    ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API

By admin, July 2, 2026

Ravie Lakshmanan, Jul 02, 2026, API Security / Cyberespionage

    The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that’s designed to gain surreptitious access to a victim’s email correspondence via the Google API.

    “In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs,” Kaspersky said in a detailed report published this week. “Because the Google API relies on the OAuth 2.0 protocol for authorization, applications can use an OAuth token to access requested email resources.”

    The adversary is said to have developed Umbrij to acquire this token and use it to connect to the browser’s management console in headless mode via a remote debugging port.

    Subsequently, a series of requests was issued to obtain an OAuth authorization code, which was then exchanged for an access token to reach the target resources via the API. The technique has been codenamed Shadow Token via Remote Debug (STRD) by the Russian cybersecurity vendor.

    What’s notable about the attack is that it’s viable on Chromium-based browsers and exploits an active Gmail session. In other words, the idea is to launch the browser in headless mode, connect via the remote debugging port to seize control, and leverage an already logged-in Gmail session to obtain access to the Google account resources.

    Three different versions of Umbrij have been uncovered, including versions that feature helper functions for debugging and for searching and selecting user accounts within the browser.


    ToddyCat is the name assigned to an advanced persistent threat (APT) that has a history of targeting various organizations in Europe and Asia since at least 2020. In November 2025, Kaspersky detailed the hacking group’s use of a custom tool dubbed TCSectorCopy to lay their hands on Microsoft Outlook email data belonging to targeted companies.

    The cybersecurity company said it discovered Umbrij during what it described as a “threat hunting operation,” as part of which a scheduled task impersonating its software (“KasperskyEndpointSecurityEDRAvp”) was used to launch a digitally signed file. The signed file then employed DLL side-loading to launch Umbrij.

    To accomplish this task, three legitimate binaries susceptible to DLL side-loading were abused –

    • BDSubWiz.exe, a component of the Submission Wizard in Bitdefender ConnectAgent
    • VSTestVideoRecorder.exe, a component of the video-recording tool used for testing with Microsoft Visual Studio
    • GoogleDesktop.exe, a discontinued Google Desktop Search application used for indexing files and performing quick searches on a local Windows computer

    Regardless of the executable used, the end result is the same: launching the rogue Umbrij DLL written in .NET and obfuscated with ConfuserEx, an open-source obfuscator. The tool can also be invoked along with command-line parameters that specify which browsers to target (Google Chrome or Microsoft Edge), instruct it to save a screenshot of the user profile as a PDF file, and provide the system username under which the tool will run.

    Umbrij workflow diagram

    Umbrij, once launched, performs a series of preparatory actions on a compromised Windows host to breach the Gmail account –

    • Verify the availability of the port that will be designated for browser debugging.
    • Retrieve the user context by searching for the “explorer.exe” process and duplicating the token of the first such process it encounters in order to retain all of that logged-in user’s privileges. Alternatively, the -user switch can be used alongside the tool to specify the target user whose token needs to be duplicated.
    • Construct the path to the web browser application folder within the user’s local application data repository and then parse the Local State file corresponding to Chrome or Edge to gather information about stored browser user profiles.
    • Enumerate all profiles and scan them for a field named “user_name” that includes an email address. It’s worth noting that the presence of an email address signals that the user is authenticated to a Google service.
    • Create a directory called “BackupFiles” within “%LOCALAPPDATA%\Google\Chrome\” and “%LOCALAPPDATA%\Microsoft\Edge\.”
    • Copy the following files and folders of each target user profile into them: IndexedDB, Local Storage, Network, Login Data, Login Data For Account, Preferences, Secure Preferences, and Web Data. Should these files be locked by other processes, the tool includes a force-copy mechanism.
    • Search the “Program Files” and “Program Files (x86)” folders for the browser installation folder for Chrome and Edge.
    • Launch the browsers in headless mode by using the user profile copied to the “BackupFiles” folder, causing the browser to apply all active user cookies, including the signed-in Google account, and skip authentication.
    • Use Puppeteer, a JavaScript library for controlling Chromium-based browsers via the Chrome DevTools Protocol, to connect to the remote debugging port and send an authorization code request that directs the browser to an “accounts.google[.]com/o/oauth2/v2/auth/identifier” URL containing a “client_id” that corresponds to a migration tool used for importing local PST files and data from Microsoft Exchange accounts into a Google Workspace account. The HTTP GET request also specifies the set of permissions required by the application.
    • Use JavaScript to emulate mouse click events to select the appropriate Google account after navigating to the URL and grant it the necessary permissions, including full access to Gmail, Drive, Contacts, Calendar, and Tasks.
    • Redirect the browser session to a local address specified in the initial request and extract the OAuth authorization code from it.
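The launch pattern described in the steps above (a Chromium-based browser started in headless mode with a remote debugging port, loading a profile copied into a “BackupFiles” directory, spawned by one of the side-loaded host binaries) is something a defender can look for in process-creation telemetry. The following detection helper is an added example, not code from the article, from Kaspersky, or from the malware; the Sysmon-style field names, the parent-process paths and every sample record are constructed for the example, and the Chromium switches it matches (`--headless`, `--remote-debugging-port`, `--user-data-dir`) are the real switches Puppeteer-driven headless sessions use.

```python
"""Added detection example (not code from the article, Kaspersky, or the
malware author). Scans constructed process-creation records for the browser
launch the article attributes to Umbrij: a Chromium-based browser started
headless with a remote debugging port, using a profile copied to a
"BackupFiles" directory, spawned by one of the side-loading hosts the
article names. Field names and all sample records are constructed."""
import re

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe"}
# Host binaries the article reports were abused for DLL side-loading.
SIDELOAD_HOSTS = {"bdsubwiz.exe", "vstestvideorecorder.exe", "googledesktop.exe"}
# Profile directory name the article reports Umbrij creates under the browser folder.
COPIED_PROFILE_DIR = "backupfiles"

# Real Chromium switches; their combination, not any one of them, is the signal.
HEADLESS_RE = re.compile(r"(?<!\S)--headless(?:=\w+)?(?!\S)")
DEBUG_PORT_RE = re.compile(r"(?<!\S)--remote-debugging-port=(\d+)(?!\S)")
USER_DATA_DIR_RE = re.compile(r'(?<!\S)--user-data-dir=(?:"([^"]*)"|(\S+))')


def basename(path):
    """Last component of a Windows or POSIX path, unquoted and lower-cased."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def analyze_event(event):
    """Return the reasons a process-creation record looks like an STRD-style
    launch; an empty list means no match."""
    if basename(event["Image"]) not in CHROMIUM_BROWSERS:
        return []
    cmd = event["CommandLine"]
    reasons = []
    port = DEBUG_PORT_RE.search(cmd)
    if HEADLESS_RE.search(cmd) and port:
        reasons.append(f"headless browser with remote debugging port {port.group(1)}")
    m = USER_DATA_DIR_RE.search(cmd)
    if m:
        profile_dir = (m.group(1) or m.group(2)).lower()
        if COPIED_PROFILE_DIR in profile_dir:
            reasons.append("profile loaded from a copied 'BackupFiles' directory")
    parent = basename(event.get("ParentImage", ""))
    if parent in SIDELOAD_HOSTS:
        reasons.append(f"spawned by side-loading host {parent}")
    return reasons


def scan(events):
    """Map process id -> reasons for every record that matched."""
    findings = {}
    for ev in events:
        reasons = analyze_event(ev)
        if reasons:
            findings[ev["ProcessId"]] = reasons
    return findings


# Constructed sample records (Sysmon-style field names; not real telemetry).
SAMPLE_EVENTS = [
    {   # ordinary interactive Chrome launch from the shell: should not match
        "ProcessId": 4120,
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    },
    {   # the pattern from the article: headless, debug port, copied profile, side-load host parent
        "ProcessId": 5532,
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\ProgramData\ExamplePath\BDSubWiz.exe",  # constructed path
        "CommandLine": (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                        r'--remote-debugging-port=9222 '
                        r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\BackupFiles"'),
    },
    {   # legitimate developer use of DevTools: debug port, but visible window and normal profile
        "ProcessId": 6011,
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223',
    },
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only the second sample record is reported, with all three reasons; the developer's Edge session with a debug port alone is not, which is the trade-off to tune: a remote debugging port by itself is common on developer machines, while headless plus a profile directory under the browser folder that the browser itself never creates is the combination worth alerting on.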

    “Umbrij, like most other tools in ToddyCat’s arsenal, logs its actions in detail and saves them to a file,” Kaspersky said. “It also saves the retrieved authorization code to this log file, which the operator subsequently exfiltrates from the compromised host.” 

    “The acquired authorization code is then exchanged for an OAuth access token. The threat actors use that token to connect to the Gmail account through the API, thus compromising corporate email communications.”

    To counter the threat, it’s advised to review the authorization codes granted to applications by navigating to “myaccount.google[.]com/connections” and then looking for applications named “Google Workspace Migration for Microsoft Outlook” or “Google Workspace Sync for Microsoft Outlook.” If either of those applications is present and is not actually used within the organization, it’s essential to revoke their access to invalidate the OAuth tokens.

    “The ToddyCat APT group continues to search for ways of compromising corporate email communications,” Andrey Gunkin, senior malware analyst at Kaspersky, said. “Their new tool, Umbrij, automates the attackers’ attempts to gain access to organizational email accounts. This automation not only helps increase the scale and frequency of their attacks but also demonstrates ToddyCat’s strong motivation and advanced technical skills.”
