ToddyCat: your hidden email assistant. Part 2
ID: 39cf12cc-02a0-5d18-bd6c-f5f387476c8a
STIX ID: report--39cf12cc-02a0-5d18-bd6c-f5f387476c8a
Feed Name: Securelist by Kaspersky
ToddyCat APT deployed a .NET tool called Umbrij that automates stealing OAuth authorization codes from signed-in Gmail sessions by copying browser profile data, launching Chromium-based browsers in headless mode via a remote debugging port, and automating account consent; execution is achieved through DLL sideloading of legitimate binaries. The report includes technical analysis, multiple Umbrij variants, IOCs (file hashes and paths), and detection/mitigation recommendations such as monitoring for suspicious DLL loads, browser debug launch arguments, and revoking unused third-party Google app access.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
