[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAtNnBrvry0EMWj_yy-bvcKuk_TO0W2d_UOyGiSF9CZY":3},{"article":4,"iocs":59},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"cd56f5a9-8b0e-48f6-90c6-2efb2eb835d8","ToddyCat: your hidden email assistant. Part 2","toddycat-your-hidden-email-assistant-part-2-d6bdd2","An in-depth analysis of Umbrij, a new tool used by the ToddyCat APT group to compromise corporate email communications in Gmail. The attack targeted OAuth authorization tokens, allowing threat actors to gain access to Google services.","The ToddyCat APT group has developed a new tool called Umbrij to compromise corporate Gmail accounts. Umbrij exploits the OAuth 2.0 protocol by connecting to a browser's remote debugging port to steal authorization codes, which are then exchanged for access tokens. This allows the attackers to access Google services and corporate email communications, bypassing security solutions.","ToddyCat APT uses new 'Umbrij' tool to steal Gmail OAuth tokens via browser debugging.","Table of Contents: Introduction; Umbrij; Execution; Environment preparation; Acquiring the authorization code; Results; Detection; DLL sideloading; Browser launch; Revoking third-party access; Risk mitigation; Takeaways; Indicators of compromise. Authors: Andrey Gunkin.
Introduction
We continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, we examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods we described previously are effectively detected by EPP and EDR solutions. 
The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems. In this part of the report, we break down the mechanics of this new attack and analyze the tool that was used to automate it. We’ll also discuss how to detect and defend against this threat.
Umbrij
In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs. Because the Google API relies on the OAuth 2.0 protocol for authorization, applications can use an OAuth token to access requested email resources. To acquire this token, the threat actors developed a tool called Umbrij and used it to connect to the browser’s management console in headless mode via a remote debugging port. Through a series of requests, they obtained an OAuth authorization code, which they subsequently exchanged for an access token to reach the target resources via the API. We have dubbed this technique Shadow Token via Remote Debug (STRD). This attack is viable on Chromium-based browsers. If the user has not logged out of their Gmail account, the browser maintains an active session. The attackers exploit this: they launch the browser, connect via the remote debugging port to take control, and send a request to the Gmail service to grant access to the Google account resources within the context of the user’s saved session. During our investigation of this attack, we discovered several versions of the Umbrij tool. These versions included a variety of helper functions designed for debugging, as well as for searching and selecting user accounts within the browser, among other tasks. 
Kaspersky solutions detect this tool with the following verdicts: HEUR:Trojan-PSW.MSIL.Umbrij.gen, HEUR:Trojan.MSIL.Agent.gen, HEUR:Trojan-PSW.MSIL.Agent.gen.
Execution
The Umbrij tool was discovered during a proactive threat hunting operation: a scheduled task, KasperskyEndpointSecurityEDRAvp, was running on a user host, launching a digitally signed file. Kaspersky solutions do not create scheduled tasks with that name; the attackers were attempting to masquerade their malicious activity as a legitimate process. The signed file then used the DLL sideloading technique to load the malicious tool.
Umbrij execution events within Kaspersky Managed Detection and Response
Throughout our observation period, we identified the following legitimate files vulnerable to the DLL sideloading technique that were used to launch Umbrij:
BDSubWiz.exe: a component of the Submission Wizard in Bitdefender ConnectAgent, which is used to support connection features and interaction with other Bitdefender services or agents. This file insecurely loads a file named log.dll.
VSTestVideoRecorder.exe: a component of the video-recording tool used for testing with Visual Studio (VS Test). This executable insecurely loads a file named Microsoft.VisualStudio.QualityTools.VideoRecorderEngine.dll.
GoogleDesktop.exe: the discontinued Google Desktop Search application for indexing files and performing quick searches on a local Windows computer. This executable insecurely loads a file named GoogleServices.dll.
These files were used to load different versions of Umbrij; the same legitimate file could be leveraged to launch more than one variant. In total, we discovered three versions of Umbrij, which we refer to as a, b, and c for convenience. The tool itself is a DLL written in .NET and obfuscated with ConfuserEx, an open-source obfuscator for .NET applications. 
Example of an obfuscated code snippet
Umbrij is managed with the help of parameters passed through a command line at startup, although it is occasionally executed without any parameters. Below are examples of the command lines observed in attacks against users:
\"c:\\Users\\Public\\BDSubWiz.exe\" -regex \u003Cname> -deepsearch c:\\windows\\vss\\bds.exe 12
\"c:\\Users\\Public\\BDSubWiz.exe\" -regex \u003Cname> -deepsearch c:\\windows\\vss\\bds.exe
However, these are not the only parameters the tool can accept and process. During the analysis of its executable code, we discovered additional parameters that vary depending on the version of Umbrij. See the table below for the parameters and their descriptions (version, command, description):
(a) -regex \u003Cstring>: Used in conjunction with the -deepsearch parameter. Specifies a substring to search for within the user_name field of the user profile file, which typically contains the email address. The tool will utilize the user profile that matches this specified substring.
(a) -user \u003Cusername>: Specifies the system username under which the tool will run.
(a) -runas-currentuser: Configures Umbrij to run within the execution context of the current user.
(a) -deepsearch: Enforces additional checks on the user_name field in the user profile: verifying that it is not empty and that it contains the substring specified in the -regex parameter.
(a, b, c) -path \u003Cpath>: Specifies the full path to the directory containing the browser’s executable file.
(a, b, c) -browser \u003Cboth|msedge|chrome>: Specifies which browser the tool should target: Google Chrome, Microsoft Edge, or both.
(a, b, c) -debugport \u003Cport>: Specifies the remote debugging port number.
(a, b, c) -sync: When this parameter is specified in the URL, the value 1095133494869 replaces 279448736670 in the permission request.
(b) -domainAd: Specifies the domain name if the user account is a domain account.
(b) -savepdf: Instructs Umbrij to save a screenshot of the user profile as a PDF file.
(c) -lport: Same as debugport.
Environment preparation
At startup, the tool evaluates several prerequisites required to carry out the attack and performs preparatory actions to subsequently compromise the Gmail account. First, Umbrij verifies the availability of the port that will be designated for browser debugging. To accomplish this, the tool utilizes a function named ChekPortAvailable() (original spelling retained), which accepts the target port number as a parameter. It then retrieves information about active connections on the host using the .NET GetActiveTcpConnections() function from the System.Net.NetworkInformation namespace. The tool iterates through each connection in a loop, comparing the port number to the one it is checking.
The ChekPortAvailable function used to verify open ports
After this, the tool retrieves the user context. It searches the system for the explorer.exe process and duplicates its token, retaining all of its privileges (T1134.003 Access Token Manipulation: Make and Impersonate Token). This is the exact same mechanism used by another tool in the group’s arsenal, TomBerBil, which we covered previously.
The ImpersonateWithProcess function used to retrieve user context
By default, Umbrij duplicates the token of the first explorer.exe process it encounters. If multiple users are logged in to the system, the -user \u003Cusername> switch can be used to specify the name of the target user whose token to duplicate. 
If the -runas-currentuser switch is specified, the tool will execute within the context of the current user without duplicating any tokens.","https:\u002F\u002Fsecurelist.com\u002Ftoddycat-apt-umbrij-tool-and-oauth\u002F120251\u002F","https:\u002F\u002Fmedia.kasperskycontenthub.com\u002Fwp-content\u002Fuploads\u002Fsites\u002F43\u002F2026\u002F06\u002F19083452\u002Ftoddycat-part-2-featured-image-scaled.jpg","2026-06-30T10:00:13+00:00","2026-06-30T12:00:22.301678+00:00",8,[18,21,24,27,29,31],{"name":19,"type":20},"ToddyCat APT","threat_actor",{"name":22,"type":23},"Gmail","product",{"name":25,"type":26},"OAuth 2.0","technology",{"name":28,"type":23},"Google API",{"name":30,"type":23},"Umbrij",{"name":32,"type":26},"DLL sideloading","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":33,"icon":35,"name":36,"slug":37},null,"Threat Intelligence","threat-intelligence",[39,44,49,54],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":55},{"id":56,"icon":35,"name":57,"slug":58},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",[60,62,65,67,69,73,76,79],{"type":53,"value":30,"context":61},"New tool developed by ToddyCat APT for stealing OAuth tokens.",{"type":53,"value":63,"context":64},"HEUR:Trojan-PSW.MSIL.Umbrij.gen","Kaspersky detection verdict for Umbrij.",{"type":53,"value":66,"context":64},"HEUR:Trojan.MSIL.Agent.gen",{"type":53,"value":68,"context":64},"HEUR:Trojan-PSW.MSIL.Agent.gen",{"type":70,"value":71,"context":72},"mitre_attack","T1059.001","Masquerading as a legitimate process via scheduled task.",{"type":70,"value":74,"context":75},"T1574.002","DLL sideloading technique used to load 
Umbrij.",{"type":70,"value":77,"context":78},"T1539","Stealing OAuth authorization tokens.",{"type":70,"value":80,"context":81},"T1071.001","Accessing Google services via API."]