ToddyCat Deploys Umbrij to Steal Gmail Access via OAuth Hijacking
Kaspersky uncovers Umbrij, a .NET tool used by APT group ToddyCat to steal Gmail OAuth tokens through browser remote debugging—no credentials needed.
Kaspersky researchers have attributed a previously undocumented malware tool called Umbrij to the ToddyCat APT group. The .NET-based malware steals Gmail access by hijacking OAuth tokens through a technique researchers dubbed "Shadow Token via Remote Debug"—and it doesn't need the victim's password to work.
ToddyCat has operated since at least 2020, historically targeting government and diplomatic organizations across Europe and Asia. This latest tool demonstrates the group's focus on email compromise as an intelligence-gathering technique, specifically targeting corporate Gmail accounts where organizations have migrated their communications to Google Workspace.
How Umbrij Steals Gmail Access
The attack begins after ToddyCat has already established a foothold on a victim's machine, typically through spear-phishing or other initial access techniques. Umbrij then executes a sophisticated attack chain:
- The malware copies the victim's browser profile data, including cookies, cached credentials, and authentication tokens
- It launches Chrome or Edge in headless mode with remote debugging enabled
- Using the DevTools protocol, Umbrij takes control of the authenticated browser session
- The tool submits OAuth permission requests using the victim's active Google login
The key insight is that browsers already hold authenticated sessions to Google services. Rather than stealing passwords, Umbrij exploits these existing sessions to generate OAuth authorization codes. It then exchanges these codes for access tokens that provide persistent access to the victim's Gmail, Google Drive, Calendar, and other Google services.
Technical Implementation
Umbrij connects to browsers via the Puppeteer Sharp library and uses client IDs belonging to legitimate Google applications—specifically Google Workspace Migration for Outlook (GWMMO) and Google Workspace Sync for Outlook (GWSMO). These are real Google applications, making the token requests appear legitimate.
The tool intentionally omits proper redirect URIs in its OAuth requests. It doesn't need them—the sole objective is capturing the authorization code parameter from Google's response. Three versions of Umbrij have been identified, each with varying capabilities for debugging, account selection, and browser targeting.
Kaspersky discovered the malware during threat hunting when they found a scheduled task named "KasperskyEndpointSecurityEDRAvp"—spoofing their own product name—that launched a digitally signed executable. That executable then used DLL side-loading to deploy Umbrij, a technique that helps evade security tools by hiding malicious code behind legitimate binaries.
Detection and Response
Organizations can detect Umbrij activity through several indicators:
Browser Launch Anomalies: Chromium-based browsers launching with --remote-debugging-port combined with --headless flags represent unusual activity on standard workstations. This combination appears almost exclusively in developer environments or malicious contexts.
DLL Side-Loading Patterns: The malware abuses legitimate executables from Bitdefender, Visual Studio, and Google Desktop. Monitor for these applications loading DLLs from unexpected locations like C:\Windows\Vss\, C:\Windows\Temp\, or C:\Users\Public\.
Unauthorized OAuth Grants: Users should check https://myaccount.google.com/connections for unexpected GWMMO or GWSMO access grants. Security teams can audit these programmatically across the organization.
Known File Hashes (MD5):
- Version a: 1AB58838E5790EFB22F2D35AB98C0B7D
- Version b: 22AAEB4946BA6D2F2E27FEB7DBB295DE
- Version c: F169D6D172DFB775895A5E2B1540C854
Mitigation Strategies
The Kaspersky report recommends several defensive measures:
- Disable Developer Tools in Chrome via Group Policy - Set
DeveloperToolsAvailabilityto0x00000002to prevent remote debugging - Audit Third-Party App Access - Regularly review which applications have OAuth access to organizational Google accounts
- Monitor Scheduled Tasks - Watch for tasks impersonating security software, a common persistence technique
- Implement Browser Logging - Capture browser process command-line arguments to detect debugging-port abuse
For organizations already using Google Workspace, this attack underscores the importance of treating OAuth grants as critically as passwords. An attacker with a valid OAuth token can access email indefinitely without triggering password-based alerts, and these tokens often persist even after password changes.
Connection to Broader ToddyCat Operations
This campaign fits ToddyCat's established pattern of targeting email systems for intelligence collection. The group has previously deployed various tools for similar purposes, and nation-state actors increasingly prioritize email access as a primary intelligence-gathering vector.
The use of Google API exploitation also parallels techniques observed in other credential theft campaigns where attackers prioritize legitimate access mechanisms over traditional malware persistence. By obtaining valid OAuth tokens, attackers gain access that's difficult to distinguish from legitimate user activity.
Organizations relying on Google Workspace for business communications should treat this disclosure as a reminder to audit their OAuth grant policies and monitor for the specific indicators Kaspersky has published.
Related Articles
PamStealer Validates Your Mac Password Before Stealing It
Jamf Threat Labs uncovers a macOS infostealer that impersonates the Maccy clipboard manager, validates credentials through PAM, then harvests browser data, crypto wallets, and iCloud Keychain.
Jul 3, 2026npm Typosquat Packages Drop PowerShell RAT Targeting Chrome Creds
Three malicious packages impersonating PostCSS tools deploy a multi-stage Windows RAT. The payload steals saved passwords by bypassing Chrome's app-bound encryption.
Jun 24, 2026OnyxC2 Infostealer Targets 210 Apps, Offers Refunds If Detected
BlackFog researchers detail OnyxC2 MaaS stealer pricing at $250/month. Targets browsers, crypto wallets, password managers with DLL sideloading delivery that bypasses VirusTotal detection.
Jun 12, 2026Storm Infostealer Decrypts Stolen Credentials Server-Side to Evade Detection
New MaaS stealer ships encrypted browser data to attacker infrastructure for decryption, bypassing endpoint detection. Session hijacking with geo-matched proxies defeats MFA.
Jun 4, 2026