The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Stayin Alive Campaign Targets Telecoms and Government Entities in Asia

Oct 27, 2023 1:54:59 PM / by The Hivemind

Related Families: CurKeep, CurCore, CurLog, CurLu, StylerServ
Verticals Targeted: Telecommunications, Government

Executive Summary

The Stayin Alive campaign, perpetrated by ToddyCat, was observed targeting telecommunications and government entities in Asia.

Key Takeaways

  • The Stayin Alive campaign was observed targeting telecommunications and government entities in Asia.
  • Malware used in the campaign includes CurKeep, CurLu, CurCore, CurLog, and StylerServ. 
  • The campaign has been loosely attributed to the China nexus threat actor group known as ToddyCat.

The Campaign

Check Point Research recently reported on the ongoing Stayin Alive campaign, which is targeting telecommunications and government entities in Asia. Some of the targets thus far were located in Vietnam, Uzbekistan, Pakistan, and Kazakhstan.

The threat actors use spearphishing emails to deliver archive files to victim machines and rely on DLL sideloading to execute the payloads those archives contain. They have also been observed leveraging CVE-2022-23748, a DLL sideloading vulnerability in Audinate’s Dante Discovery software. Post exploitation, the threat actors deploy loaders and downloaders in the victim environment to retrieve and run additional malicious payloads.

Malware used in the campaign includes CurKeep, CurLu, CurCore, CurLog, and StylerServ. The campaign has been loosely attributed to the China nexus threat actor group known as ToddyCat.

The Malware

CurKeep is a backdoor. It is delivered via an infection chain that begins with an email carrying a malicious ZIP attachment. The ZIP contains two files: a legitimate, signed .EXE and a malicious DLL placed beside it. When the victim runs the legitimate executable, Windows resolves the DLL from the executable’s own directory and loads the malicious copy, which in turn loads CurKeep. CurKeep is a small payload, only about 10 KB, with 26 functions.
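The sideloading chain described above (a signed executable pulling an attacker-supplied DLL from its own folder) leaves a recognizable pattern in image-load telemetry. The following is an added detection example, not code from the original post or from Check Point: it scores Sysmon Event ID 7-style image-load records and flags a load when the DLL sits beside the process image and is unsigned, carries the name of a Windows system DLL while living outside the Windows directory, was loaded from a user-writable path, or is signed by someone other than the process’s signer. The log lines, the `ProcessSignature` field (which in practice you would join in from the corresponding Event ID 1 record), and the list of commonly sideloaded system DLL names are all constructed for this example.

```python
"""Flag DLL sideloading candidates in Sysmon-style image-load records.

Added example. The records below are constructed, not real telemetry; the
field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature),
and ProcessSignature is an assumed field joined from the process-create event.
"""
import ntpath

# DLL names that normally resolve from the Windows system directory. Seeing one
# of these loaded from the process's own folder means the search order was abused.
# This list is a small, hand-picked set of frequently sideloaded names.
SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dbghelp.dll", "userenv.dll",
               "wtsapi32.dll", "msimg32.dll", "profapi.dll"}
WINDOWS_DIRS = ("c:\\windows\\",)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Constructed sample log: one pipe-delimited key=value record per line.
SAMPLE_LOG = r"""
Image=C:\Program Files\Vendor\Agent.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows|ProcessSignature=Vendor Ltd
Image=C:\Users\alice\Downloads\invoice\Viewer.exe|ImageLoaded=C:\Users\alice\Downloads\invoice\version.dll|Signed=false|Signature=|ProcessSignature=Vendor Ltd
Image=C:\Users\alice\Downloads\invoice\Viewer.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|Signature=Microsoft Windows|ProcessSignature=Vendor Ltd
Image=C:\Users\alice\AppData\Local\Temp\setup\Tool.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\setup\helper.dll|Signed=false|Signature=|ProcessSignature=Some Co
Image=C:\Program Files\Vendor\Agent.exe|ImageLoaded=C:\Program Files\Vendor\plugin.dll|Signed=true|Signature=Vendor Ltd|ProcessSignature=Vendor Ltd
"""


def parse_events(text):
    """Turn the pipe-delimited key=value lines into a list of dicts."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(fields)
    return events


def sideload_reasons(ev):
    """Return the list of indicators that make this image load look like sideloading.

    Only loads where the DLL is co-located with the process image are scored;
    a DLL resolved from System32 is the normal case and returns no reasons.
    """
    image = ev["Image"].lower()
    loaded = ev["ImageLoaded"].lower()
    if ntpath.dirname(image) != ntpath.dirname(loaded):
        return []

    reasons = []
    name = ntpath.basename(loaded)
    if name in SYSTEM_DLLS and not loaded.startswith(WINDOWS_DIRS):
        reasons.append(f"system DLL name {name} resolved from the process directory")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("side-by-side DLL is unsigned")
    if loaded.startswith(USER_WRITABLE):
        reasons.append("loaded from a user-writable location")
    proc_signer = ev.get("ProcessSignature", "")
    if proc_signer and ev.get("Signature", "") != proc_signer:
        reasons.append("DLL signer differs from the process signer")
    return reasons


def find_sideload_candidates(events, min_reasons=2):
    """Return (Image, ImageLoaded, reasons) for loads with at least min_reasons indicators.

    Requiring two independent indicators keeps legitimate vendor plugins that
    are signed by the same publisher and live under Program Files out of the list.
    """
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, loaded, reasons in find_sideload_candidates(parse_events(SAMPLE_LOG)):
        print(f"{image} loaded {loaded}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed sample, the two user-directory loads (the unsigned `version.dll` beside `Viewer.exe` and the unsigned `helper.dll` beside `Tool.exe`) are reported, while the vendor plugin signed by the same publisher under Program Files and the normal System32 loads are not. On a real fleet, tune `SYSTEM_DLLS` and the writable-path prefixes to your environment and join the process signer from Event ID 1 before scoring.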

CurLu is a loader that is itself typically launched via DLL sideloading. It contacts the C2, receives a DLL to load, and then calls a predefined export from that DLL.

CurCore is a compact backdoor with limited functionality. Its capabilities are creating a file and writing data to it, executing a command received from the C2, and reading a file and returning its contents base64-encoded.

CurLog is a loader that was mainly used in attacks targeting entities in Kazakhstan. Multiple variants exist. Some variants are executed through a DLL, and some via an EXE.

StylerServ is a backdoor. It differs from the campaign’s other tools in that it does not beacon out; instead, it acts as a passive listener, serving a specific file over high-numbered ports.

Who is ToddyCat?

ToddyCat is a China nexus threat actor group known to engage in long-term espionage campaigns. Active since at least December 2020, the group is thought to be sophisticated and quick to adapt to changing target environments. ToddyCat is known to target high-profile entities in Europe and Asia. Government, military, and telecommunications entities are among ToddyCat’s victims. ToddyCat is known to use Ninja trojan, Samurai backdoor, and MiniNinja framework.


PolySwarm has multiple samples associated with this activity.
You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -t StayinAlive


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.



Topics: Threat Bulletin, Government, Telecommunications, Asia, CurKeep, StayinAlive, ToddyCat, CurCore, CurLog, CurLu, StylerServ
