Tofsee (also known as Gheg) is a multi-purpose Trojan and botnet that is primarily used as an email-oriented tool, targeting victims' email accounts and sending spam. According to analyses such as PCrisk, Tofsee is modular and capable of a wide range of malicious activity, including launching distributed denial-of-service (DDoS) attacks, mining cryptocurrency, sending emails, stealing various account credentials, and updating itself. Because it is modular, an infected machine can be repurposed for several of these tasks. Tofsee is documented by Fraunhofer FKIE's Malpedia.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1071.001 T1547.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_TOFSEE {
meta:
description = "Detects Tofsee (spam_bot)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "tofsee" ascii wide nocase
$s2 = "gheg" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Tofsee Activity
id: 7c2de38d5a6c239bbca0c84e989689a7
status: experimental
description: Detects generic indicators of the tofsee malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*tofsee*"
- "*gheg*"
condition: selection
level: mediumTofsee, also known as Gheg, is a modular Trojan and botnet most commonly used as an email-oriented tool. It targets users' email accounts and is widely associated with sending spam.
Tofsee is modular and can perform a range of malicious actions, including launching DDoS attacks, mining cryptocurrency, sending emails and spam, stealing account credentials, and updating itself with new functionality.
Although it has many capabilities, Tofsee is mainly used as an email-oriented tool that targets victims' email accounts. Having Tofsee installed can, however, lead to additional problems because of its other modules.
Tofsee (Gheg) is profiled in Fraunhofer FKIE's Malpedia, and its capabilities have been described in vendor analyses such as those referenced by PCrisk.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/tofsee.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.