tchTowr is a threat actor handle identified in reporting on criminal competition around compromised internet-exposed FreePBX, Elastix, Issabel, and Sangoma systems used for VoIP toll fraud and International Revenue Share Fraud. In the cited reporting, tchTowr is not described as the primary operator of the observed malware campaign; rather, artifacts associated with tchTowr were explicitly targeted for removal by a newer FreePBX malware variant deployed via the VictamPbx webshell. The malware removed competitor-associated FreePBX and OS accounts including "tchTowr" and deleted files matching rival signature strings as part of a territorial effort to gain exclusive control of vulnerable PBX infrastructure. The reporting places tchTowr alongside other competing criminal actors including Juba VoIP, Nahda, Badr/b3d0r, nvd0rz, and yokyok. Mentioned context also suggests the nvd0rz and tchTowr handles may represent distinct competing operations with different regional origins. No nation-state attribution is provided in the content. Known alias in the content: tchtowr / tchTowr.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.