Tofsee

Category: spam_bot · Aliases: gheg · Sample count (EMBER 2018): 264 · Enrichment: curated_sourced · Updated: 2026-06-11

Overview

Tofsee (also known as Gheg) is a multi-purpose Trojan and botnet that is primarily used as an email-oriented tool, targeting victims' email accounts and sending spam. According to analyses such as PCrisk, Tofsee is modular and capable of a wide range of malicious activity, including launching distributed denial-of-service (DDoS) attacks, mining cryptocurrency, sending emails, stealing various account credentials, and updating itself. Because it is modular, an infected machine can be repurposed for several of these tasks. Tofsee is documented by Fraunhofer FKIE's Malpedia.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1071.001 T1547.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_TOFSEE {
    meta:
        description = "Detects Tofsee (spam_bot)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "tofsee" ascii wide nocase
        $s2 = "gheg" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Tofsee Activity
id: 7c2de38d5a6c239bbca0c84e989689a7
status: experimental
description: Detects generic indicators of the tofsee malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*tofsee*"
            - "*gheg*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Tofsee?

Tofsee, also known as Gheg, is a modular Trojan and botnet most commonly used as an email-oriented tool. It targets users' email accounts and is widely associated with sending spam.

What is Tofsee capable of?

Tofsee is modular and can perform a range of malicious actions, including launching DDoS attacks, mining cryptocurrency, sending emails and spam, stealing account credentials, and updating itself with new functionality.

What is the main purpose of Tofsee?

Although it has many capabilities, Tofsee is mainly used as an email-oriented tool that targets victims' email accounts. Having Tofsee installed can, however, lead to additional problems because of its other modules.

What sources document Tofsee?

Tofsee (Gheg) is profiled in Fraunhofer FKIE's Malpedia, and its capabilities have been described in vendor analyses such as those referenced by PCrisk.

Related Families (Category: spam_bot)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/tofsee.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.