Cisco Blogs

Want Tofsee My Pictures? A Botnet Gets Aggressive

- September 29, 2016 - 1 Comment

This post was authored by Edmund Brumaghin


Tofsee is multi-purpose malware that has been in existence for several years, operating since at least 2013. It features a number of modules that are used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Once infected, systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

Earlier this year, Talos published a blog post discussing how the RIG exploit kit was delivering this malware to compromised endpoints using malvertising. Malvertising is a technique commonly used by exploit kits to infect users that browse web sites that are serving compromised advertisements. This activity seemed to disappear in June, however Talos has recently observed a marked increase in the volume and velocity of spam email campaigns containing malicious attachments that are being used to distribute Tofsee.



In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


    This is what I call Tofsee 101 reading and learning at a glance, without losing details. Excellent Edmund Brumaghin blog post. Thank you for sharing it. Deeply appreciated.