{ "family": "tofsee", "sample_count": 264, "category": "spam_bot", "description": "Tofsee, also known as Gheg, is a long-running spambot that infects machines to send pharmaceutical, dating, and cryptocurrency spam. Active since 2008, Tofsee continues to be observed and is notable for its use of peer-to-peer protocols and resilience to takedowns.", "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.", "aliases": [ "gheg" ], "enrichment_level": "hand-curated", "faq": [ { "@type": "Question", "name": "What is Tofsee?", "acceptedAnswer": { "@type": "Answer", "text": "Tofsee, also known as Gheg, is a long-running spambot that infects machines to send pharmaceutical, dating, and cryptocurrency spam. Active since 2008, Tofsee continues to be observed and is notable for its use of peer-to-peer protocols and resilience to takedowns." } }, { "@type": "Question", "name": "How does Tofsee spread?", "acceptedAnswer": { "@type": "Answer", "text": "Tofsee is a multi-purpose botnet spreading through other malware droppers, Skype messages, and exploit kits." } }, { "@type": "Question", "name": "What are the signs of a Tofsee infection?", "acceptedAnswer": { "@type": "Answer", "text": "Outbound spam traffic, click-fraud HTTP requests, and DDoS traffic from the infected host along with AV detections for Tofsee or Gheg are common." } }, { "@type": "Question", "name": "What should I do if I think I have Tofsee on my system?", "acceptedAnswer": { "@type": "Answer", "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance." } } ], "faq_count": 4, "mitre_attack": [ "T1071.001", "T1547.001" ], "cisa_advisory": null, "last_updated": "2026-05-27" }