LoFiSe has been used by ToddyCat since at least 2023 to identify and collect files of interest on targeted systems.[1]

ID: S1101
Platforms: Windows
Version: 1.0
Created: 19 January 2024
Last Modified: 19 January 2024

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1560 | Archive Collected Data | LoFiSe can collect files into password-protected ZIP-archives for exfiltration.[1] |
| Enterprise | T1119 | Automated Collection | LoFiSe can collect all the files from the working directory every three hours and place them into a password-protected archive for further exfiltration.[1] |
| Enterprise | T1005 | Data from Local System | LoFiSe can collect files of interest from targeted systems.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | LoFiSe can save files to be evaluated for further exfiltration in the C:\Programdata\Microsoft\ and C:\windows\temp\ folders.[1] |
| Enterprise | T1083 | File and Directory Discovery | LoFiSe can monitor the file system to identify files less than 6.4 MB in size with file extensions including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .odt, .ods, .odp, .eml, and .msg.[1] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | LoFiSe has been executed as a file named DsNcDiag.dll through side-loading.[1] |
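
The staging folders, extension list, size threshold, archive behaviour and DLL name listed above can be combined into a triage filter over endpoint file-create and image-load telemetry. This is an added example, not code from the original page or from any vendor tooling; the event fields (`type`, `path`, `size`, `header`), the sample events and the MiB reading of "6.4 MB" are assumptions, and a match is a lead for review rather than a verdict.

```python
import struct
from pathlib import PureWindowsPath

# Values taken from the technique table above.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
            ".rtf", ".tif", ".odt", ".ods", ".odp", ".eml", ".msg"}
STAGING_DIRS = (r"c:\programdata\microsoft", r"c:\windows\temp")
SIDELOAD_DLL = "dsncdiag.dll"
MAX_SIZE = int(6.4 * 1024 * 1024)  # assumption: "6.4 MB" read as MiB

def in_staging(path):
    """True if the path lies under one of the staging folders (case-insensitive)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in STAGING_DIRS)

def is_encrypted_zip(header):
    """True if the bytes start a ZIP local file header with flag bit 0 (encrypted) set."""
    if len(header) < 8 or header[:4] != b"PK\x03\x04":
        return False
    (flags,) = struct.unpack_from("<H", header, 6)
    return bool(flags & 0x1)

def classify(event):
    """Return the technique IDs from the table that one event is consistent with."""
    p = PureWindowsPath(event["path"])
    hits = []
    if event["type"] == "image_load" and p.name.lower() == SIDELOAD_DLL:
        hits.append("T1574.002")
    if event["type"] == "file_create" and in_staging(event["path"]):
        # Unknown size is treated as 0 so the event is still surfaced.
        if p.suffix.lower() in DOC_EXTS and event.get("size", 0) < MAX_SIZE:
            hits.append("T1074.001")
        if is_encrypted_zip(event.get("header", b"")):
            hits.append("T1560")
    return hits

SAMPLE_EVENTS = [  # constructed for illustration, not real telemetry
    {"type": "file_create", "path": r"C:\ProgramData\Microsoft\q3-budget.xlsx", "size": 120_000},
    {"type": "file_create", "path": r"C:\Windows\Temp\a1.zip", "size": 900_000,
     "header": b"PK\x03\x04\x14\x00\x01\x00"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\notes.docx", "size": 40_000},
    {"type": "file_create", "path": r"C:\Windows\Temp\big.pdf", "size": 9_000_000},
    {"type": "image_load", "path": r"C:\Example\App\DsNcDiag.dll"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["path"], classify(ev))
```
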

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1022 | ToddyCat | |