TODDLERSHARK Malware: Here is what you should know. A Quick Glance.


TODDLERSHARK Malware: Here is what you should know. A Quick Glance.

TODDLERSHARK Malware: In the ever-evolving landscape of cybersecurity, a new malware variant dubbed TODDLERSHARK has recently emerged. This malware is being deployed by exploiting two critical vulnerabilities in ConnectWise ScreenConnect, namely CVE-2024-1708 and CVE-2024-1709.

Brief History of TODDLERSHARK Malware

TODDLERSHARK is a new iteration of malware that bears a striking resemblance to the BABYSHARK or ReconShark malicious strains. These strains have been leveraged by the North Korean Advanced Persistent Threat (APT) group known as Kimsuky. Kimsuky has been active since 2013, primarily targeting South Korea.

Current Status of TODDLERSHARK Malware

As of now, the TODDLERSHARK malware is being deployed post-exploitation of the ConnectWise ScreenConnect application. The infection chain is triggered by weaponizing the aforementioned vulnerabilities, which have been massively exploited by adversaries.

How It Works

The threat actor gains access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application. They then leverage their access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware.

The initial payload downloaded by the MSHTA utility is a heavily obfuscated VB script, containing randomly generated functions and variable names along with large amounts of hexadecimal encoded code and additional junk code. The function names, variables names, junk code, and hexadecimal change each time the initial payload is downloaded, meaning the hash of the file being downloaded will never be the same twice.

TODDLERSHARK malware in a Nutshell.

“A new malware iteration dubbed TODDLERSHARK comes into the spotlight in the cyber threat arena, which bears a striking similarity with BABYSHARK or ReconShark malicious strains leveraged by the North Korean APT group known as Kimsuky APT.”

“The malware was used in post-compromise activity following exploitation of a ScreenConnect application. BABYSHARK has been associated, by several sources, with a threat actor Kroll track as KTA082 (Kimsuky). The malware utilized legitimate Microsoft binary and alternate data streams and exhibited elements of polymorphic behavior.”


The emergence of TODDLERSHARK underscores the importance of staying vigilant in the face of evolving cybersecurity threats. It is crucial to keep software up-to-date and apply patches as soon as they become available to mitigate the risk of such vulnerabilities being exploited. As the landscape of cyber threats continues to evolve, so too must our defenses.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.

Share this content:

Post Comment