TOITOIN Trojan: A New Multi-Stage Attack Targeting LATAM

ID: 31dd48cf-0f23-536a-9834-ac3a3b2d81a2

STIX ID: report--31dd48cf-0f23-536a-9834-ac3a3b2d81a2

Feed Name: Zscaler Security Research Blog

Threat Score
80/100

Date Published: 2025-12-30

Date Updated: 2026-05-01

...
...

This report provides a detailed technical analysis of the multi-stage TOITOIN infection chain: a downloader that creates persistence via an LNK file and a scheduled restart; sideloading of a malicious Krita Loader DLL (ffmpeg.dll) into a signed ZOHO binary; chained loader/injector DLLs that decode embedded payloads from JPG files; a UAC bypass leveraging the COM Elevation Moniker to gain elevated execution; and a final TOITOIN backdoor that decodes an INI configuration, discovers installed browsers and system attributes, and contacts multiple C2 URLs. The report contains IOCs (C2 URLs, PDB paths, filenames, mutex names) and decryption logic to support detection and mitigation.