MalwareUsed by 2 actors

Umbrij

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

ToddyCat

To acquire this token, the threat actors developed a tool called Umbrij and used it to connect to the browser’s management console in headless mode via a remote debugging port. Through a series of requests, they obtained an OAuth authorization code, which they subsequently exchanged for an access token to reach the target resources via the API.

via securelistsecurelist.com

APT ToddyCat

Чтобы получить этот токен, злоумышленники создали инструмент Umbrij и с его помощью подключались к консоли управления браузером в скрытом режиме (headless) через отладочный порт. Посредством нескольких запросов они получали код авторизации OAuth, который впоследствии обменивали на токен для доступа к целевым ресурсам через API.

via securelist rusecurelist.ru

MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

4 techniques

T1053Scheduled Task/JobEvidence1

на одном из пользовательских хостов выполнялась задача по расписанию KasperskyEndpointSecurityEDRAvp, которая запускала файл с цифровой подписью.

T1053.005Scheduled TaskEvidence1

a scheduled task, KasperskyEndpointSecurityEDRAvp, was running on a user host... the attackers were attempting to masquerade their malicious activity as a legitimate process.

T1059.007JavaScriptEvidence1

Инструмент использует JavaScript для эмуляции клика мышью по найденным элементам, что позволяет перейти на следующий шаг.

T1574.001DLLEvidence2

The signed file then used the DLL sideloading technique to load the malicious tool.

Persistence

2 techniques

T1053Scheduled Task/JobEvidence1

T1053.005Scheduled TaskEvidence1

a scheduled task, KasperskyEndpointSecurityEDRAvp, was running on a user host... the attackers were attempting to masquerade their malicious activity as a legitimate process.

Privilege Escalation

3 techniques

T1053Scheduled Task/JobEvidence1

T1053.005Scheduled TaskEvidence1

a scheduled task, KasperskyEndpointSecurityEDRAvp, was running on a user host... the attackers were attempting to masquerade their malicious activity as a legitimate process.

T1134.003Make and Impersonate TokenEvidence2

It searches the system for the explorer.exe process and duplicates its token, retaining all of its privileges (T1134.003 Access Token Manipulation: Make and Impersonate Token).

Stealth

4 techniques

T1027Obfuscated Files or InformationEvidence1

Сам инструмент представляет собой DLL-библиотеку, написанную на .NET и обфусцированную с помощью ConfuserEx

T1036MasqueradingEvidence1

Решения «Лаборатории Касперского» не создают запланированные задачи с таким именем — злоумышленники пытались замаскировать вредоносную активность под легитимный процесс.

T1134.003Make and Impersonate TokenEvidence2

It searches the system for the explorer.exe process and duplicates its token, retaining all of its privileges (T1134.003 Access Token Manipulation: Make and Impersonate Token).

T1574.001DLLEvidence2

The signed file then used the DLL sideloading technique to load the malicious tool.

Credential Access

2 techniques

T1539Steal Web Session CookieEvidence1

The browser process runs in headless mode while utilizing the copied user profile. Consequently, all active user cookies are applied, which means sites with saved credentials will skip authentication prompts.

T1649Steal or Forge Authentication CertificatesEvidence2

Through a series of requests, they obtained an OAuth authorization code, which they subsequently exchanged for an access token to reach the target resources via the API.

Lateral Movement

1 technique

T1021.007Cloud ServicesEvidence1

разработали новый инструмент для получения доступа к ресурсам облачного аккаунта жертвы посредством Google API.

Collection

3 techniques

T1005Data from Local SystemEvidence2

The tool copies the following user files and folders of each target user profile into these directories: IndexedDB ... Local Storage ... Network ... Login Data ... Preferences ... Web Data

T1119Automated CollectionEvidence1

С его помощью группа автоматизировала все этапы атаки, что позволило ей оставаться незамеченной средствами мониторинга.

T1185Browser Session HijackingEvidence1

Если пользователь не вышел из своей учетной записи Gmail, браузер будет хранить его сессию авторизации. Используя это, атакующие запускают браузер, подключаются через отладочный порт для управления и делают запрос к сервису Gmail на предоставление доступа к ресурсам учетной записи Google в рамках сохраненной пользовательской сессии.

Command and Control

1 technique

T1219Remote Access ToolsEvidence1

Далее браузеру передаются параметры ... --remote-debugging-port={2} ... --headless ... Далее инструмент подключается к отладочному порту с помощью библиотеки Puppeteer Sharp

Exfiltration

1 technique

T1567.001Exfiltration to Code RepositoryEvidence1

It also saves the retrieved authorization code to this log file, which the operator subsequently exfiltrates from the compromised host.

INDICATORS OF COMPROMISE

IOCs tracked for this family

7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Hashes

7 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

hash.md5●●●●●●●●●●●●View more in apptoday

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

securelist ruNews

Jun 30, 2026

Как APT-группа ToddyCat получает доступ к почте Gmail | Securelist

Инструмент APT ToddyCat для компрометации Gmail/Google account access через Chromium remote debugging. Он копирует профиль браузера жертвы, запускает Chrome/Edge в headless-режиме с remote-debugging-port, автоматизирует OAuth consent flow через Google API, извлекает OAuth authorization code и тем самым получает доступ к корпоративной почте и другим ресурсам Google через API.

securelistNews

May 13, 2021

How the ToddyCat APT group gains access to Gmail accounts | Securelist

A .NET tool used by ToddyCat to compromise Gmail/Google Workspace accounts by abusing Chromium remote debugging, copied browser profiles, and OAuth flows to steal authorization codes and obtain access tokens for Google APIs. It automates account selection and consent clicks, logs results, and supports DLL sideloading-based execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching7

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping15

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.