Phishing & Impersonation Risk
Someone may be misusing the ToddyCat name to trick people into installing malware, masquerading as a “helper” tool.
If you ever see a “ToddyCat” tool or extension claiming to be an email assistant, treat it with high suspicion.
Good Cyber Hygiene
Use strong, unique passwords and enable multi-factor authentication (MFA) for your email accounts.
Keep your software (especially email clients) up to date, because APTs like ToddyCat exploit known vulnerabilities (e.g., in Exchange). (avertium.com)
Use endpoint protection / antivirus solutions to detect advanced threat actors.
Be Skeptical of Look-alike Names / Fake Tools
Many malicious actors clone names of legitimate tools or invent “helper tools” to trick users. Always verify the publisher, check reviews, and cross-check with trusted sources.
Enterprise Email Protection
If you’re in a company, educate your IT / security team about APT risks.
Make sure sensitive email content (especially for business) is backed up and encrypted where possible.
Bottom Line
ToddyCat is not a “smart email assistant” — it’s a cyber-espionage threat actor.
If you heard about “ToddyCat” as a productivity tool, it’s likely a scam or misunderstanding.
Treat any software or extension that claims to be “ToddyCat” very carefully — it may be malicious.
Good question. There’s no real “ToddyCat: Your Invisible Assistant for Smarter Email Management” — the name ToddyCat actually refers to a threat actor / cyberespionage group (APT), not a productivity tool. Below are detailed case studies of what ToddyCat really is, how it operates, and expert commentary.
Case Studies: What ToddyCat Actually Does
Exchange Server Attacks (Samurai & Ninja)
Initial Compromise: ToddyCat first made headlines by targeting Microsoft Exchange servers, exploiting vulnerabilities (like ProxyLogon) to deploy a backdoor called Samurai. (Kaspersky)
Post‑Exploitation: After gaining access, they use a sophisticated Trojan called Ninja, which supports process control, code injection, and network tunneling — enabling stealthy, long-term access. (thecyberpost.com)
Email Stealing via Outlook OST Files
TCSectorCopy Tool: ToddyCat uses a custom tool called TCSectorCopy to directly read and copy locked Outlook .ost files (offline storage). (Malware Analysis, News and Indicators)
Exporting Email: Once copied, these OST files are processed with XstReader, a tool that exports email content (including attachments) into readable formats. (Malware Analysis, News and Indicators)
Browser Credential & Token Theft
TomBerBil: This malware family is used to extract browser cookies, saved passwords, and other authentication tokens from user machines. (Securelist)
OAuth Token Acquisition: In some cases, ToddyCat gains OAuth 2.0 tokens from a user’s browser session — allowing them to access corporate email accounts outside of their compromised network. (Securelist)
PowerShell Variant: A newer PowerShell version of TomBerBil has been observed, which runs on privileged accounts and copies encryption keys for stored browser data. (Malware Analysis, News and Indicators)
Data Exfiltration Infrastructure
ToddyCat uses multiple secure tunnels for exfiltration and persistence: reverse SSH, SoftEther VPN, Ngrok, and FRP (a fast reverse proxy written in Go). (Dark Reading)
Cuthead: A .NET tool used to search for files by name or extension across the compromised network, archive them, and prepare them for exfiltration. (Dark Reading)
WAExp: A module that targets WhatsApp Web data (from browsers), enabling the attackers to collect chat data, session info, and more. (Dark Reading)
Espionage Scale
According to threat intelligence firm Cyfirma, ToddyCat is running a campaign named “Stayin’ Alive”, using “disposable” malware to evade detection. (CYFIRMA)
Their targets are strategic: government ministries, telecoms, high‑profile companies, especially in Asia, indicating espionage motivations. (CYFIRMA)
Expert Commentary & Reactions
Kaspersky (security firm): Describes ToddyCat as “sophisticated” and stealthy, employing modular malware and advanced backdoor tools. (usa.kaspersky.com)
Computing.co.uk: Reports that ToddyCat is capable of “industrial-scale” data theft, stealing large volumes of sensitive data from target organizations. (computing.co.uk)
SC Media: Notes that the group’s “tool arsenal is very advanced” — they use multiple parallel channels and sophisticated C2 infrastructure to avoid detection. (SC Media)
HivePro Threat Advisory: Warns that ToddyCat now exploits even security software (e.g., DLL-hijacking in ESET) to maintain persistence. (Hive Pro)
Securelist (Kaspersky): Provides deep technical analysis of how new versions of TomBerBil and TCSectorCopy help ToddyCat steal Outlook email data. (Securelist)
Strategic Implications (Why This Matters)
Not a Benign Assistant: The “invisible assistant” framing is dangerous misdirection — in reality, ToddyCat is a cyberespionage group, not a productivity tool.
Email Infrastructure Risk: Organizations using Microsoft Exchange or Outlook are particularly at risk, because ToddyCat actively targets and extracts mailbox data.
Tracking & Detection Challenges: ToddyCat’s use of multiple communication channels (VPN, SSH, reverse proxy) makes detection difficult. Defenders should monitor for unusual access to mailbox storage (e.g., .ost files read by processes other than Outlook, or read via raw disk sectors) and for browser token theft.
Long-Term Access: Their toolkit is built for persistent access, not just one-off attacks — meaning even if a single entry point is closed, they may maintain access via other channels.
Industrial-Scale Theft: This isn’t “hack-and-leak for attention”; it’s methodical, large-scale espionage, likely with geopolitical motives.
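As an added defender-side illustration (not code from any of the cited reports), the following Python hunts over constructed file-access events for the three patterns described above: raw physical-drive handles (how sector-level copying sidesteps Outlook's file lock), .ost files opened by something other than the mail client, and browser credential stores read by non-browser processes. The log format, process names and paths are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real telemetry), loosely modelled on
# Sysmon/EDR file-access records: process name, account, target path.
SAMPLE_EVENTS = [
    r"proc=OUTLOOK.EXE user=alice target=C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.ost",
    r"proc=copytool.exe user=alice target=\\.\PhysicalDrive0",
    r"proc=svchelper.exe user=SYSTEM target=C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.ost",
    r"proc=chrome.exe user=alice target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"proc=powershell.exe user=SYSTEM target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"proc=explorer.exe user=alice target=C:\Users\alice\Documents\report.docx",
]

EVENT_RE = re.compile(r"proc=(?P<proc>\S+) user=(?P<user>\S+) target=(?P<target>.+)$")

# Processes expected to touch each data store; anything else is worth a look.
MAIL_CLIENTS = {"outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Chromium credential/cookie stores; "Local State" holds the wrapped key
# that the PowerShell TomBerBil variant is reported to copy.
BROWSER_STORES = {"login data", "cookies", "local state", "web data"}
# \\.\PhysicalDriveN or \\.\C: handles mean sector/volume-level reads,
# which bypass the lock Outlook keeps on an open .ost file.
RAW_DEVICE_RE = re.compile(r"^\\\\\.\\(physicaldrive\d+|[a-z]:)$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a rule name if the access matches a ToddyCat-style pattern."""
    proc = event["proc"].lower()
    target = event["target"]
    name = target.rsplit("\\", 1)[-1].lower()   # last path component
    if RAW_DEVICE_RE.match(target):
        return "raw-disk-handle"
    if name.endswith(".ost") and proc not in MAIL_CLIENTS:
        return "ost-access-by-non-mail-client"
    if name in BROWSER_STORES and proc not in BROWSERS:
        return "browser-store-access-by-non-browser"
    return None


def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse each event and collect (process, user, rule) for every hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        rule = classify(ev)
        if rule:
            findings.append((ev["proc"], ev["user"], rule))
    return findings


if __name__ == "__main__":
    for proc, user, rule in hunt(SAMPLE_EVENTS):
        print(f"{rule:40} {proc} ({user})")
```

Real deployments would feed EDR or Sysmon events in rather than the constructed list, and tune the allow-lists to the mail clients and browsers actually in use.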
Bottom Line
If you see or hear anything claiming that ToddyCat is an email productivity “assistant”, it’s almost certainly incorrect — or deliberately misleading.
Actual ToddyCat activity is a serious threat: cyberespionage, data exfiltration, and persistent access to corporate email.
Protecting against ToddyCat requires strong threat intelligence, endpoint detection, and monitoring of email storage and browser sessions.