Tofsee

Also known as: Gheg

According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more.

Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.

C2 Infrastructure

Hosting/VPS100%

Last 7 days

Apr 19, 2026

C2 Hosts: 4

Apr 18, 2026

C2 Hosts: 4

Apr 17, 2026

C2 Hosts: 4

Apr 16, 2026

C2 Hosts: 4

Apr 15, 2026

C2 Hosts: 5

Apr 14, 2026

C2 Hosts: 6

Apr 13, 2026

C2 Hosts: 5

Daily C2 host counts for the last 7 days
Date	C2 Hosts
Apr 19, 2026	4
Apr 18, 2026	4
Apr 17, 2026	4
Apr 16, 2026	4
Apr 15, 2026	5
Apr 14, 2026	6
Apr 13, 2026	5

Further Reading

Information on GovCERT

How To Guide | Neutralizing Tofsee Spambot â Part 1 | Binary file vaccine | Spamhaus Technology

How To Guide | Neutralizing Tofsee Spambot â Part 2 | InMemoryConfig store vaccine | Spamhaus Technology

How To Guide | Neutralizing Tofsee Spambot â Part 3 | Network-based kill switch | Spamhaus Technology

Virus Bulletin :: Tofsee botnet

The spam botnet Tofsee can be divided into three components: loader, core module and plug-ins. Ryan Mi describes how the components communicate with the C&C server, and how they work with one another.

virusbulletin.com

Terror EK via Malvertising delivers Tofsee Spambot

Summary: This was a great find, Terror EK in the wild from malvertising. The landing page appeared to be in the compromised site itself and was not loaded from an iframe, etc. The site just display…

zerophagemalware.com