The ToddyCat group [1] [2], an advanced persistent threat (APT) based in China, has been actively targeting telecommunications organizations in Central and Southeast Asia since at least 2020 [3]. This APT group has been linked to Chinese espionage operations [1] [2] [3].


In their latest campaign [1] [2] [3], known as “Stayin’ Alive,” the ToddyCat group has focused on targeting telcos in Kazakhstan, Pakistan [1] [2] [3], Uzbekistan [1] [2] [3], and Vietnam [1] [2] [3]. Their attack strategy begins with spear phishing emails that contain archive files [1], exploiting a DLL sideloading vulnerability [1]. The group utilizes simple backdoors and loaders, which may have basic functionality but are effective in achieving their initial goals [1], such as gathering information about infected machines [3].

To make it challenging for researchers to track their activities, ToddyCat constantly discards and replaces their malware samples [1]. Each sample of their malware is unique and does not resemble any known malware families [3]. However, their command-and-control infrastructure is easily identifiable [1] [3].

The full extent of the damage caused by ToddyCat is still unknown [2]. It is crucial to implement a layered approach to defend against this APT group. This includes implementing proper email protection and utilizing endpoint detection and response (EDR) endpoints [1].


The ToddyCat group’s activities have significant implications for the targeted telecommunications organizations in Central and Southeast Asia. It is essential for these organizations to take proactive measures to protect themselves against this APT group. Implementing a layered defense approach, including robust email protection and EDR endpoints [1] [3], can help mitigate the risk posed by ToddyCat. Additionally, ongoing research and collaboration among cybersecurity professionals are necessary to stay ahead of this evolving threat landscape.