Chinese Stayin Alive Attacks Dance Onto Targets With Dumb Malware

Published: 23/11/2024   Category: security



A sophisticated APT known as ToddyCat, sponsored by Beijing, is cleverly using unsophisticated malware to keep defenders off their trail.



Chinese advanced persistent threats (APTs) are known for being sophisticated, but the ToddyCat group is bucking the trend, compromising telecommunications organizations in Central and Southeast Asia using a constantly evolving arsenal of custom-developed, but very simple, backdoors and loaders.
ToddyCat was first discovered last year, though it has been in operation since at least 2020. According to Check Point, it has previously been linked with Chinese espionage operations.
In a blog post published this week, Check Point's researchers described how the group is staying nimble these days: by deploying, and just as quickly throwing away, cheap malware it can use to drop its payloads.
Victims of its latest Stayin Alive campaign — active since at least 2021 — include telcos from Kazakhstan, Pakistan, Uzbekistan, and Vietnam. The precise extent of their reach, and whether they caused any damage, are yet unknown.
Stayin Alive attacks begin with spear phishing emails containing archive files. Once executed, the archive files are designed to take advantage of CVE-2022-23748, a 7.8 out of 10 High criticality DLL sideloading vulnerability in Dante AV systems software. ToddyCat uses such DLL sideloading — a popular technique, especially among Chinese threat actors — to drop loaders and downloaders onto targeted devices.
These loaders and downloaders are not nearly to the specs one would expect of a high-level, state-affiliated threat actor, explains Sergey Shykevich, threat intelligence group manager at Check Point.
"They have relatively basic functionality, but they're good enough to achieve initial goals, like allowing the attacker to get basic reports about infected machines: computer name, user name, system info, some directories, and so on. They also include the functionality of shelling, allowing the execution of any command the attacker wants," he explains.
"Our assumption is that via the shell, they were able to implement additional backdoors and modules," he adds, though the research didn't extend to finding out what payloads they ultimately did deploy.
Though at first it might seem lazy or ineffectual, there is reasoning behind using such basic tools instead of more sophisticated, multifunctional weapons of cyberwar.
"The smaller the tool, the more difficult it is to detect," Shykevich explains. "And also, when it's a small tool, it's relatively easy to adjust it to a target."
Easier to adjust, and less expensive to throw away. Typically, researchers identify and track APTs by cross-referencing details between different attacks. With ToddyCat, however, it's impossible to do that — each of its malware samples has zero discernible overlap with known malware families, or even with one another. The researchers expect that they're likely discarded for new samples even after little use. "The small changes mean that you can catch one of them, but it won't be so straightforward to catch all the others. It will require some additional work," Shykevich says.
That said, ToddyCat is undone by the fact that each sample traces back to its easily identifiable command-and-control (C2) infrastructure.
To defend against such a nimble attacker, Shykevich recommends a layered approach. "The first layer here, for example, was the email — you should have proper email protection to identify a malicious attachment," he advocates. "But another level is endpoint detection and response (EDR) endpoints, to identify for example the DLL sideloading and malicious shell activity."
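As an added illustration of the EDR-side detection Shykevich describes (example code written for this page, not from Check Point or the research), the Python sketch below runs over constructed image-load and process-creation events and flags the chain the article outlines: a system-named DLL loaded from an application folder, followed by a shell spawned by that same process. The DLL names, paths and the vendor application name are assumptions, not indicators from the campaign.

```python
"""Detection sketch for a DLL-sideloading -> shell chain over constructed telemetry."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed watch-list: DLLs that legitimately live in the Windows system directories.
# A copy of one of these loaded from an application folder is the classic
# sideloading indicator an EDR looks for (names are examples, not campaign IoCs).
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass
class Event:
    kind: str      # "image_load" or "process_create"
    process: str   # image path of the process doing the load / spawn
    target: str    # DLL path for image_load, child image path for process_create


def is_sideload(ev: Event) -> bool:
    """True when a system-named DLL is loaded from outside the system directories."""
    if ev.kind != "image_load":
        return False
    path = PureWindowsPath(ev.target)
    parent = str(path.parent).lower()
    return path.name.lower() in SYSTEM_DLLS and not parent.startswith(SYSTEM_DIRS)


def find_sideload_to_shell(events):
    """Return (process, shell) pairs where a process sideloaded a DLL, then spawned a shell."""
    sideloaded = set()
    hits = []
    for ev in events:
        if is_sideload(ev):
            sideloaded.add(ev.process.lower())
        elif (ev.kind == "process_create"
              and ev.process.lower() in sideloaded
              and PureWindowsPath(ev.target).name.lower() in SHELLS):
            hits.append((ev.process, ev.target))
    return hits


# Constructed sample telemetry (not real data); "VendorApp" is a placeholder application.
APP = r"C:\Program Files\VendorApp\vendor_app.exe"
SAMPLE = [
    Event("image_load", APP, r"C:\Windows\System32\kernel32.dll"),         # benign
    Event("image_load", APP, r"C:\Program Files\VendorApp\version.dll"),   # sideload
    Event("process_create", APP, r"C:\Windows\System32\cmd.exe"),         # shell after sideload
    Event("image_load", r"C:\Windows\explorer.exe", r"C:\Windows\System32\version.dll"),  # benign
]

if __name__ == "__main__":
    for proc, shell in find_sideload_to_shell(SAMPLE):
        print(f"ALERT: {proc} sideloaded a system-named DLL and spawned {shell}")
```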
