Tofsee

Also known as: Gheg

According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more.

Cybercriminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.

Last 7 days (as of Mar 2, 2026)

SHAs: 1
C2 Total: 2
C2 Unique: 2
C2 New: 2

Behavioral Tags

discovery: 100%
defense_evasion: 100%
execution: 100%
persistence: 100%
privilege_escalation: 100%
trojan: 100%

MITRE ATT&CK Techniques

T1082 System Information Discovery (100%)

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1012 Query Registry (100%)

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

T1112 Modify Registry (100%)

Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.

T1489 Service Stop (100%)

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.

T1543.003 Windows Service (100%)

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.

T1546.007 Netsh Helper DLL (100%)

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs.

T1547.001 Registry Run Keys / Startup Folder (100%)

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

T1562 Impair Defenses (100%)

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

T1562.004 Disable or Modify System Firewall (100%)

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.

T1569.002 Service Execution (100%)

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads.

T1614.001 System Language Discovery (100%)

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Port Distribution

*: 100% · 2 hosts

Further Reading