ToddyCat APT's Umbrij Tool: Gmail OAuth Token Theft via DLL Sideloading and Browser Remote Debugging
Source report →ToddyCat is an APT group tracked by Kaspersky (MITRE ATT&CK G1022) with confirmed activity dating back to at least December 2020, historically associated with intrusions against government, military and diplomatic entities across Europe and Asia. Kaspersky's latest research documents a new purpose built tool, Umbrij, that the group deploys post-compromise to pivot from endpoint access into durable control of a victim's corporate email. Rather than harvesting a password, Umbrij steals an OAuth authorization token for the victim's Gmail or Google Workspace account, giving the operator standing access to mail and connected Google services that survives a password reset and does not require re-exploiting the endpoint.
Umbrij assumes the attacker already has code execution on the host and is built almost entirely around staying invisible while it operates. It loads via DLL sideloading, riding inside three unrelated but legitimately signed applications, so each malicious DLL inherits the trust of its signed host process. Persistence is handled by a scheduled task disguised as a Kaspersky endpoint security component, and the tool raises its effective privileges by duplicating the access token already held by the explorer.exe process rather than exploiting a vulnerability, a technique that also gives it a stable, user-context identity to operate under.
Once running, Umbrij copies the victim's Chrome or Edge browser profile into a separate backup folder so it can work against an already authenticated session without disturbing the live profile, then flips a Chrome policy registry value to permit developer tools before launching the browser headlessly with a remote debugging port enabled. Driving the browser over the DevTools protocol through the Puppeteer Sharp automation library, obfuscated .NET code that Kaspersky notes is protected with ConfuserEx, it walks the copied session through Google's OAuth consent flow under the identity of Google's own Workspace Migration and Workspace Sync client applications, captures the resulting authorization code, and can target specific victim profiles by reading the browser's Local State file for cached account email addresses. Every step of this, including the harvested OAuth codes, is written to a log file that operators later retrieve.
The detail that makes this campaign notable is that the stolen access rides through Google's own, genuinely signed Workspace Migration and Workspace Sync applications rather than a newly registered or unfamiliar OAuth client. To a defender or an end user reviewing connected apps, the resulting grant looks like a routine third-party mail migration tool rather than a suspicious new integration, which is precisely what lets the token persist unnoticed.
IOCs (7)
Scan your environment for IOCs →MD5 FILE HASH 7
1ab58838e5790efb22f2d35ab98c0b7da7d7d6c4c3f227f7117261c63b9e23a93d3a621f852c42d97fd7260681e425083432dd9ac0df80ef86eb80bd080f839b22aaeb4946ba6d2f2e27feb7dbb295def61fbfb7aa1cd5dc8f70b055b51563e2f169d6d172dfb775895a5e2b1540c854Detections (9)
Enable detections →Connect your environment for suggestions and queries personalized to your security telemetry.
- API Access Authorized in Google Workspace
- DLL Sideloading of known binaried abused by Toddycat APT
- Chrome Policy Registry Value Disabling DeveloperToolsAvailability Restriction
- Process Executed With Distinctive Umbrij Command-Line Flags
- Scheduled Task Masquerading as Kaspersky Endpoint Security EDR (KasperskyEndpointSecurityEDRAvp)
- Explorer.exe Access Token Duplicated by a Non-System Process
- Browser Local State File Read by Non-Browser Process to Enumerate Cached Account Profiles
- Non-Browser Process Directly Accessing Chrome/Edge Credential and Session Storage Files