TomBerBil
TomBerBil is a ToddyCat-associated credential theft malware family used to steal browser secrets and to support access to corporate correspondence in compromised environments. Reported variants have been implemented in C++, C#, and PowerShell. The malware targets browser data protected with Windows DPAPI, including cookies and passwords from Chrome and Edge: it enumerates explorer.exe processes, identifies the logged-in users that own them, impersonates those users, extracts the DPAPI-protected browser master key from the Local State file, and queries the Login Data and Cookies SQLite databases. At least one variant masqueraded as Kaspersky software, using the filename avpui.exe and Kaspersky-like file metadata.
Recent reporting states that intrusions observed between May and June 2024 involved a PowerShell-based TomBerBil variant that copied files containing user encryption keys leveraged by DPAPI and added Mozilla Firefox data extraction capability. This version reportedly ran on domain controllers from a privileged user context and accessed browser files over shared network resources via SMB. The modified TomBerBil family was described as ineffective at evading monitoring tools, which led the threat actor to seek alternative methods for accessing critical data.
TomBerBil is associated with the ToddyCat APT group, which, according to the cited reporting, has targeted governmental, defense-related, and other organizations in Asia (including the Asia-Pacific region) and Europe. The malware has been used alongside other ToddyCat tooling focused on stealing Outlook data and authentication material. Behavioral indicators drawn from that reporting include user impersonation via explorer.exe token duplication, decryption of DPAPI-protected browser data, extraction of Chrome/Edge cookies and passwords, Firefox data extraction in the PowerShell variant, operation from privileged contexts on domain controllers, SMB-based access to browser files, and masquerading as Kaspersky through avpui.exe.
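As an added example (not code from the original page or from any ToddyCat report), the heuristics below turn the indicators above into hunting logic and run it over a handful of constructed, simplified Windows telemetry records. The Event field layout, the sample events, and the Kaspersky install-directory pattern are all assumptions made for illustration; in practice they must be mapped onto your real process-creation (Sysmon 1 / 4688) and object-access (4663 / 5145) fields and tuned to your environment. One design point worth noting: because the C++/C# variant impersonates the victim's token, the accessing account in file telemetry is the victim, so the browser-store rule keys on the accessing process rather than on the user.

```python
"""Hunting heuristics for TomBerBil-style browser-secret theft over constructed telemetry.

Added example; field names, sample events and vendor paths are assumptions, not
values taken from any report. Map them onto your own log schema before use.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

BROWSER_SECRET_PATHS = [
    # Chromium master key wrapper (base64 "DPAPI" + blob) lives in Local State
    re.compile(r"\\AppData\\Local\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\Local State$", re.I),
    # Per-profile SQLite stores queried by the family (Cookies moved under Network\ in newer builds)
    re.compile(r"\\AppData\\Local\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\(Login Data|Cookies|Network\\Cookies)$", re.I),
    # Firefox equivalents added by the PowerShell variant
    re.compile(r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
]
# Per-user DPAPI master key store: %APPDATA%\Microsoft\Protect\<SID>\<GUID>
DPAPI_MASTERKEY_PATH = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-[\d-]+\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Assumed vendor install root; a real avpui.exe should not start from anywhere else.
KASPERSKY_INSTALL_DIR = re.compile(r"^[a-z]:\\Program Files( \(x86\))?\\Kaspersky Lab\\", re.I)
_UNC_ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\([a-z])\$(\\.*)$", re.I)


@dataclass(frozen=True)
class Event:
    kind: str            # "process_create" or "file_access"
    host: str
    host_is_dc: bool
    subject_user: str    # account the action ran as (the *impersonated* user under impersonation)
    image: str           # created process, or the process performing the file access
    target: str = ""     # file path for file_access; may be UNC (\\host\C$\...)


@dataclass(frozen=True)
class Finding:
    rule: str
    event: Event


def normalize_path(path: str) -> Tuple[str, bool]:
    """Rewrite \\\\host\\C$\\x to C:\\x and report whether the path went over an admin share."""
    m = _UNC_ADMIN_SHARE.match(path)
    if m:
        return f"{m.group(1).upper()}:{m.group(2)}", True
    return path, False


def hunt(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev.kind == "process_create":
            image, _ = normalize_path(ev.image)
            if image.lower().endswith("\\avpui.exe") and not KASPERSKY_INSTALL_DIR.match(image):
                findings.append(Finding("avpui.exe outside Kaspersky install directory", ev))
            continue
        if ev.kind != "file_access":
            continue
        target, via_smb = normalize_path(ev.target)
        is_browser_secret = any(p.search(target) for p in BROWSER_SECRET_PATHS)
        is_masterkey = bool(DPAPI_MASTERKEY_PATH.search(target))
        if not (is_browser_secret or is_masterkey):
            continue
        accessor = ev.image.rsplit("\\", 1)[-1].lower()
        # Process-based, because impersonation makes subject_user look like the legitimate owner.
        if is_browser_secret and accessor not in BROWSER_PROCESSES:
            findings.append(Finding("browser secret store read by non-browser process", ev))
        if is_masterkey and accessor != "lsass.exe":
            findings.append(Finding("DPAPI user master key file read", ev))
        if via_smb:
            findings.append(Finding("browser/DPAPI artefact read over SMB admin share", ev))
        if ev.host_is_dc:
            findings.append(Finding("browser/DPAPI artefact read on domain controller", ev))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    Event("file_access", "WS01", False, r"CORP\alice", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),          # benign
    Event("process_create", "WS01", False, r"CORP\alice",
          r"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avpui.exe"),  # benign
    Event("process_create", "WS02", False, r"CORP\bob", r"C:\Users\Public\avpui.exe"),               # masquerade
    Event("file_access", "WS02", False, r"CORP\bob", r"C:\Users\Public\avpui.exe",
          r"C:\Users\bob\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),                # impersonated read
    Event("file_access", "DC01", True, r"CORP\svc_backup", PS,
          r"\\WS03\C$\Users\carol\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111111111-2222222222-3333333333-1105\5f3a2b1c-9d8e-4f7a-b6c5-d4e3f2a1b0c9"),
    Event("file_access", "DC01", True, r"CORP\svc_backup", PS,
          r"\\WS03\C$\Users\carol\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.event.host}] {f.rule}: {f.event.subject_user} {f.event.image} -> {f.event.target or '-'}")
```

Running the block on the constructed events yields eight findings: the two benign records are silent, the user-writable avpui.exe fires once, the impersonated Edge read fires on the process rule only, and each DC-originated SMB read fires three times (artefact type, SMB, domain controller). The last two are the signal the reporting describes for the PowerShell variant; the first is the only thing visible for the C++/C# variant once impersonation is in play.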
Groups observed using it
2 distinct threat actors attributed by public researchers.
This is the exact same mechanism used by another tool in the group’s arsenal, TomBerBil, which we covered previously.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Privilege Escalation (1 technique)
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Another ToddyCat tool, mentioned as using the same scheme for obtaining a user's context by copying the explorer.exe token.
Tool family used by the ToddyCat APT in attempts to access and steal corporate email correspondence; according to the report summary, modified variants were detected by monitoring tools.
PowerShell-based malware used in ToddyCat intrusions to copy DPAPI-related files containing user encryption keys and to extract Mozilla Firefox data.
TomBerBil is a malware family used by ToddyCat to steal browser cookies, credentials, and history from browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox. It can run on domain controllers and access browser files over SMB, and is capable of extracting and decrypting data protected by Windows DPAPI.