Ninja Trojan

Ninja Trojan is a sophisticated C++ post-exploitation malware family associated with the ToddyCat APT, an espionage-focused cluster active since at least December 2020. Reporting describes Ninja as part of an unknown ToddyCat post-exploitation toolkit and notes it was deployed in some intrusions by the Samurai backdoor. ToddyCat targeted high-profile entities in Europe and Asia, including government, military, defense-related, and other prominent organizations; early activity involved compromise of Microsoft Exchange servers in Taiwan and Vietnam, including exploitation of Exchange vulnerabilities such as ProxyLogon, while later activity also included desktop-focused delivery via Telegram ZIP archives containing Ninja loaders.

Ninja provides broad operator functionality for post-compromise operations. Documented capabilities include process enumeration and management, filesystem management and operations, multiple reverse shells, process injection, runtime module or plugin loading, and TCP proxying or forwarding between command-and-control and internal hosts. It supports multi-session operator use, can act as a local pivot node relaying traffic for other agents, and can communicate over HTTP, HTTPS, or raw TCP. Its network traffic can be camouflaged through customizable HTTP headers and URL paths in a manner compared to malleable C2 concepts. It also includes a configurable working-time feature to restrict activity to specific time windows and can be reconfigured remotely.

Observed delivery and loading chains include multiple 64-bit DLL loader variants used by ToddyCat. These loaders were executed either via rundll32.exe or through DLL side-loading with legitimate signed executables such as vlc.exe. They decrypted XOR-obfuscated payloads from files in the same directory and then either loaded the next-stage DLL into the current process or injected shellcode into a newly created wusa.exe process. A tailored loader variant stored an encrypted payload at %CommonApplicationData%\Local\user.key and bound decryption to host-specific disk and volume identifiers, assessed as supporting long-term persistence. Additional persistence linked to Ninja deployment included svchost-based service abuse: ToddyCat created or modified service configuration and registry values so svchost.exe would load a malicious ServiceDll, commonly %ProgramFiles%\Common Files\System\apibridge.dll, including use of FontCacheSvc-related registry paths and SvcHost grouping changes.

A newer Ninja version reportedly changed configuration obfuscation from XOR 0xAA to a NOT operation. Reported command-and-control indicators for Ninja include hxxps://solitary-dawn-61af.mfeagents.workers[.]dev/collector/3.0/, IP 149.28.28[.]159, and domain eohsdnsaaojrhnqo.windowshost[.]us.