December 3, 2025

Threat Intelligence Report: ToddyCat Deep Dive

Protos AI Agent V2

#ToddyCat #ThreatIntelligence #M365Security #CVE202411859

Date: 2025-11-28 | Classification: TLP:CLEAR

Executive Summary

🔍 ToddyCat is a China-linked advanced persistent threat (APT) active since at least 2020 and focused on long-term espionage against government, defense, and other high-value organizations. In 2024–2025 the group upgraded its toolkit and techniques: moving beyond browser credential theft to directly exfiltrating Outlook mail archives (OST/PST) and harvesting Microsoft 365 OAuth2 access tokens.

🚨 Key changes observed: new tools (TomBerBil/TomBerBill PowerShell variants, TCSectorCopy/xCopy sector copier, TCESB version[.]dll proxy) and token extraction techniques (SharpTokenFinder, ProcDump-based memory dumps) combined with exploitation of CVE-2024-11859 in ESET and BYOVD techniques (DBUtilDrv2[.]sys / CVE-2021-36276) to evade protections.

Risk: High for organizations using ESET products without the April 2025 patch, organizations with lax SMB auditing, or those relying solely on host-based monitoring without cloud token protections.

Investigation Scope

  • Objective: Deep-dive on ToddyCat APT — tooling, TTPs, campaign timeline, and full IOC enrichment across public vendor reporting and open-source intelligence.
  • Timeframe: Earliest public reporting (~2020) through Nov 2025 (inclusive).
  • Sources: Kaspersky Securelist technical reports (primary), ESET advisory (CA8810), vendor reporting (DarkReading, CSO Online, TheHackerNews), Protos Threat Feed and VirusTotal enrichment attempts, and passive infrastructure lookups (WhoisXML DNS, Shodan, FOFA). Raw tool outputs are logged in system tool logs for reviewer verification.

Key Findings

High Confidence

  • ToddyCat evolved to target Outlook OST/PST files and Microsoft 365 access tokens in 2024–2025. (Evidence: Kaspersky Securelist detailed analyses; ESET advisory; media corroboration.)
  • TCESB (malicious version[.]dll) implements DLL-proxying and kernel-level modifications; Kaspersky provides detailed code analysis and sample hashes (some samples appear vendor-private). (Evidence: Kaspersky Securelist.)
  • CVE-2024-11859 (ESET DLL search-order hijacking) is a real vulnerability patched by ESET in April 2025; vendors observed ToddyCat attempting to abuse it. (Evidence: ESET advisory CA8810; Kaspersky analysis.)
  • TomBerBil/TomBerBill (PowerShell family) is used from domain controllers to collect browser artifacts and DPAPI keys across SMB shares; TCSectorCopy copies OST files at block/sector level for offline parsing by XstReader. (Evidence: Kaspersky Securelist.)

Medium Confidence

  • Several file hashes and artifacts reported by vendors (version[.]dll hashes, xCopy[.]exe, ip445[.]ps1, stf[.]exe) are accurate as reported by Kaspersky but were not found in public VirusTotal/Protos feeds during enrichment — likely vendor-private samples. (Evidence: Protos and VT queries logged.)
  • Protos Threat Feed matched ip445[.]ps1 to a STIX record referencing an obfuscated PS1 download URL pattern (ps1-local[.]com/obfs3ip2[.]bs64). The domain showed no DNS/Shodan footprint during queries and may be short-lived, sinkholed, or attacker-controlled with limited exposure. (Evidence: Protos feed result; WhoisXML DNS and Shodan/FOFA queries returned no records.)

Low / Insufficient Confidence

  • Public enrichment of some vendor-supplied hashes via VirusTotal returned 404 (not found); without vendor-provided sample artifacts or broader sharing, public enrichment is limited. (Evidence: VT API responses.)

Technical Analysis & MITRE ATT&CK Mapping 🔍

  • TCSectorCopy / xCopy (OST export): T1114 (Email Collection) — HIGH
  • Browser cookie/token theft & DPAPI extraction: T1555.003 (Credentials from Web Browsers), T1003 (OS Credential Dumping) — HIGH
  • SharpTokenFinder / ProcDump memory dumping of Outlook for tokens: T1003 — HIGH
  • DLL Search Order Hijacking (version[.]dll / CVE-2024-11859): T1574.008 — HIGH
  • Kernel-level defense suppression via TCESB: T1562.001 — HIGH
  • Scheduled tasks and lateral SMB collection (TomBerBil/TomBerBill): T1053.005, T1021.002 — HIGH
  • Exploitation of vulnerable drivers (DBUtilDrv2[.]sys / CVE-2021-36276): T1068 — MEDIUM

TTPs and Observed Behaviors

Each entry below lists, in order: Phase; Observed TTP / Behavior; MITRE ATT&CK (ID); Tools / Artifacts (defanged); Evidence (source); Confidence; Detection / Hunting Notes.

Initial Access
  • TTP / Behavior: Exploitation of internet-facing services (Exchange) and credential phishing
  • MITRE ATT&CK: T1190, T1566
  • Tools / Artifacts: n/a (behavioral)
  • Evidence: Vendor reporting (historical)
  • Confidence: Medium
  • Detection / Hunting: Monitor Exchange/IIS logs for unusual POST/GET patterns, brute-force or webshell indicators; alert on atypical auth locations.

Execution
  • TTP / Behavior: PowerShell execution on DCs with bypass flags (scheduled task: powershell -exec bypass -command "c:\programdata\ip445[.]ps1")
  • MITRE ATT&CK: T1059.001 (PowerShell)
  • Tools / Artifacts: ip445[.]ps1 (script)
  • Evidence: Kaspersky Securelist
  • Confidence: High
  • Detection / Hunting: Enable ScriptBlockLogging and ModuleLogging; SIEM rule for scheduled tasks launching PowerShell with -exec bypass from privileged hosts.

Persistence
  • TTP / Behavior: Scheduled tasks created on domain controllers to run collection scripts
  • MITRE ATT&CK: T1547
  • Tools / Artifacts: Scheduled tasks calling PowerShell scripts
  • Evidence: Kaspersky Securelist
  • Confidence: High
  • Detection / Hunting: Alert on scheduled task creation/modification (EventID 4698/4702) on DCs that reference ProgramData or temp paths.

Lateral Movement
  • TTP / Behavior: SMB enumeration and copying of user profile/browser files via admin shares (\\<host>\c$\users\)
  • MITRE ATT&CK: T1021.002
  • Tools / Artifacts: SMB transfer of browser/DPAPI files
  • Evidence: Kaspersky Securelist
  • Confidence: High
  • Detection / Hunting: Monitor EventID 5145 SMB share access; hunt for DCs accessing many user profiles or mass copies of browser/profile files.

Credential Access
  • TTP / Behavior: Steal browser credentials and DPAPI master keys (copy Login Data, Local State, Cookies, %AppData%\Microsoft\Protect)
  • MITRE ATT&CK: T1555.003 (Credentials from Web Browsers), T1003 (OS Credential Dumping)
  • Tools / Artifacts: Browser files; Microsoft\Protect files (defanged)
  • Evidence: Kaspersky Securelist
  • Confidence: High
  • Detection / Hunting: Audit access to browser profile paths and DPAPI master key folders; alert on remote reads of %AppData% locations.

Defense Evasion
  • TTP / Behavior: DLL proxying / search-order hijack (malicious version[.]dll); kernel callback modification via BYOVD using a signed vulnerable driver
  • MITRE ATT&CK: T1574 (Hijack Execution Flow), T1211 (Exploitation for Defense Evasion)
  • Tools / Artifacts: version[.]dll (malicious proxy), DBUtilDrv2[.]sys (vulnerable signed driver)
  • Evidence: Kaspersky Securelist; ESET advisory (CVE-2024-11859)
  • Confidence: High
  • Detection / Hunting: Detect duplicate version.dll outside system dirs; monitor driver install events and known vulnerable signed drivers; watch for Microsoft PDB downloads on non-debug hosts.

Defense Evasion (tooling)
  • TTP / Behavior: TCESB disables security notifications by modifying kernel structures; fetches symbol info for offsets
  • MITRE ATT&CK: T1562 (Impair Defenses), T1574 (variant)
  • Tools / Artifacts: TCESB (malicious DLL)
  • Evidence: Kaspersky Securelist
  • Confidence: High
  • Detection / Hunting: Monitor for unusual kernel symbol fetching and callback changes; alert on tools that attempt to modify kernel callbacks.

Credential & Token Access
  • TTP / Behavior: Memory dump of Office processes to extract OAuth2/JWT tokens (SharpTokenFinder or ProcDump usage)
  • MITRE ATT&CK: T1055 (Process Injection / memory), T1539 (Steal Web Session Cookie)
  • Tools / Artifacts: SharpTokenFinder; procdump64[.]exe -accepteula -ma OUTLOOK[.]exe
  • Evidence: Kaspersky Securelist
  • Confidence: High
  • Detection / Hunting: Alert on ProcDump usage with a command line containing OUTLOOK.exe; watch for LSASS/Office memory dump patterns and anomalous handle access.

Collection
  • TTP / Behavior: Sector-by-sector copy of locked OST files (raw disk), offline export (XstReader/XstExport)
  • MITRE ATT&CK: T1005 (Data from Local System), T1114 (Email Collection)
  • Tools / Artifacts: xCopy[.]exe / TCSectorCopy, XstExport[.]exe, SectorCopy[.]pdb
  • Evidence: Kaspersky Securelist
  • Confidence: High
  • Detection / Hunting: Sysmon EventID 9 (RawAccessRead) for raw disk reads; alert on processes doing raw reads and temp copies of .ost files (names with “@”).

Exfiltration
  • TTP / Behavior: Archive and transfer collected OST/browser artifacts via SMB; use stolen tokens to access M365 mailboxes externally
  • MITRE ATT&CK: T1041 (Exfiltration Over C2 Channel), T1567 (Exfiltration Over Web Service)
  • Tools / Artifacts: dmp.rar archives, SMB transfers, cloud API usage via stolen tokens
  • Evidence: Vendor reporting + enrichment feeds
  • Confidence: High
  • Detection / Hunting: Monitor for mass archive creation and unusual SMB transfers; in cloud, detect large mailbox read/export via Graph/EWS from novel IPs or service principals.

Impact / Persistence
  • TTP / Behavior: Token reuse allows long-term mailbox access even after host remediation
  • MITRE ATT&CK: T1078 (Valid Accounts) / persistence via cloud tokens
  • Tools / Artifacts: Stolen OAuth2 tokens (defanged)
  • Evidence: Vendor reporting
  • Confidence: High
  • Detection / Hunting: Revoke tokens and reset creds on suspected compromise; enable Continuous Access Evaluation/Conditional Access and rotate refresh tokens.

Detection & Hunting Playbook 🎯

  1. Hunt for process memory dumps referencing OUTLOOK[.]exe or large .dmp files in user or temp directories; look for ProcDump command-lines similar to: procdump64[.]exe -accepteula -ma OUTLOOK[.]exe. (High priority)
  2. Detect the presence of version[.]dll or other system DLL names in temp or application directories; verify digital signatures and unusual file owner/source. (High priority)
  3. Monitor for suspicious raw-disk reads or DeviceIoControl / IoControl calls to physical devices by non-standard processes; correlate with creation/copying of large OST/PST files (SectorCopy/xCopy artifacts). (High priority)
  4. Alert on scheduled task creation by unusual accounts or on domain controllers; correlate with SMB connections to user profile shares and mass copying of AppData and browser stores (EventID 5145 / SMB audit logs). (Medium priority)
  5. Inventory drivers; alert on loading or installation of drivers known to be vulnerable (e.g., DBUtilDrv2[.]sys CVE-2021-36276). (Medium priority)
  6. Harden Microsoft 365: monitor token creation/refresh events, anomalous session activity, enforce CA, short token lifetimes and continuous access evaluation (CAE); rotate and revoke tokens after suspected compromise. (High priority)
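The host-side hunts above (items 1 to 5) and the Detection / Hunting notes in the TTP section can be expressed as rules over process, image-load, driver-load, raw-access and scheduled-task telemetry. The following is an added example written for this report, not tooling from Protos or any vendor cited here; the event records, hostnames, paths, the DC naming pattern and the raw-read allowlist are constructed assumptions, and the command lines and file names come from the report itself.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not from the report), shaped like Sysmon/Security
# fields: 1=ProcessCreate, 6=DriverLoad, 7=ImageLoad, 9=RawAccessRead,
# 4698=scheduled task created. Hostnames and user paths are made up.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "cmdline": "procdump64.exe -accepteula -ma OUTLOOK.exe out.dmp"},
    {"id": 4698, "host": "DC01", "cmdline": r'powershell -exec bypass -command "c:\programdata\ip445.ps1"'},
    {"id": 7, "host": "WS02", "loaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"id": 7, "host": "WS02", "loaded": r"C:\Windows\System32\version.dll"},
    {"id": 9, "host": "WS03", "image": r"C:\Windows\Temp\xCopy.exe", "device": r"\Device\HarddiskVolume2"},
    {"id": 9, "host": "WS03", "image": r"C:\Windows\System32\vssvc.exe", "device": r"\Device\HarddiskVolume2"},
    {"id": 6, "host": "WS03", "loaded": r"C:\Windows\Temp\DBUtilDrv2.sys"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
RAW_READ_ALLOWLIST = {"vssvc.exe", "vmms.exe"}  # assumed benign raw readers; tune per estate
VULNERABLE_DRIVERS = {"dbutildrv2.sys"}          # CVE-2021-36276, as named in the report
DC_PATTERN = re.compile(r"^DC\d+$", re.I)        # assumed domain-controller naming convention

def _base(path):
    return PureWindowsPath(path).name.lower()

def evaluate(event):
    """Return the playbook rule names the event matches (empty list if none)."""
    hits, eid = [], event["id"]
    cmd, loaded = event.get("cmdline", "").lower(), event.get("loaded", "")
    # Playbook 1: ProcDump full dump (-ma) of Outlook, the token-extraction precursor.
    if eid == 1 and "procdump" in cmd and "-ma" in cmd and "outlook.exe" in cmd:
        hits.append("procdump_outlook")
    # Playbook 4: task on a DC launching PowerShell with -exec bypass or a ProgramData script.
    if eid == 4698 and DC_PATTERN.match(event["host"]) and "powershell" in cmd \
            and ("bypass" in cmd or "\\programdata\\" in cmd):
        hits.append("dc_task_powershell_bypass")
    # Playbook 2: a system DLL name loaded from outside the system directories (DLL proxying).
    if eid == 7 and _base(loaded) == "version.dll" and not loaded.lower().startswith(SYSTEM_DIRS):
        hits.append("version_dll_outside_system_dir")
    # Playbook 3: raw disk read by a non-allowlisted process (how locked OST files get copied).
    if eid == 9 and _base(event.get("image", "")) not in RAW_READ_ALLOWLIST:
        hits.append("raw_disk_read_unusual_process")
    # Playbook 5: load of a driver on the known-vulnerable list (BYOVD).
    if eid == 6 and _base(loaded) in VULNERABLE_DRIVERS:
        hits.append("vulnerable_driver_load")
    return hits

def hunt(events):
    """Return (host, event id, rule hits) for every event matching at least one rule."""
    scored = [(e["host"], e["id"], evaluate(e)) for e in events]
    return [row for row in scored if row[2]]
```

Feed real Sysmon/Security events through the same field mapping and the two benign records (version.dll under System32, vssvc.exe raw read) show why the system-directory and allowlist checks are needed to keep the rules from firing on normal activity.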

Recommendations (Prioritized) 🚨

  1. Patch ESET products immediately to versions addressing CVE-2024-11859; verify patch rollout. (Critical)
  2. Revoke and rotate OAuth tokens for suspected accounts; enforce conditional access policies (MFA + device compliance). (High)
  3. Identify and remediate vulnerable signed drivers (e.g., DBUtilDrv2[.]sys); restrict driver installation and enable kernel-mode signing enforcement. (High)
  4. Deploy detections for ProcDump usage, suspicious IoControl/raw disk access, and DLLs loaded from non-system directories; tune SIEM/EDR to alert on relevant command-lines and file creation. (High)
  5. Hunt for OST/PST exfiltration, SMB access patterns from domain controllers, and TomBerBil scheduled task artifacts; prepare containment and token-revocation playbooks. (High)
  6. Reduce administrative privileges and restrict lateral SMB access from domain controllers; apply least privilege. (Medium)
  7. Enable detailed logging for process creation, driver loads, kernel events, and DNS queries; centralize telemetry for rapid correlation. (Medium)

IOCs (Defanged) — Full list used in analysis

File hashes (reported by vendors; likely vendor-private in some cases)


Filenames & paths (defanged)

  • C:\programdata\ip445[.]ps1
  • C:\Windows\Temp\xCopy[.]exe
  • C:\Windows\Temp\XstExport[.]exe
  • c:\windows\temp\stf[.]exe
  • version[.]dll (malicious proxy)
  • O:\Projects\Penetration\Tools\SectorCopy\Release\SectorCopy[.]pdb

Tools / utilities

  • TomBerBil / TomBerBill (PowerShell script family)
  • TCSectorCopy / xCopy[.]exe
  • XstReader / XstExport[.]exe
  • SharpTokenFinder (token memory search utility)
  • ProcDump / procdump64[.]exe (e.g., procdump64[.]exe -accepteula -ma OUTLOOK[.]exe)

CVEs and vulnerable components

  • CVE-2024-11859 (ESET DLL search order hijacking) — HIGH
  • CVE-2021-36276 (DBUtilDrv2[.]sys) — MEDIUM

Notes: All IOCs are defanged. Several hashes were not present in public VirusTotal during enrichment and may require vendor sample submission for confirmation.

Evidence & Attribution

Primary technical evidence: Kaspersky / Securelist reports (detailed analysis), ESET advisory CA8810, DarkReading/CSO/TheHackerNews summaries, Check Point research newsletter, vendor advisories and CERT notices (ThaiCERT). Protos Threat Feed and VirusTotal enrichment attempts were performed during research; some items matched STIX records while several hashes returned 404 (not found) in public VT at time of checks.

Confidence: HIGH for core technical claims (OST copying, DLL hijacking, token extraction techniques); MEDIUM for specific file hashes and certain driver usage where vendor-private samples are referenced; LOW for infrastructure where public enrichment was not possible.

Recommended Next Steps for Analysts

  • Submit suspected samples (version[.]dll, xCopy[.]exe, ip445[.]ps1) and telemetry to vendor labs (Kaspersky/ESET/Check Point) or threat intelligence providers to obtain richer indicators and behavioral detections. (Actionable)
  • Run targeted hunts for OST/PST exfil artifacts, ProcDump usage, and scheduled tasks created by TomBerBil variants. Collect memory/process dumps for forensic analysis when safe and authorized. (Actionable)
  • Revoke compromised M365 tokens and perform account resets where token theft is suspected; implement conditional access and CAE. (Immediate)
  • If host compromise is confirmed: isolate, collect disk/memory images, and engage incident response vendors for deep sample analysis. (Actionable)

Limitations & Notes

  • Public enrichment of some vendor-supplied hashes returned no results in VirusTotal at the time of analysis; this suggests many samples are vendor-private or short-lived. Analysts should obtain vendor IOC bundles or samples for better enrichment.
  • I cannot perform sandbox detonations or internal telemetry queries in your environment; the recommendations here are what analysts should execute with appropriate tools and containment controls.

Closing Notes & Evidence

Prepared by: Threat Intelligence Analyst

Primary references and evidence are cited in the artifacts and system tool logs (Kaspersky Securelist, ESET advisory CA8810, DarkReading, CSO Online, TheHackerNews, Check Point research, ThaiCERT). Raw tool outputs are available for reviewer verification.
