ToddyCat's Umbrij Malware Exploits OAuth Tokens to Hijack Gmail Sessions
Kaspersky researchers have uncovered a sophisticated new malware dubbed Umbrij, attributed to the advanced persistent threat group ToddyCat, which leverages the Google API and OAuth 2.0 protocol to covertly access corporate Gmail inboxes. The technique, internally codenamed Shadow Token via Remote Debug (STRD), exploits active sessions in Chromium-based browsers by launching them in headless mode and connecting through a remote debugging port. Once connected, the malware seizes control of the browser, harvests an OAuth authorization code from the authenticated session, and exchanges it for an access token that unlocks the victim's email resources via the API.
The attack chain begins with a scheduled task impersonating Kaspersky software ("KasperskyEndpointSecurityEDRAvp") that launches a digitally signed file. This signed binary then performs DLL side-loading to execute the rogue Umbrij payload, a .NET assembly obfuscated with ConfuserEx. Analysts identified three legitimate, signed binaries susceptible to DLL side-loading being abused for this purpose: BDSubWiz.exe (Bitdefender ConnectAgent), VSTestVideoRecorder.exe (Microsoft Visual Studio testing tool), and the now-discontinued GoogleDesktop.exe. Three distinct versions of Umbrij were recovered during a threat hunting operation; later builds add helper functions for browser debugging and automated user account discovery. Operators can also pass command-line parameters specifying whether to target Google Chrome or Microsoft Edge.
ToddyCat is a well-documented APT group that has targeted organizations across Europe and Asia since at least 2020. Kaspersky previously detailed the group's TCSectorCopy tool in November 2025, which was used to steal Outlook email data from corporate environments, signaling a sustained focus on email-based espionage. The Umbrij campaign reinforces this pattern, with attackers specifically prioritizing Gmail-hosted corporate communications rather than personal accounts.
To reduce exposure to browser-borne credential theft, security teams should verify that remote debugging ports are never left exposed on endpoints. Administrators can audit their browser attack surface with a port scanner, while individual users concerned about account compromise can run an email breach checker to confirm whether their Gmail credentials have surfaced in known leaks, and a browser fingerprint test to assess how identifiable their browser environment is to trackers and malicious scripts.
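As an added illustration (not code from Kaspersky's report or from the Umbrij samples), the following Python sketch shows the detection logic a defender could run over process-creation telemetry to catch the STRD pattern described above and the exposed-debugging-port condition in the mitigation advice: a Chromium-based browser started with a remote debugging flag, scored higher when it is also headless or launched by an unexpected parent process. The event records, field names and file paths are constructed for this example.

```python
import re

BROWSERS = ("chrome.exe", "msedge.exe")
# Flags that open Chromium's DevTools protocol to an external controller.
DEBUG_FLAGS = {"remote-debugging-port", "remote-debugging-pipe"}
# Matches --flag or --flag=value, where value may be a quoted path with spaces.
FLAG_RE = re.compile(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?')

# Constructed sample records (shape loosely modelled on Sysmon Event ID 1 / EDR
# process-creation telemetry). Not real data; the side-loading host process
# name comes from the article, the paths and user name are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
                r'--remote-debugging-port=9222 --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"',
     "parent": r"C:\Users\alice\AppData\Local\Temp\BDSubWiz.exe"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222',
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

def parse_flags(cmdline):
    """Return {flag: value or None} for every --flag[=value] on a Chromium command line."""
    return {name: (val.strip('"') if val else None) for name, val in FLAG_RE.findall(cmdline)}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def assess(event):
    """Classify one record; returns (severity, reasons) or None when no debugging flag is set."""
    if basename(event["image"]) not in BROWSERS:
        return None
    flags = parse_flags(event["cmdline"])
    debug = sorted(DEBUG_FLAGS & flags.keys())
    if not debug:
        return None
    reasons = [f"--{f}={flags[f]}" for f in debug]
    severity = "medium"  # a developer attaching DevTools interactively looks like this too
    if "headless" in flags:  # covers --headless and --headless=new
        reasons.append("headless: no visible window, so the user sees nothing")
        severity = "high"
    parent = basename(event["parent"])
    if parent not in BROWSERS + ("explorer.exe",):
        reasons.append(f"unexpected parent process {parent}")
        severity = "high"
    return severity, reasons

def scan(events):
    """Return [(parent name, severity, reasons)] for every event that warrants review."""
    findings = []
    for event in events:
        verdict = assess(event)
        if verdict:
            findings.append((basename(event["parent"]), *verdict))
    return findings
```

Because legitimate tooling also uses the DevTools port, the medium-severity hits are review candidates rather than alerts; the headless-plus-unexpected-parent combination is the one worth paging on.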