TCSectorCopy
TCSectorCopy is a C++ utility used by the ToddyCat APT to extract Microsoft Outlook Offline Storage Table (OST) files from compromised corporate systems. It opens the disk as a read-only device and copies OST files sector by sector, bypassing file-lock mechanisms enforced while Outlook is running. Reporting states that ToddyCat used TCSectorCopy in post-exploitation activity to steal corporate email correspondence from environments using on-premises Exchange or cloud-based mail systems. Extracted OST files were subsequently processed with the open-source XstReader tool to parse OST/PST archives and access email contents. The activity is associated with ToddyCat espionage operations targeting high-profile organizations in Europe and Asia, including government and military networks. One mention notes the tool was also referred to as "xCopy.exe." The provided content indicates that related reporting included malicious filenames, paths, and directories as indicators of compromise, but no specific IOC values for TCSectorCopy are included here.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"ToddyCat uses a tool named TCSectorCopy for this: a C++ utility that opens the hard disk as a read-only device and copies Outlook's offline storage (OST) files, bypassing all file-locking mechanisms …"
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Collection
1 technique: "attempt to gain access to corporate correspondence files in the local Outlook storage... attackers created a specialized tool called TCSectorCopy."
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Specialized utility used to copy Microsoft Outlook OST files (local cached mailbox data) for email data theft.
C++ utility that opens disks in read-only mode to copy Outlook OST files while bypassing Outlook's file locks, in order to obtain email data for exfiltration.
C++ utility used to exfiltrate Outlook offline storage (OST) by performing sector-by-sector copying from a read-only disk handle, bypassing file locks to obtain mail archives for later parsing.
TCSectorCopy is a custom tool written in C++ used by ToddyCat to copy Microsoft Outlook OST files sector by sector, bypassing file access restrictions. It enables attackers to exfiltrate corporate email data for further analysis and extraction.