
How access to Gmail accounts is gained

Severity: Medium
Published: 06/30/2026 (06/30/2026, 11:56:29 UTC)
Source: AlienVault OTX General

Description

The ToddyCat APT group developed a sophisticated tool called Umbrij to compromise Gmail corporate accounts through OAuth token theft. The malware exploits Chromium-based browsers by launching them in headless mode with remote debugging enabled, utilizing the Shadow Token via Remote Debug (STRD) technique. Umbrij automates the entire attack chain: it copies user profiles, launches browsers with debugging ports, connects via Puppeteer Sharp library, and manipulates OAuth flows by impersonating legitimate Google Workspace migration tools. The tool specifically targets client IDs for Google Workspace Migration for Microsoft Outlook and Google Workspace Sync applications, requesting extensive permissions for email, calendar, drive, and contacts. ToddyCat deploys Umbrij through DLL sideloading techniques using signed files from Bitdefender, Visual Studio, and Google Desktop Search. This automated approach enables scalable compromise of organizational email communications while evading traditional security monito...

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/30/2026, 14:22:10 UTC

Technical Analysis

Umbrij is a sophisticated malware tool developed by the ToddyCat APT group to compromise Gmail corporate accounts through OAuth token theft. It exploits Chromium-based browsers by launching them in headless mode with remote debugging enabled, using the Shadow Token via Remote Debug (STRD) technique. The malware automates the attack chain by copying user profiles, launching browsers with debugging ports, connecting via the Puppeteer Sharp library, and manipulating OAuth authorization flows by impersonating legitimate Google Workspace migration tools. It specifically targets client IDs associated with Google Workspace Migration for Microsoft Outlook and Google Workspace Sync applications, requesting extensive permissions to access email, calendar, drive, and contacts data. ToddyCat deploys Umbrij through DLL sideloading techniques, leveraging signed files from Bitdefender, Visual Studio, and Google Desktop Search to evade detection. This approach allows scalable compromise of organizational email communications while bypassing traditional security monitoring.

Potential Impact

Successful exploitation results in unauthorized access to corporate Gmail accounts by stealing OAuth tokens, potentially exposing sensitive email communications, calendar entries, drive files, and contacts. The attack leverages legitimate OAuth flows and trusted client IDs, increasing the likelihood of bypassing security controls. The use of DLL sideloading with signed binaries aids evasion of endpoint security solutions. There are no known exploits in the wild reported at this time.

Mitigation Recommendations

No official patch or remediation guidance is provided in the available data. Organizations should monitor for suspicious use of Chromium-based browsers in headless mode with remote debugging enabled and investigate DLL sideloading activities involving signed files from Bitdefender, Visual Studio, and Google Desktop Search. Reviewing OAuth client permissions and restricting use of Google Workspace migration tools where possible may reduce risk. Employing multi-factor authentication and monitoring OAuth token usage can help detect unauthorized access. Patch status is not yet confirmed — check vendor advisories and trusted threat intelligence sources for updates.
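The monitoring advice above can be turned into a concrete check. The following Python is an added example, not part of the report or of any vendor tooling: it scores process-creation events (constructed sample data) for the combination the report describes, a Chromium-family browser started headless with a DevTools remote-debugging switch, against a non-standard profile directory, from a non-interactive parent. The field names `image`, `cmdline` and `parent_image`, and the default profile-root paths, are assumptions.

```python
import re

# Chromium-family executables that honour --headless and --remote-debugging-*.
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Default Chrome/Edge profile roots; a debug session elsewhere fits the copied-profile step above.
STANDARD_PROFILE_ROOTS = (r"\appdata\local\google\chrome\user data", r"\appdata\local\microsoft\edge\user data")
HEADLESS_RE = re.compile(r"^--headless(=\w+)?$", re.I)
DEBUG_RE = re.compile(r"^--remote-debugging-(port|pipe)(=\d+)?$", re.I)
PROFILE_RE = re.compile(r'^--user-data-dir="?(.+?)"?$', re.I)
# Tokenizer that keeps a double-quoted value attached to its switch (shlex would split it).
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')

def score_process_event(event: dict) -> list:
    """Reasons an event resembles an STRD-style browser launch (empty list = benign)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_IMAGES:
        return []
    args = TOKEN_RE.findall(event["cmdline"])[1:]  # drop argv[0]
    headless = any(HEADLESS_RE.match(a) for a in args)
    debug = any(DEBUG_RE.match(a) for a in args)
    profile = next((m.group(1) for a in args if (m := PROFILE_RE.match(a))), None)
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if headless and debug:
        reasons.append("headless browser started with DevTools remote debugging")
    if debug and profile and not any(r in profile.lower() for r in STANDARD_PROFILE_ROOTS):
        reasons.append(f"remote-debugging session against non-standard profile {profile}")
    if debug and parent and parent not in ("explorer.exe", image):
        reasons.append(f"remote-debugging browser spawned by {parent}")
    return reasons

def scan(events: list) -> list:
    """Run the check over a batch of process-creation events and return only the hits."""
    return [{"index": i, "image": e["image"], "reasons": r}
            for i, e in enumerate(events) if (r := score_process_event(e))]

# Constructed sample events (not from the report); field names follow a generic EDR schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                r'--remote-debugging-port=9222 --user-data-dir="C:\Users\jdoe\AppData\Local\Temp\profile copy"',
     "parent_image": r"C:\Windows\System32\rundll32.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["index"], hit["image"], "; ".join(hit["reasons"]))
```

A browser started with only a debugging port from the user's normal profile and an interactive parent is not flagged, so developer use of DevTools does not trip the check on its own.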


Technical Details

Author: AlienVault
TLP: white
References: https://securelist.com/toddycat-apt-umbrij-tool-and-oauth/120251/
Adversary: ToddyCat
Pulse Id: 6a43aeed1ecda1a314aec59e
Threat Score: null

Indicators of Compromise

Domain: 2fuserinfo.email


Threat ID: 6a43cd7127e9c79719e718aa

Added to database: 06/30/2026, 14:06:41 UTC

Last enriched: 06/30/2026, 14:22:10 UTC

Last updated: 07/01/2026, 03:25:40 UTC

