S1100 Ninja

Ninja is malware written in C++ that ToddyCat has used to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post-exploitation toolkit used exclusively by ToddyCat, and it allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and has been observed in specific infection chains being deployed by Samurai.[1]

Item | Value
ID | S1100
Associated Names |
Type | MALWARE
Version | 1.1
Created | 11 January 2024
Last Modified | 22 October 2025

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | Ninja can use HTTP for C2 communications.[1]
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | Ninja can create the services httpsvc and w3esvc for persistence.[1]
enterprise | T1132 | Data Encoding | -
enterprise | T1132.002 | Non-Standard Encoding | Ninja can encode C2 communications with a base64 algorithm using a custom alphabet.[1]
enterprise | T1001 | Data Obfuscation | Ninja has the ability to modify headers and URL paths to hide malicious traffic in HTTP requests.[1]
enterprise | T1001.003 | Protocol or Service Impersonation | Ninja has the ability to mimic legitimate services with customized HTTP URL paths and headers to hide malicious traffic.[1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | The Ninja loader component can decrypt and decompress the payload.[1][2]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | Ninja can XOR and AES encrypt C2 messages.[1]
enterprise | T1480 | Execution Guardrails | -
enterprise | T1480.001 | Environmental Keying | Ninja can store its final payload in the Registry under $HKLM\SOFTWARE\Classes\Interface\ encrypted with a dynamically generated key based on the drive's serial number.[1]
enterprise | T1083 | File and Directory Discovery | Ninja has the ability to enumerate directory content.[1][2]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.001 | DLL | Ninja loaders can be side-loaded with legitimate and signed executables, including the VLC.exe media player.[2]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.006 | Timestomp | Ninja can change or create the last access or write times.[1]
enterprise | T1559 | Inter-Process Communication | Ninja can use pipes to redirect the standard input and the standard output.[1]
enterprise | T1680 | Local Storage Discovery | Ninja can obtain information on physical drives from targeted hosts.[1][2]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Resource Name or Location | Ninja has used legitimate-looking filenames for its loader, including update.dll and x64.dll.[2]
enterprise | T1106 | Native API | The Ninja loader can call Windows APIs for discovery, process injection, and payload decryption.[1][2]
enterprise | T1095 | Non-Application Layer Protocol | Ninja can forward TCP packets between the C2 and a remote host.[1][2]
enterprise | T1027 | Obfuscated Files or Information | -
enterprise | T1027.013 | Encrypted/Encoded File | The Ninja payload is XOR encrypted and compressed.[2] Ninja has also XORed its configuration data with a constant value of 0xAA.[1][2]
enterprise | T1027.015 | Compression | Ninja has compressed its data with the LZSS algorithm.[1][2]
enterprise | T1566 | Phishing | -
enterprise | T1566.003 | Spearphishing via Service | Ninja has been distributed to victims via the messaging app Telegram.[1]
enterprise | T1057 | Process Discovery | Ninja can enumerate processes on a targeted host.[1][2]
enterprise | T1055 | Process Injection | Ninja has the ability to inject an agent module into a new process and arbitrary shellcode into running processes.[1][2]
enterprise | T1090 | Proxy | -
enterprise | T1090.001 | Internal Proxy | Ninja can proxy C2 communications, including to and from internal agents without internet connectivity.[1][2]
enterprise | T1090.003 | Multi-hop Proxy | Ninja has the ability to use a proxy chain with up to 255 hops when using TCP.[1]
enterprise | T1029 | Scheduled Transfer | Ninja can configure its agent to work only in specific time frames.[1]
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.011 | Rundll32 | Ninja loader components can be executed through rundll32.exe.[2]
enterprise | T1082 | System Information Discovery | Ninja can obtain the computer name and information on the OS from targeted hosts.[1][2]
enterprise | T1016 | System Network Configuration Discovery | Ninja can enumerate the IP address on compromised systems.[1]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | Ninja has gained execution through victims opening malicious executable files embedded in zip archives.[1]

Groups That Use This Software

ID | Name | References
G1022 | ToddyCat | [1]

References