
Tofsee

Tofsee, also known as Gheg, is a modular C/C++ malware family primarily associated with spam botnet operations. The cited reporting, assessed at high confidence, describes it as designed to send spam email while also supporting broader botnet activity: cryptocurrency mining, theft of login and email credentials, and downloading additional malware, most commonly ransomware or banking trojans. It uses a range of techniques to evade detection and maintain persistence on infected Windows systems.

Tofsee stores chained configuration data locally so that it survives reboots. Reported storage locations are the NTFS alternate data streams %USERPROFILE%:.repos and %USERPROFILE%\Local Settings:.repos, the file paths %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.repos and %USERPROFILE%\wincookie.repos, and the registry keys HKEY_CURRENT_USER\Control Panel\Buses\Config0 and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Buses\Config0. Stored configuration data is encoded with a simple XOR algorithm. The work_srv and start_srv configuration structures are singled out as important because they are retrieved during the initial command-and-control connection.

The malware has been referenced as a plugin-based spambot and as a botnet that has dropped follow-on payloads. One cited report notes that Tofsee has previously been propagated via the C++-based loader PrivateLoader. Another report links Tofsee to spam-delivery activity in campaigns distributing Strela Stealer, where Tofsee was used as a botnet-origin source for spam while separate infrastructure hosted the first-stage malware.

The content also describes a newer Tofsee botnet variant tracked by Dragos as “Tesseract.” Dragos assessed that darkteam.store may have functioned as a check-in location for infected systems, and observed 12,735 likely Tofsee-infected IPs using 271 unique user agents to access a non-public page on that site with a user-agent containing the artifact “Tesseract/1.0.” Dragos identified three JA3 hashes attributed to this variant: 5732cd1c2c85c7548ef840e05f42feec, 45728c30345dddda40cd01ee2f7a4c8e, and 9f681ac5cde4d035b5d3dc040bda1a34. The same reporting states that some JA3 hashes associated with this botnet overlap with legitimate browser JA3 hashes. Dragos also provided two SHA-256 hashes labeled as Tofsee botnet malware: 6ce6c04ffb7f0ac158c0e340b52d2ebdb48fd089bd24c6fdbf81947bce0e476d and 2701f35430167bbb99f334c81088af75f8209a07cb1bcbf9c765a4968af2fbaa.

The content also describes a vulnerability in Tofsee itself: improper length validation during CRC32 processing of packet data. A crafted ResourceStructure packet whose 4-byte len field has been manipulated causes an out-of-bounds read when update_config_resource hands the data to the CRC32 routine during InmemoryConfig parsing, which can crash the malware process.
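A hunting check for the storage locations listed above, added here as an example (it is not from the cited reports or from Mallory). It assumes NTFS, Windows PowerShell 5.1 or later, and that it runs as the user whose profile is inspected, since HKCU: is the current user's hive.

```powershell
# Checks the six Tofsee configuration storage locations named in the profile above.
# Illustrative code written for this page; $UserProfile can point at another profile
# directory, but the registry checks always read the hive of the current user.
function Find-TofseeConfigArtifacts {
    param([string]$UserProfile = $env:USERPROFILE)

    # "Local Settings" is a junction to AppData\Local on modern Windows, so the
    # legacy paths from the reports still resolve to live directories.
    $local = Join-Path $UserProfile 'Local Settings'

    # 1. NTFS alternate data streams named ".repos" on two directories
    foreach ($dir in @($UserProfile, $local)) {
        $ads = Get-Item -LiteralPath $dir -Stream '.repos' -ErrorAction SilentlyContinue
        $detail = ''
        if ($ads) { $detail = "$($ads.Length) bytes" }
        [pscustomobject]@{ Kind = 'ADS'; Location = "${dir}:.repos"; Present = [bool]$ads; Detail = $detail }
    }

    # 2. Regular files carrying the .repos name
    $files = @((Join-Path $local 'Application Data\Microsoft\Windows\UsrClass.dat.repos'),
               (Join-Path $UserProfile 'wincookie.repos'))
    foreach ($file in $files) {
        $item = Get-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
        $detail = ''
        if ($item) { $detail = "$($item.Length) bytes, modified $($item.LastWriteTimeUtc.ToString('u'))" }
        [pscustomobject]@{ Kind = 'File'; Location = $file; Present = [bool]$item; Detail = $detail }
    }

    # 3. Registry: neither parent normally contains a "Buses" key, so its presence is itself notable
    foreach ($key in @('HKCU:\Control Panel\Buses', 'HKCU:\SOFTWARE\Microsoft\Buses')) {
        $present = Test-Path -LiteralPath $key
        $detail = ''
        if ($present) {
            # Config0 may be stored as a subkey or as a value; report whichever Config* names exist
            $k = Get-Item -LiteralPath $key
            $detail = (@($k.GetSubKeyNames()) + @($k.GetValueNames()) | Where-Object { $_ -like 'Config*' }) -join ', '
        }
        [pscustomobject]@{ Kind = 'Registry'; Location = "$key\Config0"; Present = $present; Detail = $detail }
    }
}

# One row per location with a Present flag; pipe to Export-Csv when collecting across hosts.
Find-TofseeConfigArtifacts | Format-Table -AutoSize
```

Any row with Present set to True warrants pulling the stream or file for XOR decoding and checking the work_srv and start_srv structures against current C2 reporting.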

MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1585 Establish Accounts (evidence: 1)

Tofsee, also known as Gheg, is a sophisticated modular malware primarily designed to send spam email along with other full-fledged botnet activities

Persistence

1 technique
T1112 Modify Registry (evidence: 1)

Registry storage: (1) HKEY_CURRENT_USER\Control Panel\Buses\Config0; (2) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Buses\Config0

Privilege Escalation

1 technique
T1548.002 Bypass User Account Control (evidence: 1)

The implant employs a UAC bypass using the CMSTPLUA COM interface... This is a 64-bit loader DLL that does a UAC bypass trick... tries to execute... fodhelper.exe ... ComputerDefaults.exe

Stealth

2 techniques
T1036 Masquerading (evidence: 1)

The malware is written in C/C++ and uses various techniques to avoid detection and remain persistent on infected systems.

T1564.004 NTFS File Attributes (evidence: 1)

The various configuration storage locations are: File Storage 1: %USERPROFILE%:.repos (ADS)

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 1)

Registry storage: (1) HKEY_CURRENT_USER\Control Panel\Buses\Config0; (2) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Buses\Config0

Credential Access

1 technique
T1555 Credentials from Password Stores (evidence: 1)

along with other full-fledged botnet activities such as mining and stealing login and email credentials

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 1)

The config stores of particular interest to us are the work_srv and start_srv structures. Both are retrieved during the initial C&C connection of the Tofsee botnet.

T1105 Ingress Tool Transfer (evidence: 1)

as well as downloading further malware. Generally, the additional malware downloaded is either ransomware or banking Trojans.

T1132 Data Encoding (evidence: 1)

A simple Tofsee xor algorithm encodes the data stored in one of these places

Impact

1 technique
T1499 Endpoint Denial of Service (evidence: 1)

we can craft a packet with a size greater than the buffer, causing an out-of-bounds read error, leading to a crash... Due to the manipulated value of len, an out-of-bound read exception is created, ultimately resulting in the binary crashing.

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. The indicator values themselves are masked on the public page; only the type and latest sighting are shown.

Network: 2 tracked (IPs, domains, and DNS infrastructure linked to this family).

Hashes: 6 tracked (file hashes, MD5, SHA-1 or SHA-256, from samples and reports).

Type and latest sighting (values withheld):
hash.sha256, 1 month ago
ip.v4, 1 month ago
hash.md5, 5 years ago
hash.md5, 5 years ago
hash.sha256, 5 years ago
hash.sha256, 5 years ago