ToddyCat Deploys Umbrij Malware to Hijack Gmail Accounts via Google OAuth API

The advanced persistent threat (APT) group ToddyCat has been linked to a newly discovered malware called Umbrij, a sophisticated tool designed to secretly compromise Gmail accounts by abusing Google’s OAuth authorization process.

According to a recent report from Kaspersky, the malware targets corporate Gmail users: it reuses an already-authenticated browser session to obtain an OAuth grant, then reads mail through Google's own API, so the account password is never needed.

Researchers have named this attack technique Shadow Token via Remote Debug (STRD) because it combines browser remote debugging with OAuth token theft to silently hijack authenticated Google accounts.

How Umbrij Compromises Gmail Accounts

Unlike traditional credential-stealing malware, Umbrij doesn’t attempt to capture passwords directly.

Instead, it takes advantage of an already authenticated Gmail session running in a Chromium-based browser such as Google Chrome or Microsoft Edge.

The malware launches the browser in headless mode with remote debugging enabled, connects to that debugging interface (the Chrome DevTools Protocol), and drives a Google OAuth authorization flow on behalf of the victim. Once the consent step completes, the malware captures the OAuth authorization code and exchanges it for an access token, after which the attackers can interact with Gmail through Google's official APIs.

Because the flow runs inside a valid logged-in session, the victim sees no login prompt and enters no credentials; the only visible trace is an additional authorized application in the account's third-party access list.

Shadow Token via Remote Debug (STRD)

Kaspersky refers to the attack technique as Shadow Token via Remote Debug (STRD).

The process involves:

  • Launching Chrome or Edge in headless mode
  • Connecting through the browser’s remote debugging port
  • Using the victim’s active Google session
  • Requesting OAuth authorization
  • Capturing the authorization code
  • Exchanging the code for an OAuth access token
  • Accessing Gmail and other Google Workspace services through official APIs

Nothing has to be stolen from a credential store: the attacker ends up holding an OAuth token issued by Google itself, which keeps working until the grant is revoked, and uses it to maintain covert access to sensitive corporate communications.

Multiple Versions of Umbrij Discovered

Researchers identified three separate variants of Umbrij.

Some versions include additional debugging features, while others can automatically locate authenticated browser profiles, making the malware more adaptable across different victim environments.

ToddyCat’s Ongoing Espionage Campaign

ToddyCat has been active since at least 2020, targeting organizations across Europe and Asia with sophisticated cyber-espionage campaigns.

The group has previously deployed custom malware for stealing Microsoft Outlook email data. In late 2025, researchers documented ToddyCat’s use of a tool known as TCSectorCopy, which extracted Outlook mailbox data from compromised corporate systems.

The discovery of Umbrij demonstrates the group’s continued focus on gaining access to enterprise email communications.

Malware Delivered Through DLL Side-Loading

Kaspersky uncovered Umbrij during a threat-hunting investigation after identifying a scheduled task named KasperskyEndpointSecurityEDRAvp, a name chosen to resemble a Kaspersky Endpoint Security EDR component.

The malware was launched through DLL side-loading, a technique that abuses trusted applications to execute malicious code while evading security controls.

Researchers observed Umbrij being loaded through several legitimate executables that load a DLL by name from their own directory, which makes them usable as side-loading hosts:

  • BDSubWiz.exe (Bitdefender Submission Wizard)
  • VSTestVideoRecorder.exe (Microsoft Visual Studio testing component)
  • GoogleDesktop.exe (Legacy Google Desktop Search application)

Regardless of which executable is used, the result is the same: a malicious .NET DLL obfuscated with ConfuserEx (an open-source .NET obfuscator) is loaded into the trusted process.
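The following is an added example, not tooling from Kaspersky's report or code from Umbrij, showing how a hunter would look for the side-loading pattern just described in endpoint telemetry. It scans records shaped like Sysmon Event ID 7 (ImageLoaded) and flags a DLL that one of the listed host executables loads from its own directory while the host runs outside the normal install roots or the DLL is unsigned. The sample records, directory names and DLL names are constructed placeholders; the report does not name the malicious DLL.

```python
"""Hunt for DLL side-loading by the host executables named above.

Added example, not tooling from Kaspersky's report or code from Umbrij. It
scans records shaped like Sysmon Event ID 7 (ImageLoaded) and flags a DLL that
one of the listed host executables loads from its own directory while the host
runs outside the normal install roots or the DLL is unsigned. The sample
records, directory names and DLL names below are constructed placeholders.
"""
import ntpath

# Executables the page reports Umbrij being side-loaded through.
SIDELOAD_HOSTS = {"bdsubwiz.exe", "vstestvideorecorder.exe", "googledesktop.exe"}

# Roots where a legitimately installed copy of these hosts would normally live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def _parent_dir(path):
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def sideload_reason(event):
    """Return why the ImageLoaded event looks like side-loading, or None."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    if ntpath.basename(image) not in SIDELOAD_HOSTS or not loaded.endswith(".dll"):
        return None
    host_dir = _parent_dir(image)
    # Normal DLL search order resolves system DLLs elsewhere (e.g. System32);
    # only a DLL sitting next to the host is a side-loading candidate.
    if _parent_dir(loaded) != host_dir:
        return None
    reasons = []
    if not host_dir.startswith(TRUSTED_ROOTS):
        reasons.append("host executable runs from a non-standard directory")
    signed = event.get("Signed", "false").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    if not (signed and valid):
        reasons.append("side-by-side DLL is unsigned or its signature is invalid")
    return "; ".join(reasons) or None


def hunt(events):
    """List (host, dll, reason) for every event that matches."""
    hits = []
    for event in events:
        reason = sideload_reason(event)
        if reason:
            hits.append((event["Image"], event["ImageLoaded"], reason))
    return hits


# Constructed sample telemetry; paths and DLL names are placeholders.
SAMPLE_EVENTS = [
    {   # benign: vendor DLL loaded by the host from its own install directory
        "Image": "C:\\Program Files\\Bitdefender\\BDSubWiz.exe",
        "ImageLoaded": "C:\\Program Files\\Bitdefender\\bdsubwiz.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # benign: system DLL resolved from System32, even though the host is relocated
        "Image": "C:\\ProgramData\\Updater\\BDSubWiz.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # suspicious: relocated host loads an unsigned DLL sitting next to it
        "Image": "C:\\ProgramData\\Updater\\BDSubWiz.exe",
        "ImageLoaded": "C:\\ProgramData\\Updater\\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # suspicious: legacy Google Desktop binary dropped into a temp directory
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\GoogleDesktop.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\googledesktopcommon.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for host, dll, why in hunt(SAMPLE_EVENTS):
        print(f"{host} -> {dll}: {why}")
```

Only the two relocated, unsigned loads are reported; the vendor DLL under Program Files and the System32 resolution are left alone. Pair this with a check on scheduled tasks whose action points at one of these hosts outside its install directory, since that is how the task named above surfaced.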

How Umbrij Operates

After execution, Umbrij performs several steps to prepare for Gmail account compromise.

The malware:

  • Verifies that a browser debugging port is available
  • Duplicates the security token of the logged-in user's Explorer process so that subsequent steps run in that user's context and can read that user's browser profile
  • Identifies installed Chrome or Microsoft Edge browser profiles
  • Searches for authenticated Google accounts within browser configuration files
  • Creates backup copies of browser profile data
  • Copies cookies, login databases, local storage, IndexedDB files, browser preferences, and other authentication data
  • Launches a cloned browser profile in headless mode
  • Connects to the browser with Puppeteer, the Node.js browser-automation library maintained by the Chrome team, which drives the browser over the Chrome DevTools Protocol
  • Requests OAuth authorization for a Google Workspace migration application
  • Automatically selects the authenticated Google account
  • Clicks through the consent screen with simulated mouse clicks to grant the requested permissions
  • Captures the OAuth authorization code for later use
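The STRD steps listed here and in the earlier summary are what an endpoint detection has to recognise, and the following added example (not tooling from Kaspersky's report, nor code from Umbrij) shows one way to do it. It evaluates records shaped like Sysmon Event ID 1 (ProcessCreate) and flags a Chromium-based browser started with a remote-debugging switch, in headless mode, with a profile directory outside the user's normal profile root, or by an unexpected parent process. The sample records are constructed, and the parent executable path is a placeholder rather than an indicator from the report.

```python
"""Flag browser launches matching the STRD pattern described above.

Added example, not tooling from Kaspersky's report or code from Umbrij. It
evaluates records shaped like Sysmon Event ID 1 (ProcessCreate) and flags a
Chromium-based browser started with a remote-debugging switch, in headless
mode, with a profile directory outside the user's normal profile root, or by
an unexpected parent process. Sample records are constructed; the parent
executable path is a placeholder, not an indicator from the report.
"""
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe"}
# Parents that normally start a browser: the shell, or the browser itself.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe"}
# Default profile roots (lower-cased fragments) for Chrome and Edge on Windows.
DEFAULT_PROFILE_ROOTS = (
    "\\appdata\\local\\google\\chrome\\user data",
    "\\appdata\\local\\microsoft\\edge\\user data",
)

DEBUG_SWITCH = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.I)
HEADLESS_SWITCH = re.compile(r"--headless\b", re.I)
USER_DATA_DIR = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.I)
CHILD_PROCESS = re.compile(r"--type=", re.I)  # renderer/gpu/utility children


def strd_reasons(event):
    """Return the list of signals seen in one ProcessCreate record."""
    image = ntpath.basename(event["Image"]).lower()
    cmd = event["CommandLine"]
    if image not in BROWSERS or CHILD_PROCESS.search(cmd):
        return []  # not a browser, or a subprocess that inherits the flags
    reasons = []
    if DEBUG_SWITCH.search(cmd):
        reasons.append("remote debugging enabled")
    if HEADLESS_SWITCH.search(cmd):
        reasons.append("headless mode")
    match = USER_DATA_DIR.search(cmd)
    if match:
        profile = (match.group(1) or match.group(2)).lower()
        if not any(root in profile for root in DEFAULT_PROFILE_ROOTS):
            reasons.append("non-default profile directory: " + profile)
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append("unexpected parent: " + parent)
    return reasons


def is_strd_candidate(event):
    """Remote debugging alone is enough; otherwise require two weaker signals."""
    reasons = strd_reasons(event)
    return "remote debugging enabled" in reasons or len(reasons) >= 2


CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_PROCESSES = [  # constructed, not real telemetry
    {   # benign: user opens Chrome from the shell
        "Image": CHROME, "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": f'"{CHROME}"',
    },
    {   # benign: Chrome renderer child inherits its parent's switches
        "Image": CHROME, "ParentImage": CHROME,
        "CommandLine": f'"{CHROME}" --type=renderer --headless=new --remote-debugging-port=0',
    },
    {   # suspicious: headless, debuggable, cloned profile, non-shell parent
        "Image": CHROME, "ParentImage": "C:\\ProgramData\\Updater\\BDSubWiz.exe",
        "CommandLine": (f'"{CHROME}" --headless=new --remote-debugging-port=0 '
                        '--user-data-dir="C:\\Users\\alice\\AppData\\Local\\Temp\\prof-copy" '
                        '--no-first-run'),
    },
    {   # triage: developer enabling DevTools on the default profile from the shell
        "Image": CHROME, "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": f'"{CHROME}" --remote-debugging-port=9222',
    },
]

if __name__ == "__main__":
    for event in SAMPLE_PROCESSES:
        flag = "ALERT" if is_strd_candidate(event) else "ok"
        print(flag, event["CommandLine"], strd_reasons(event))
```

The renderer child is skipped on purpose: every Chromium subprocess repeats the parent's switches, so without the `--type=` filter one launch produces a dozen duplicate alerts. The developer case is flagged as well; handle it with an allowlist of engineering hosts rather than by dropping the remote-debugging signal, since that switch is the one the technique cannot do without.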

The malware logs every step of the process and stores the authorization code locally before attackers retrieve it from the compromised system.

Extensive Access to Google Workspace

Once attackers exchange the authorization code for an OAuth access token, they gain broad access to multiple Google Workspace services.

Depending on the permissions granted, attackers may access:

  • Gmail
  • Google Drive
  • Google Contacts
  • Google Calendar
  • Google Tasks

Because authentication occurs through Google’s legitimate API infrastructure, malicious activity can blend into normal cloud service traffic.

How Organizations Can Protect Themselves

Security teams should regularly audit OAuth permissions granted to third-party applications.

Administrators are advised to review connected applications, in the account's third-party access settings for individual accounts or centrally in the Google Workspace Admin console, and look for unexpected applications such as:

  • Google Workspace Migration for Microsoft Outlook
  • Google Workspace Sync for Microsoft Outlook

If these applications are not actively used within the organization, their access should be revoked immediately to invalidate associated OAuth tokens.

Organizations should also:

  • Alert on browsers started with --remote-debugging-port or --remote-debugging-pipe, in headless mode, or with a --user-data-dir outside the user's normal profile location
  • Restrict which third-party OAuth applications users may authorize, and limit the scopes they can be granted
  • Detect DLL side-loading: a DLL loaded from the same directory as an executable that is running outside its normal install path
  • Monitor for unusual Google API usage, such as mailbox reads from clients the organization has not approved
  • Deploy endpoint detection capable of identifying browser automation abuse
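The OAuth audit recommended above can be scripted against the Workspace token audit feed. The following is an added example, not tooling from Kaspersky's report: it reads records shaped like the Google Workspace Reports API "token" activity, where an "authorize" event carries client_id, app_name and the granted scope list in its parameters. The records are constructed and the client IDs are placeholders. A grant is flagged when it goes to one of the two Outlook migration/sync apps while the organization does not use them, or when an app outside an allowlist receives mailbox, Drive, Contacts, Calendar or Tasks access, the services the page lists as reachable with the stolen token.

```python
"""Audit OAuth grants for the applications this page says to look for.

Added example, not tooling from Kaspersky's report. It reads records shaped
like the Google Workspace Reports API "token" activity feed, where an
"authorize" event carries client_id, app_name and the granted scope list in
its parameters; the records below are constructed and the client IDs are
placeholders.
"""

# Apps the page says to look for; set USED_APPS to those your org really deploys.
WATCHED_APPS = {
    "Google Workspace Migration for Microsoft Outlook",
    "Google Workspace Sync for Microsoft Outlook",
}
USED_APPS = set()  # assumption: this organization uses neither

# Scopes that give an attacker what the page describes (constructed selection).
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/tasks",
}
# client_ids reviewed and approved by the org (placeholder values).
ALLOWED_CLIENT_IDS = {"approved-expense-app.apps.googleusercontent.com"}


def _params(event):
    """Flatten the Reports API parameter list into a dict."""
    out = {}
    for p in event.get("parameters", []):
        out[p["name"]] = p.get("multiValue", p.get("value"))
    return out


def suspicious_grants(activities):
    """Return one finding per authorize event that should be reviewed or revoked."""
    findings = []
    for activity in activities:
        actor = activity.get("actor", {}).get("email", "?")
        for event in activity.get("events", []):
            if event.get("name") != "authorize":
                continue  # revoke/activity events are not new grants
            p = _params(event)
            app, client_id = p.get("app_name", "?"), p.get("client_id", "?")
            scopes = set(p.get("scope") or [])
            if app in WATCHED_APPS and app not in USED_APPS:
                reason = "grant to unused migration/sync app"
            elif scopes & BROAD_SCOPES and client_id not in ALLOWED_CLIENT_IDS:
                reason = "broad scopes granted to unapproved client"
            else:
                continue
            findings.append({"user": actor, "app": app, "client_id": client_id,
                             "scopes": sorted(scopes & BROAD_SCOPES), "reason": reason})
    return findings


def _activity(email, name, app, client_id, scopes):
    """Build a constructed activity record in the Reports API shape."""
    return {"actor": {"email": email},
            "events": [{"type": "auth", "name": name, "parameters": [
                {"name": "app_name", "value": app},
                {"name": "client_id", "value": client_id},
                {"name": "scope", "multiValue": scopes},
            ]}]}


SAMPLE_ACTIVITIES = [  # constructed, not real audit data
    _activity("alice@example.com", "authorize",
              "Google Workspace Migration for Microsoft Outlook",
              "migration-client.apps.googleusercontent.com",
              ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts",
               "https://www.googleapis.com/auth/calendar"]),
    _activity("bob@example.com", "authorize", "Expense Tracker",
              "approved-expense-app.apps.googleusercontent.com",
              ["https://www.googleapis.com/auth/drive.readonly"]),
    _activity("carol@example.com", "authorize", "Mail Helper",
              "unknown-helper.apps.googleusercontent.com",
              ["https://www.googleapis.com/auth/gmail.readonly"]),
    _activity("alice@example.com", "revoke", "Mail Helper",
              "unknown-helper.apps.googleusercontent.com", []),
]

if __name__ == "__main__":
    for f in suspicious_grants(SAMPLE_ACTIVITIES):
        print(f"{f['user']}: {f['app']} ({f['client_id']}) - {f['reason']}: {f['scopes']}")
```

Each finding carries the user and client_id, which is what a revocation needs: an administrator can remove the grant for that user in the Admin console or through the Admin SDK Directory API tokens.delete call, and doing so invalidates the tokens the attacker obtained from the authorization code.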

Final Thoughts

The discovery of Umbrij highlights the growing sophistication of modern cyber-espionage operations. Rather than stealing passwords, ToddyCat abuses trusted browser features and Google’s OAuth framework to silently compromise enterprise Gmail accounts.

As organizations increasingly rely on cloud-based productivity platforms, monitoring OAuth permissions, browser activity, and API usage has become just as important as protecting user credentials. Defending against these advanced techniques requires a layered security strategy that includes endpoint monitoring, cloud security visibility, and continuous auditing of third-party application access.
