ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API
ID: 25d53dbd-ff48-5ce5-a68d-a126504b9fc5
STIX ID: report--25d53dbd-ff48-5ce5-a68d-a126504b9fc5
Feed Name: The Hacker News
Kaspersky attributes a newly observed malware named Umbrij to the ToddyCat APT; Umbrij uses DLL sideloading and a sequence of profile-copy, headless Chromium launch, and remote-debugging (Puppeteer) interactions to extract OAuth authorization codes from active Gmail sessions and exchange them for access tokens, enabling API-based exfiltration of corporate email and related resources. The report includes technical details, abused binaries, attack workflow, and mitigation advice to revoke suspicious Google Workspace migration/sync app authorizations.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
