Asian telecoms in the eye of the storm for ToddyCat hackers

10 November, 2023 | Miscelanea

A campaign known as “Stayin’ Alive” has been actively targeting government organizations and telecommunication service providers across Asia since 2021.

Aim of the attack

Employing a diverse array of “disposable” malware to evade detection, the campaign primarily focuses on entities in Kazakhstan, Uzbekistan, Pakistan, and Vietnam, with Check Point, a cybersecurity firm, tracking these activities.

Check Point researchers have noted the use of various custom tools by threat actors in this campaign. These tools are designed to be easily discarded, making it challenging to associate attacks with one another or with known toolsets.

Mode of operation

The attack initiates through spear-phishing emails tailored for specific individuals within key organizations. The emails prompt recipients to open a ZIP file, containing a digitally signed executable file matching the email context and a malicious DLL. This DLL introduces the “CurKeep” malware into the system. CurKeep, a 10kb backdoor, establishes persistence, relays system information to a command-and-control (C2) server, and awaits further instructions.

Beyond CurKeep, the campaign deploys additional tools like CurLu, CurCore, and CurLog loaders, each with distinct functionalities and infection mechanisms. CurCore stands out as it can create files, execute remote commands, and manipulate data.

Another distinct backdoor, ‘StylerServ,’ functions as a passive listener monitoring specific ports for encrypted configuration files. Its exact purpose remains undisclosed but is presumed to serve as a configuration mechanism for other malware components.

The campaign tailors these tools to specific regional targets, utilizing various samples and variants. These identified tools may represent only a segment of a more extensive campaign involving undiscovered tools and attack methods.

Despite the diversity and customization of these tools, they all allegedly connect to the same infrastructure, previously linked to ToddyCat, a group of Chinese cyber spies.

One of the notable malware discovered is ‘Ninja Agent’, equipped with file management and reverse shell capabilities.

ToddyCat also deployed other tools like LoFiSe, Cobalt Strike, DropBox Uploader, and a passive UDP backdoor in these attacks, indicating the breadth and complexity of their operations.

Prevention is a crucial factor

RELIANOID offers cutting-edge solutions designed to preempt and mitigate sophisticated cyber threats like the “Stayin’ Alive” campaign observed across Asia. Leveraging advanced threat intelligence and adaptive security measures, RELIANOID’s platform detects and thwarts diverse, disposable malware used in these attacks by analyzing content inspection and preventing executable files being downloaded. By employing proactive monitoring, behavioral analysis, and customizable security protocols, RELIANOID effectively fortifies networks and systems against such evolving cyber intrusions. Download enterprise ready load balancer and enjoy the Site Reliability Experience.

SHARE ON:

Related Blogs

Posted by reluser | 08 July 2025
The rapid growth of global businesses has led to an increasing demand for scalable, reliable, and high-performance IT infrastructures. Companies with a worldwide presence need to ensure their websites and…
27 LikesComments Off on Global Server Load Balancer: Ensuring High Availability and Optimal Performance
Posted by reluser | 04 July 2025
In today's interconnected industrial environments, ensuring security has become a paramount concern. The convergence of IT and OT (Operational Technology) in industries such as manufacturing, energy, and logistics has brought…
46 LikesComments Off on The Importance of Industrial Zero-Trust Micro-Segmentation
Posted by reluser | 26 June 2025
Understanding SIEM: A Cornerstone of Cybersecurity Security Information and Event Management (SIEM) is a critical technology in modern cybersecurity, enabling organizations to collect, analyze, and respond to security events in…
78 LikesComments Off on The Role of SIEM in Modern Cybersecurity