ToddyCat Uses Shadow Token via Remote Debug to Compromise Gmail Accounts
ID: bfa5de51-0c5e-5cbe-9523-cb17bcde1e8d
STIX ID: report--bfa5de51-0c5e-5cbe-9523-cb17bcde1e8d
Feed Name: GBHackers
ToddyCat (an APT) uses a .NET backdoor named Umbrij deployed via DLL sideloading to copy victims' Chromium browser profiles, run a headless browser with remote debugging, and automate OAuth consent flows (STRD) to harvest authorization codes and exchange them for Google Workspace API tokens—enabling stealthy access to Gmail, Drive, contacts, calendars and Directory data. The report details multiple Umbrij variants, command-line options, detection cues (sideloading, --remote-debugging-port, --user-data-dir usage), and recommended mitigations including EDR telemetry, profile protection, and revoking unused third-party Google app permissions.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
