ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API

https://thehackernews.com/2026/07/toddycat-linked-umbrij-malware-abuses.html

Publish Date: 2026-07-02 09:04:00

Source Domain: thehackernews.com

Ravie Lakshmanan, Jul 02, 2026, API Security / Cyberespionage

The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that’s designed to gain surreptitious access to a victim’s email correspondence via the Google API.

“In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs,” Kaspersky said in a detailed report published this week. “Because the Google API relies on the OAuth 2.0 protocol for authorization, applications can use an OAuth token to access requested email resources.”

The adversary is said to have developed Umbrij to acquire this token and use it to connect to the browser’s management console in headless mode via a remote debugging port.

Subsequently, a series of requests was issued to obtain an OAuth authorization code, which was then exchanged for an access token to reach the target resources via the API. The technique has been codenamed Shadow Token via Remote Debug (STRD) by the Russian cybersecurity vendor.

What’s notable about the attack is that it’s viable on Chromium-based browsers and exploits an active Gmail session. In other words, the idea is to launch the browser in headless mode, connect via the remote debugging port to seize control, and leverage an already logged-in Gmail session to obtain access to the Google account resources.
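The article describes the STRD pattern as a Chromium-based browser launched in headless mode with a remote debugging port exposed. The detection logic below is an added example from the editor, not code from Kaspersky or from the article: it scans constructed process-creation records (a `pid|image|cmdline` format assumed for this example) and flags a Chromium-family browser started with both a headless switch and a remote-debugging switch. The switch names `--headless`, `--remote-debugging-port` and `--remote-debugging-pipe` are real Chromium switches; the browser list and the scoring rule are assumptions.

```python
import re
from dataclasses import dataclass, field

# Executable names of Chromium-based browsers (constructed list for this example).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium",
                     "chromium-browser", "google-chrome"}
# Real Chromium switches; pairing them is the assumption behind this rule.
HEADLESS_SWITCH = "headless"                     # matches --headless and --headless=new
DEBUG_SWITCHES = {"remote-debugging-port", "remote-debugging-pipe"}
SWITCH_RE = re.compile(r"(?<!\S)--([A-Za-z0-9-]+)(?:=(\S*))?")


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def parse_switches(cmdline: str) -> dict:
    """Return {switch_name: value} for every --switch[=value] token in a command line."""
    return {name.lower(): value for name, value in SWITCH_RE.findall(cmdline)}


def assess_process(pid: int, image: str, cmdline: str):
    """Flag a Chromium-family browser launched headless with a remote debugging endpoint.
    Either switch alone is common in legitimate automation, so only the pair is reported."""
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in CHROMIUM_BROWSERS:
        return None
    switches = parse_switches(cmdline)
    debug = sorted(switches.keys() & DEBUG_SWITCHES)
    if HEADLESS_SWITCH in switches and debug:
        reasons = ["headless mode"] + [f"remote debugging via --{s}" for s in debug]
        return Finding(pid, image, reasons)
    return None


def scan(log_lines):
    """Parse 'pid|image|cmdline' process-creation records and return the findings."""
    findings = []
    for line in log_lines:
        pid, image, cmdline = line.split("|", 2)
        finding = assess_process(int(pid), image, cmdline)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry): only pid 4120 matches the STRD pattern.
SAMPLE_LOG = [
    '4120|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --headless=new --remote-debugging-port=9222',
    '4188|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" https://mail.google.com/',
    '5010|/usr/bin/chromium|chromium --headless --screenshot=page.png https://example.org',
    '5200|C:\\Windows\\System32\\notepad.exe|notepad.exe --headless --remote-debugging-port=9222',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"pid {f.pid}: {f.image} -> {', '.join(f.reasons)}")
```

In a real deployment the same rule maps onto Sysmon event ID 1 or auditd execve records; tune the browser list to the fleet's installed Chromium builds.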

Three different versions of Umbrij have been uncovered, including versions that feature helper functions for debugging and for searching and selecting user accounts within the browser.

ToddyCat is the name assigned to an advanced persistent threat (APT) that has a history of targeting various organizations in Europe and Asia since at least 2020. In November 2025, Kaspersky detailed the hacking group’s use of a custom tool dubbed TCSectorCopy to lay their hands on Microsoft Outlook email data belonging to targeted companies.

The cybersecurity company said it discovered Umbrij during…
