A cyberespionage group known as ToddyCat has found a quiet way into corporate inboxes. Instead of phishing for passwords, it borrows a browser session the victim already has open. Researchers at Kaspersky, in a new analysis, have detailed a tool called Umbrij that hijacks a logged-in Chrome or Edge session to mint a Google OAuth token and read a target's Gmail through Google's own API, leaving little for monitoring tools to catch.
ToddyCat has spent months hunting corporate email while trying to stay ahead of endpoint defenses. Its earlier data-theft methods were reliably caught by EPP and EDR products, so the group built Umbrij specifically to slip past them and automate the whole operation. Any organization that runs corporate mail on Gmail or Google Workspace is in scope.
How the attack works
OAuth is the standard that lets one app reach your Google data without ever seeing your password, by handing it a token instead. Kaspersky calls ToddyCat's twist Shadow Token via Remote Debug (STRD). Chromium-based browsers expose a remote debugging port for developers, and if the victim has not logged out of Gmail, the browser keeps an active session alive. Umbrij launches the browser in headless mode, connects to that debugging port to take control, and walks through an OAuth request inside the user's live session to obtain an authorization code. It then exchanges that code for an access token and uses it to reach Gmail and other Google services through the API. Because it rides a genuine session and speaks to Google's legitimate endpoints, there is no password prompt and nothing that looks obviously like malware.
How it gets onto the machine
Umbrij is a .NET DLL obfuscated with ConfuserEx, and Kaspersky found three versions. It arrives through DLL sideloading, in which a signed, legitimate executable is tricked into loading a malicious DLL placed alongside it. The observed carriers include Bitdefender's BDSubWiz.exe (loading log.dll), a Visual Studio test video recorder, and the long-discontinued Google Desktop Search. To blend in, the attackers ran the tool from a scheduled task named KasperskyEndpointSecurityEDRAvp, impersonating security software that does not actually create such tasks.
This is the second tool Kaspersky has documented in ToddyCat's push to read corporate correspondence undetected, after earlier browser and email theft utilities. It fits a wider pattern of state-aligned groups quietly abusing trusted services rather than dropping noisy malware, as seen with MuddyWater's DHCSpy surveillance tool and Kimsuky's use of legitimate remote access software.
What you should do
Defenders should watch for browsers launched with remote debugging flags, scheduled tasks that impersonate security agents, and DLL sideloading from the signed binaries listed above. On the identity side, review OAuth app grants and active sessions in Google Workspace, force session and token revocation for suspect accounts, and require users to fully log out rather than leaving Gmail sessions open indefinitely.
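To make the host-side checks above concrete, here is an added triage script (not Kaspersky's or the briefing's own code) that runs the three signals over constructed Sysmon-style events: a Chromium browser started with remote debugging, the BDSubWiz.exe/log.dll sideload pair running outside a vendor install directory, and the impersonating scheduled-task name. The event field names, the browser executable list and the Program Files heuristic are assumptions; the sideload pair and the task name are the ones the briefing reports.

```python
import re
from pathlib import PureWindowsPath

# Signals from the briefing, plus assumed helper constants.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe"}  # assumption: the two browsers named above
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(port|pipe)\b", re.IGNORECASE)
HEADLESS_RE = re.compile(r"--headless\b", re.IGNORECASE)
SIDELOAD_PAIRS = {"bdsubwiz.exe": "log.dll"}  # only carrier the analysis names by file
IMPERSONATING_TASKS = {"kasperskyendpointsecurityedravp"}
TRUSTED_DIRS = {"program files", "program files (x86)"}  # assumption: vendor installs live here


def outside_trusted_dirs(path: str) -> bool:
    """True when a binary runs from somewhere other than a Program Files tree."""
    return not any(part.lower() in TRUSTED_DIRS for part in PureWindowsPath(path).parts)


def triage(event: dict) -> list:
    """Return the reasons an event matches Umbrij-style activity (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        image = PureWindowsPath(event["image"]).name.lower()
        cmd = event.get("command_line", "")
        if image in CHROMIUM_BROWSERS and REMOTE_DEBUG_RE.search(cmd):
            hits.append("browser launched with remote debugging enabled")
            if HEADLESS_RE.search(cmd):
                hits.append("browser launched headless, so the user sees no window")
    elif kind == "image_load":
        host = PureWindowsPath(event["image"])
        dll = PureWindowsPath(event["loaded"])
        if (SIDELOAD_PAIRS.get(host.name.lower()) == dll.name.lower()
                and dll.parent == host.parent and outside_trusted_dirs(str(host))):
            hits.append(f"{host.name} loaded {dll.name} from its own non-standard directory")
    elif kind == "task_register":
        if event["task_name"].strip("\\").lower() in IMPERSONATING_TASKS:
            hits.append("scheduled task name impersonates Kaspersky EDR")
    return hits


# Constructed sample telemetry (Sysmon-style fields), not real logs.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": '"chrome.exe" --headless --remote-debugging-port=9222'},
    {"type": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": '"chrome.exe" https://mail.google.com/'},
    {"type": "image_load", "image": r"C:\Users\a\AppData\Roaming\Update\BDSubWiz.exe",
     "loaded": r"C:\Users\a\AppData\Roaming\Update\log.dll"},
    {"type": "task_register", "task_name": r"\KasperskyEndpointSecurityEDRAvp"},
]
```

Feed real process-creation, image-load and task-registration events into triage() in the same field layout; the second sample (a normal Gmail launch) shows that an ordinary browser start raises nothing.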
Indicators of compromise
Umbrij samples (MD5): 1ab58838e5790efb22f2d35ab98c0b7d, a7d7d6c4c3f227f7117261c63b9e23a9, 3d3a621f852c42d97fd7260681e42508, 3432dd9ac0df80ef86eb80bd080f839b. Kaspersky detects the tool as HEUR:Trojan-PSW.MSIL.Umbrij.gen.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.