The advanced persistent threat (APT) group known as ToddyCat has been observed using a new set of malicious tools to conduct espionage campaigns against government and military entities in Europe and Asia. Cybersecurity researchers have identified two new malware components, dubbed ‘Samurai’ and ‘Ninja’, specifically designed to exfiltrate sensitive data from compromised networks.
These attacks have targeted high-profile organizations, leveraging sophisticated tools to maintain persistence and steal valuable information. The campaign demonstrates the group’s evolving capabilities and focus on data theft from Microsoft environments.
The ‘Samurai’ Backdoor: A Tool for Data Exfiltration
One of the primary tools in ToddyCat’s new arsenal is the ‘Samurai’ backdoor. This malware is a passive backdoor, meaning it does not actively initiate communication with its command-and-control (C2) server. Instead, it waits for specific network packets to arrive, upon which it executes commands. The primary function of Samurai is file exfiltration. It is specifically programmed to locate and steal Microsoft Outlook data files, including both offline storage tables (.ost) and personal storage tables (.pst). The malware achieves this by searching for these files on compromised systems and uploading them to attacker-controlled infrastructure.
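A defender-side detection sketch, added here and not part of the article or of any ToddyCat tooling: it scans file-access events for processes other than Outlook opening .ost/.pst files, the behaviour the Samurai backdoor is described as having, and escalates a process that touches several users' mailbox files. The event format, the process allow-list and the sample lines are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed event format for this example (not a real product's log schema):
#   host="<hostname>" process="<image name>" path="<file opened>"
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
OUTLOOK_DATA_FILE_RE = re.compile(r"\.(?:ost|pst)$", re.IGNORECASE)

# Image names expected to open Outlook data files.
# Assumption: an allow-list to tune per environment (backup agents, indexers, ...).
EXPECTED_PROCESSES = {"outlook.exe", "searchprotocolhost.exe"}


@dataclass(frozen=True)
class FileAccessEvent:
    host: str
    process: str
    path: str


def parse_event(line: str) -> Optional[FileAccessEvent]:
    """Parse one constructed event line; None if a required field is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not {"host", "process", "path"}.issubset(fields):
        return None
    return FileAccessEvent(fields["host"], fields["process"], fields["path"])


def flag_outlook_file_access(lines: List[str]) -> List[FileAccessEvent]:
    """Events where a process outside the allow-list opened an .ost/.pst file."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not OUTLOOK_DATA_FILE_RE.search(ev.path):
            continue
        if ev.process.lower() not in EXPECTED_PROCESSES:
            alerts.append(ev)
    return alerts


def processes_sweeping_mailboxes(alerts: List[FileAccessEvent], min_files: int = 2) -> List[Tuple[str, str]]:
    """(host, process) pairs that opened at least min_files distinct Outlook data files:
    one process collecting many mailbox files is the exfiltration pattern to escalate."""
    distinct: Dict[Tuple[str, str], Set[str]] = {}
    for a in alerts:
        distinct.setdefault((a.host, a.process.lower()), set()).add(a.path.lower())
    return sorted(k for k, paths in distinct.items() if len(paths) >= min_files)


# Constructed sample events: one benign Outlook open, one unrelated file, two suspicious opens.
SAMPLE_EVENTS = [
    'host="ws01" process="OUTLOOK.EXE" path="C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice.ost"',
    'host="ws01" process="svchost.exe" path="C:\\Windows\\System32\\drivers\\etc\\hosts"',
    'host="ws02" process="updater.exe" path="C:\\Users\\bob\\AppData\\Local\\Microsoft\\Outlook\\bob.ost"',
    'host="ws02" process="updater.exe" path="C:\\Users\\bob\\Documents\\archive2019.pst"',
]
```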
Gaining Cloud Access with the ‘Ninja’ Trojan
In addition to the Samurai backdoor, ToddyCat employs the ‘Ninja’ trojan. This tool is used in the post-exploitation phase of an attack, after initial access to a network has been established. Ninja is designed to help the attackers move laterally within a network and gain access to Microsoft 365 accounts. It allows the threat actors to control compromised Microsoft Exchange servers. From this position, Ninja can inspect network traffic, identify credentials, and intercept session cookies. These captured credentials and tokens are then used to access cloud-based email accounts and other Microsoft 365 services, enabling further data theft directly from the cloud.
Source: https://thehackernews.com/2025/11/toddycats-new-hacking-tools-steal.html