Advanced Persistent Threat

ToddyCat apt deploys umbrij malware to hijack gmail via oauth token theft

ToddyCat's latest tool, Umbrij, automates theft of OAuth tokens from active Gmail sessions by launching Chromium browsers in headless mode and controlling them via remote debugging ports. The malware can extract authorization codes granting full access to Gmail, Drive, Contacts, Calendar, and Tasks.

Emmanuel Fabrice Omgbwa Yasse

2026-07-02 · 4 min read

ToddyCat apt deploys umbrij malware to hijack gmail via oauth token theft

Kaspersky has published a detailed report identifying a new malware strain called Umbrij, which they attribute to the advanced persistent threat group ToddyCat. Umbrij is designed to steal OAuth authorization codes from active Google sessions by exploiting Chromium-based browsers' remote debugging capabilities. The technique, codenamed Shadow Token via Remote Debug (STRD), enables the adversary to access corporate email communications hosted on Gmail without needing user credentials.

According to Kaspersky, the attackers developed Umbrij to acquire OAuth tokens and use them to connect to a browser's management console in headless mode via a remote debugging port. The malware then issues a series of requests to obtain an OAuth authorization code, which is exchanged for an access token that provides API-level access to target resources. What makes this attack particularly effective is that it does not require the victim to click on any malicious links or download suspicious attachments, it simply exploits an existing, active Gmail session on a compromised host.

Attack workflow and technical details

Umbrij is a .NET-based DLL obfuscated with ConfuserEx and deployed via DLL side-loading. Kaspersky identified three legitimate binaries abused for this purpose: BDSubWiz.exe (a Bitdefender component), VSTestVideoRecorder.exe (part of Microsoft Visual Studio), and GoogleDesktop.exe (a discontinued Google Desktop Search application). The malware can be invoked with command-line parameters specifying target browsers (Google Chrome or Microsoft Edge), whether to save a screenshot of the user profile as a PDF, and the system username under which the tool will run.

Once launched, Umbrij performs a series of preparatory actions on a compromised Windows host. It verifies the availability of the port designated for browser debugging, retrieves the user context by searching for 'explorer.exe' and duplicating its token to retain all logged-in user's privileges, and constructs the path to the browser application folder within the user's local application data. The malware then parses the Local State file corresponding to Chrome or Edge to gather information about stored browser user profiles.

Umbrij enumerates all profiles and scans them for a field named 'user_name' that includes an email address, the presence of an email address signals that the user is authenticated to a Google service. It creates a 'BackupFiles' directory within the browser's local appdata folders and copies critical profile files such as IndexedDB, Local Storage, Network, Login Data, Preferences, and Web Data. A force-copy mechanism ensures locked files are still copied.

Headless browser exploitation

The malware then searches the 'Program Files' and 'Program Files (x86)' folders for Chrome and Edge installations. It launches the browsers in headless mode using the copied profile, causing them to apply all active user cookies, including the signed-in Google account, and skip authentication. Using Puppeteer, a JavaScript library for controlling Chromium-based browsers via the Chrome DevTools Protocol, Umbrij connects to the remote debugging port and sends an authorization code request.

The HTTP GET request directs the browser to a Google OAuth URL at 'accounts.google.com/o/oauth2/v2/auth/identifier' with a 'client_id' corresponding to a migration tool used for importing local PST files and data from Microsoft Exchange accounts into a Google Workspace account. The request also specifies the set of permissions required by the application. JavaScript emulates mouse click events to select the appropriate Google account and grant full access to Gmail, Drive, Contacts, Calendar, and Tasks.

The browser session is redirected to a local address specified in the initial request, and the OAuth authorization code is extracted from the URL. 'Umbrij, like most other tools in ToddyCat's arsenal, logs its actions in detail and saves them to a file. It also saves the retrieved authorization code to this log file, which the operator subsequently exfiltrates from the compromised host,' Kaspersky noted.

Attribution and historical context

ToddyCat is the name assigned to an APT group that has been active since at least 2020, targeting organizations across Europe and Asia. The group has previously demonstrated interest in email data exfiltration. In November 2025, Kaspersky detailed ToddyCat's use of a custom tool called TCSectorCopy to steal Microsoft Outlook email data from targeted companies.

The Umbrij discovery is notable for its automation. 'The ToddyCat APT group continues to search for ways of compromising corporate email communications. Their new tool, Umbrij, automates the attackers' attempts to gain access to organizational email accounts. This automation not only helps increase the scale and frequency of their attacks but also demonstrates ToddyCat's strong motivation and advanced technical skills,' said Andrey Gunkin, senior malware analyst at Kaspersky.

Mitigation advice

To counter the threat, organizations and individuals should review the authorization codes granted to applications by navigating to 'myaccount.google.com/connections' and looking for applications named 'Google Workspace Migration for Microsoft Outlook' or 'Google Workspace Sync for Microsoft Outlook.' If either of those applications is present and not actually used, it is essential to revoke their access to invalidate the OAuth tokens. Given the sophistication of the attack, users are also advised to monitor browser extensions and ensure that Chromium-based browsers are kept up to date.