logo

ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API

ID: 25d53dbd-ff48-5ce5-a68d-a126504b9fc5

STIX ID: report--25d53dbd-ff48-5ce5-a68d-a126504b9fc5

Feed Name: The Hacker News

Threat Score
80/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: [email protected] (The Hacker News)

...
...

Kaspersky attributes a newly observed malware named Umbrij to the ToddyCat APT; Umbrij uses DLL sideloading and a sequence of profile-copy, headless Chromium launch, and remote-debugging (Puppeteer) interactions to extract OAuth authorization codes from active Gmail sessions and exchange them for access tokens, enabling API-based exfiltration of corporate email and related resources. The report includes technical details, abused binaries, attack workflow, and mitigation advice to revoke suspicious Google Workspace migration/sync app authorizations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.