A Chinese cyber espionage group known as ToddyCat has been targeting telecommunications organizations and governments in Central and Southeast Asia since at least 2021. The campaign, tracked by Check Point Research as “Stayin’ Alive,” begins with spear-phishing emails carrying archive attachments that exploit a DLL sideloading vulnerability in Audinate’s Dante Discovery software.
Check Point Research has identified a set of loaders and downloaders used as initial infection vectors against high-profile organizations in Kazakhstan, Uzbekistan, Pakistan and Vietnam. One of them, CurKeep, is deployed by running a legitimate executable signed by Zoom that loads the malicious dal_keepalives.dll shipped beside it in the archive: Windows resolves a DLL imported by name from the application’s own directory before any system location, so the attacker’s library runs under the identity of a validly signed program. ToddyCat also uses custom tools such as CurLu, CurCore and StylerServ to download and run additional payloads. These tools are simple and apparently disposable, which makes the group’s activity hard to detect and track, even though its command-and-control infrastructure is easily identifiable.
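The sideloading pattern described above lends itself to a host-side check: a process loads a DLL from its own directory, that directory is a user-writable location such as an extracted archive under Downloads, and the DLL is unsigned or fails signature validation. The following Python is an added example written for this page, not Check Point Research’s code or anything recovered from the campaign; it runs that heuristic over constructed records shaped like the fields of Sysmon Event ID 7 (ImageLoad). The executable name legit_signed_app.exe, the paths and the vendor names are placeholders; only dal_keepalives.dll is taken from the reporting.

```python
"""Heuristic for DLL sideloading in Sysmon Event ID 7 (ImageLoad) records.

Added example, not Check Point's code. Flags a DLL that a process loaded from
its own directory when that directory is user-writable and the DLL is unsigned
or carries a signature that does not validate. SAMPLE_EVENTS is constructed
sample data modelled on Sysmon's ImageLoad fields; legit_signed_app.exe is a
placeholder name, not the binary used in the campaign.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Loading an unsigned DLL from beside the executable is normal for software
# installed in these locations; the same load from Downloads, Temp or a mail
# attachment folder is what sideloading via a phished archive looks like.
TRUSTED_DIR_PREFIXES = ("\\windows\\", "\\program files\\", "\\program files (x86)\\")


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reasons: Tuple[str, ...]


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so directory comparison is exact."""
    return ntpath.normpath(path).lower()


def in_trusted_dir(path: str) -> bool:
    _, tail = ntpath.splitdrive(_norm(path))
    return tail.startswith(TRUSTED_DIR_PREFIXES)


def assess_image_load(ev: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if this ImageLoad event looks like sideloading, else None."""
    image, loaded = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    if not loaded.endswith(".dll"):
        return None                      # only library loads are of interest
    if ntpath.dirname(image) != ntpath.dirname(loaded):
        return None                      # DLL did not come from the app directory
    if in_trusted_dir(loaded):
        return None                      # vendor install location; out of scope here
    reasons: List[str] = []
    signed = ev.get("Signed", "false").lower() == "true"
    status = ev.get("SignatureStatus", "").lower()
    if not signed:
        reasons.append("DLL unsigned")
    elif status != "valid":
        reasons.append("DLL signature " + (status or "unknown"))
    if not reasons:
        return None                      # validly signed DLL beside a portable app
    if not ev.get("Company"):
        reasons.append("no Company in version info")   # common for dropped DLLs
    return Finding(process=image, dll=loaded, reasons=tuple(reasons))


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for f in (assess_image_load(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry), using Sysmon ImageLoad field names.
SAMPLE_EVENTS = [
    {   # sideloading pattern: signed app extracted from an archive loads an
        # unsigned DLL carrying the name of the library the app expects
        "Image": r"C:\Users\victim\Downloads\Archive\legit_signed_app.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\Archive\dal_keepalives.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Company": "",
    },
    {   # same process pulling a system DLL: different directory, benign
        "Image": r"C:\Users\victim\Downloads\Archive\legit_signed_app.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Company": "Microsoft Corporation",
    },
    {   # installed software loading its own unsigned helper from a vendor location
        "Image": r"C:\Program Files\ExampleVendor\app.exe",
        "ImageLoaded": r"C:\Program Files\ExampleVendor\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Company": "ExampleVendor",
    },
    {   # portable tool whose bundled DLL is validly signed: not flagged
        "Image": r"C:\Users\victim\Tools\portable.exe",
        "ImageLoaded": r"C:\Users\victim\Tools\libcore.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Company": "Portable Tools Ltd",
    },
    {   # signature present but failing validation: tampered or self-signed DLL
        "Image": r"C:\Users\victim\AppData\Local\Temp\update\updater.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\update\version.dll",
        "Signed": "true", "SignatureStatus": "Errors", "Company": "",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.process} loaded {finding.dll}: {', '.join(finding.reasons)}")
```

Two caveats when turning this into a production rule. Sysmon’s ImageLoad event records the signature state of the loaded image, not of the loading process, so confirming that the parent is a validly signed vendor binary needs the executable’s own load event or a separate Authenticode check. Portable applications that bundle unsigned DLLs will also match, so the rule needs an allowlist keyed on file hash rather than on path or signer.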
ToddyCat’s campaign is a significant threat to telecommunications organizations and governments in Central and Southeast Asia. Its reliance on spear-phishing and DLL sideloading carries a practical lesson for defenders: the executable that launches the implant is legitimate and validly signed, so allowlisting by signer or blocking known-bad binaries does not stop it. Detection has to key on the behaviour instead, a trusted signed program loading an unsigned library from the user-writable folder where an archive was extracted. While the tools themselves are disposable and hard to track, the command-and-control infrastructure is easier to identify and gives defenders something to block and hunt on. A layered approach combining email protection, in particular inspection of archive attachments, with endpoint detection and response is recommended against ToddyCat and similar actors.