logo

ToddyCat: your hidden email assistant. Part 2

ID: 39cf12cc-02a0-5d18-bd6c-f5f387476c8a

STIX ID: report--39cf12cc-02a0-5d18-bd6c-f5f387476c8a

Feed Name: Securelist by Kaspersky

Threat Score
85/100

Date Published: 2026-06-30

Date Updated: 2026-07-02

Author: Andrey Gunkin

...
...

ToddyCat APT deployed a .NET tool called Umbrij that automates stealing OAuth authorization codes from signed-in Gmail sessions by copying browser profile data, launching Chromium-based browsers in headless mode via a remote debugging port, and automating account consent; execution is achieved through DLL sideloading of legitimate binaries. The report includes technical analysis, multiple Umbrij variants, IOCs (file hashes and paths), and detection/mitigation recommendations such as monitoring for suspicious DLL loads, browser debug launch arguments, and revoking unused third-party Google app access.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.