ToddyCat-Linked Umbrij Malware Uses OAuth Flows to Reach Gmail Data via Google API
A malware family tied to the ToddyCat cyberespionage group has been seen using a new technique to quietly reach Gmail content through Google’s API, according to Kaspersky. The tool, called Umbrij, is...
A malware family tied to the ToddyCat cyberespionage group has been seen using a new technique to quietly reach Gmail content through Google’s API, according to Kaspersky. The tool, called Umbrij, is built to steal OAuth authorization data from active browser sessions and turn it into access to corporate email accounts.
Researchers say the campaign targets Gmail-hosted business communications by taking advantage of the OAuth 2.0 authorization process. Rather than trying to steal passwords directly, the malware launches Chromium-based browsers in headless mode, connects through a remote debugging port, and abuses an already signed-in Google session to request permission and obtain an authorization code. That code is then exchanged for an access token that can be used against Google’s API.
Kaspersky describes the method as a form of “Shadow Token via Remote Debug” and notes that it works against browsers such as Google Chrome and Microsoft Edge. The malware has been observed in several versions, including builds that can inspect browser data, identify active user profiles, and determine whether a Google account is already authenticated.
Delivery and execution
According to the report, Umbrij was uncovered during a threat-hunting effort. It was launched through a scheduled task that masqueraded as a legitimate Kaspersky component and then used DLL sideloading to start the malicious payload. The attackers abused legitimate executables vulnerable to sideloading, including software associated with Bitdefender, Microsoft Visual Studio testing tools, and the older Google Desktop Search application.
Once active, the malware collects browser profile data, copies key files into backup folders, and prepares the environment so the browser can be opened with the victim’s existing cookies and session state intact. It then uses automation tools to interact with Google’s authorization pages and capture the resulting OAuth code for later exfiltration.
Why it matters
Kaspersky says the approach lets ToddyCat access Gmail without triggering the same alerts that might follow a password theft attempt. The company recommends checking connected applications in Google account settings and revoking any unfamiliar entries, especially those labeled as Google Workspace migration or sync tools if they are not in use.
The findings suggest ToddyCat continues to refine its methods for reaching sensitive corporate email and expanding the scale of its operations through automation.
