ToddyCat Uses OAuth Abuse to Silently Compromise Corporate Gmail Accounts
- Javier Conejo del Cerro
- 2 jul
- 2 min de lectura

Researchers at Kaspersky have uncovered Umbrij, a new malware attributed to the ToddyCat advanced persistent threat (APT). Instead of stealing passwords or bypassing authentication directly, Umbrij abuses Google’s OAuth authorization process to obtain legitimate access tokens, allowing attackers to access corporate Gmail accounts through official Google APIs.
The technique, dubbed Shadow Token via Remote Debug (STRD), demonstrates how trusted authentication mechanisms can be weaponized once an attacker gains access to an already logged-in endpoint.
Phase 1 – DLL Side-Loading Delivers Umbrij
The infection begins by abusing legitimate signed Windows applications vulnerable to DLL side-loading.
Components from Bitdefender, Microsoft Visual Studio, and the legacy Google Desktop application are leveraged to execute the malicious Umbrij DLL while blending into normal system activity.
Once launched, the malware gathers information about Chrome and Microsoft Edge installations, browser profiles, and authenticated Google accounts.
Phase 2 – Hijacking an Existing Gmail Session
Rather than attempting to steal passwords, Umbrij copies the victim’s browser profile—including cookies and authentication data—and launches Chrome or Edge in headless mode using a remote debugging port.
The malware connects through Puppeteer and silently navigates Google’s OAuth authorization workflow using the victim’s active session.
By simulating user interaction, it authorizes a legitimate Google Workspace migration application and retrieves an OAuth authorization code without requiring the victim to log in again.
Phase 3 – Full API Access to Corporate Data
The authorization code is exchanged for an OAuth access token, giving attackers legitimate API access to Google services.
Depending on the granted permissions, attackers can access:
Gmail
Google Drive
Contacts
Calendar
Google Tasks
Because access occurs through Google’s official APIs, malicious activity can closely resemble legitimate application behavior, making detection significantly more difficult.
Phase 4 – Automation at Scale
Umbrij logs every step of the compromise, stores the retrieved authorization code, and prepares it for exfiltration.
The malware also supports multiple browser profiles, command-line options, screenshots of user profiles, and extensive debugging features, allowing operators to automate compromises across numerous corporate endpoints with minimal interaction.
This represents another evolution in ToddyCat’s long-running focus on corporate email espionage.
Defense Measures
Organizations should immediately:
Review OAuth applications connected to Google Workspace accounts.
Remove unauthorized applications such as Google Workspace Migration for Microsoft Outlook or Google Workspace Sync for Microsoft Outlook if they are not legitimately used.
Monitor browser launches using remote debugging ports.
Detect DLL side-loading activity involving signed binaries.
Monitor browser profile cloning and suspicious Puppeteer activity.
Strengthen endpoint detection and response (EDR) capabilities.
Audit privileged Google Workspace accounts regularly.
Apply the principle of least privilege to OAuth application permissions.
Conclusions
Umbrij highlights how attackers are increasingly shifting from credential theft toward abusing legitimate authentication mechanisms.
By leveraging existing browser sessions and Google’s own OAuth infrastructure, ToddyCat can obtain persistent access to corporate email without triggering traditional login alerts or requiring stolen passwords.
As organizations continue adopting cloud collaboration platforms, monitoring OAuth permissions and trusted application authorizations becomes just as critical as protecting user credentials. Modern attacks increasingly target trust relationships rather than authentication itself, making identity governance an essential layer of enterprise security.




Comentarios