# ToddyCat and Umbrij: When OAuth Becomes the New Target of APT Campaigns

## Overview

The recent campaign recorded by the APT ToddyCat group targets businesses using the Google Workspace (Gmail) email service. By using a specialized tool called Umbrij, attackers do not try to crack passwords or bypass MFA in the traditional way. Instead, they take control of active Chromium login sessions on the workstation through the browser's debug protocol, thereby granting themselves OAuth permissions to the Google Workspace migration application.

The biggest risk of this form is persistence at the API level: after obtaining the OAuth token, the attacker can continuously read emails, download files on Drive and collect the victim's schedule even if they change their password or enable MFA. Traditional Endpoint monitoring (EDR) and Antivirus solutions often miss this behavior because the token request process is legitimate Chromium browsers (Chrome, Microsoft Edge) running under the user's own authority.

## About APT ToddyCat

### Who Is APT ToddyCat?

ToddyCat is not a new name in the world of threat intelligence. Since it was first announced by Kaspersky GReAT in mid-2022, this group has continuously put pressure on government agencies and military organizations in Asia and Eastern Europe through long-term, industrial-scale espionage campaigns. What makes ToddyCat a formidable opponent lies not in its simple technical sophistication, but in its ability to constantly change tactics to adapt to the technological shift of its targets — from physical Exchange servers to now Google's SaaS ecosystem.

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/ae980fd7-fe35-442d-8e50-e57c427377a6.png align="center")

### Identification and Attribution

| **Attribute** | **Details** |
| --- | --- |
| **Threat Group** | ToddyCat |
| **MITRE ATT&CK Group ID** | G1022 |
| **Known Aliases** | **Needs verification:** No widely accepted aliases from other security vendors have been confirmed. |
| **First Observed** | Active since at least **December 2020**, first identified targeting **Microsoft Exchange servers** in **Taiwan** and **Vietnam**. |
| **Sophistication** | **High** — Develops custom malware and offensive tooling with minimal reliance on publicly available or commodity malware. |
| **Suspected Affiliation** | Activities are consistent with the geopolitical interests of the **People's Republic of China**, according to multiple threat intelligence analyses. **(Assessment; attribution remains unconfirmed.)** |
| **Primary Motivation** | **Cyber Espionage** — Collection of strategic intelligence and long-term information gathering against targeted organizations. |

### Target Scope

ToddyCat prioritizes organizations with high intelligence value, especially in the following industries:

*   Government and Foreign Affairs — ministries, departments, ministerial-level branches; embassies and diplomatic missions
    
*   Defense and Military — commands, defense contractors, weapons research agencies
    
*   Telecommunications — mobile network operators, international fiber optic infrastructure providers
    
*   Finance and Energy — to a lesser extent, mainly in 2023 and beyond
    

In terms of geography, countries with confirmed or high reliability attacks include: Vietnam, Taiwan, Kazakhstan, Uzbekistan, Kyrgyzstan, India, Indonesia, Iran, and some Eastern European countries. Vietnam appeared right from the group's early stages, showing that this is one of ToddyCat's priority geographical focuses.

### Operation History

Phase 1 (December 2020 – February 2021) — Selective Exploration

ToddyCat began its operation by compromising a small number of Microsoft Exchange servers in Taiwan and Vietnam through an unknown vulnerability. At this stage, the team operates very carefully and selectively, avoiding leaving extensive traces.

Phase 2 (February 2021 – September 2021) — ProxyLogon Exploitation and Scaling

When Microsoft announced the ProxyLogon vulnerability chain in March 2021, ToddyCat quickly escalated its activities and exploited these vulnerabilities to compromise a series of organizations across Asia and Europe. This is the first time the group has revealed its true scale and ability to operate in parallel on multiple victims at the same time. The main tools at this stage are the China Chopper webshell and the Samurai Backdoor — a passive backdoor designed to receive commands over legitimate HTTP/HTTPS protocols.

Phase 3 (September 2021 – 2022) — Deployment of Ninja Trojan and Lateral Movement

From September 2021, the team began deploying Ninja Trojan - a more complex post-exploitation tool, supporting C2 multi-channel, running in-memory, capable of proxying traffic through many intermediary layers to hide the real infrastructure. Ninja Trojans are often distributed through ZIP files sent via Telegram, abusing legitimate messaging channels to avoid being blocked by corporate firewalls.

Phase 4 (2023 – 2025) — “Industrialized” Data Theft and Technical Escalation

This period marked a major strategic shift: instead of stopping at maintaining a presence in the internal network, ToddyCat focused strongly on collecting and exfiltrating huge volumes of data from the enterprise email system.

Phase 5 (2026 – Present) — Umbrij and Cloud API Attacks

The arrival of Umbrij is the next step in ToddyCat's technical escalation path. Instead of attacking a physical email server or reading email files directly from the drive, the group turned to abusing the official API interface of cloud services — a technique that is much harder to detect because all connection traffic goes through Google's legitimate HTTPS endpoints.

### Tools and Techniques

| **Tool** | **Purpose** | **Notable Techniques** |
| --- | --- | --- |
| **TCSectorCopy** | Extracts Microsoft Outlook **OST/PST** data even when the files are locked or in use. | Sector-by-sector disk reading, bypassing file locks. |
| **TomBerBil** | Collects browser cookies and credentials from multiple workstations within the environment. | Executed from a Domain Controller, SMB-based lateral collection. |
| **XstReader** | Reads email data directly from **.xst** files on disk without relying on Outlook. | File carving, raw disk access. |
| **TCESB** | Exploits **CVE-2024-11859** in the ESET Command Line Scanner to achieve privilege escalation or security bypass. | **BYOVD (Bring Your Own Vulnerable Driver)**. |
| **SharpTokenFinder / ProcDump** | Extracts Microsoft 365 OAuth tokens from the memory of running processes. | Process memory dumping, OAuth token harvesting. |

## Technical Analysis

### Chain Intrusion and DLL Side-loading Techniques

ToddyCat establishes a presence on the workstation through a chain of files distributed using spear-phishing or exploiting previous vulnerabilities. The attacker creates a Scheduled Task on the Windows operating system impersonating a security solution called KasperskyEndpointSecurityEDRAvp.

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/9effbdc6-51a1-4b08-bf44-21cc6935bc27.png align="center")

This Scheduled Task will execute a legitimate process that is digitally signed but is vulnerable to the DLL Side-loading mechanism. The analysis team noted 3 legitimate executable files were abused in this campaign including:

1.  BDSubWiz.exe (Submission Wizard component of Bitdefender ConnectAgent)
    
    ![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/2a071f2a-50de-4158-b44e-4c624a723898.png align="center")
    
2.  VSTestVideoRecorder.exe (Microsoft Visual Studio Experimental Video Recorder)
    
3.  GoogleDesktop.exe (Old Google Desktop Search app discontinued)
    

When one of these files is run, it automatically loads a rogue dynamic link library (DLL) placed in the same directory. This malicious DLL is the loader of Umbrij - a tool written on the .NET platform and thoroughly encrypted/obfuscated with ConfuserEx to hinder the decompilation and static analysis of antivirus solutions.

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/cb818b50-688e-4555-b280-9dc5d8095630.png align="center")

### Detailed Technical Analysis

When activated, Umbrij performs a sophisticated control process on the victim's machine to hijack browser access:

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/0f1fc220-6a65-457d-9220-4260d61f9ce0.png align="center")

#### Step 1: Steal Process Tokens and Collect Browser Profiles

*   Duplicate Process Token: To operate without arousing suspicion and fully inherit the victim's rights, Umbrij searches for the explorer.exe process of the currently logged in user. It clones the process's security token. Additionally, the malware supports the -user command line parameter to explicitly specify the target identity to impersonate.
    

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/c2e87b1b-d6c9-4489-9b61-e603e4024b89.png align="center")

*   Scan Profile information: The malicious code accesses the Local State file in the application data folder of Google Chrome or Microsoft Edge to list all user profiles. It searches for profiles whose user\_name field contains the email address format (a sign that the user is logged into a Google account).
    

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/b588437a-3fec-4e4c-bf62-3242d07bc95c.png align="center")

*   Backup Browser Data: To avoid locking files while the user's browser is open, Umbrij creates a temporary folder named BackupFiles at %LOCALAPPDATA%\\Google\\Chrome\\ or %LOCALAPPDATA%\\Microsoft\\Edge. Then, it copies all sensitive folders and files related to the target profile's session including: IndexedDB, Local Storage, Network, Login Data, Login Data For Account, Preferences, Secure Preferences, and Web Data. If any files are locked, the malware will trigger the force-copy process to force the copy.
    

#### Step 2: Launch Headless Chromium and Control with Puppeteer

*   Launch Headless Browser: Umbrij finds the Chrome or Edge installation path in the Program Files folder and launches the process in headless mode using data from the copied BackupFiles folder. The browser run command line includes parameters specifying the remote debugging port (--remote-debugging-port=).
    
*   Bypass 2FA/MFA Authentication: Because it runs with a profile copy containing the full session cookie of the active user, this hidden browser session automatically inherits the valid login status of the Google/Gmail account without needing to reactivate authentication steps such as password or OTP code sent to the phone.
    
*   Control via Chrome DevTools Protocol: Umbrij has a built-in Puppeteer library (or an equivalent library controlling Chrome DevTools Protocol) to connect directly to the debug port of a running headless session. From here, the malicious code has full authority to send commands to execute JavaScript code and interact with the website like a user manipulating the mouse and keyboard.
    

## Google Workspace API Abuse and Exfiltration

Once in control of the browser session, Umbrij took steps to abuse Google's API to establish permanent access:

*   Trusted Migration Application Client ID Abuse: The attacker does not register a new third-party application (which is easily detected and alerted by Google Security). Instead, they abuse Google's own legitimate Client IDs for data conversion tools, specifically:
    
    *   **Google Workspace Migration for Microsoft Outlook (GWMME)**
        
    *   **Google Workspace Sync for Microsoft Outlook (GWSMO)**
        

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/96d8cf40-6210-476f-8984-844b95b8339e.png align="center")

*   Sending an OAuth Authentication Request: Through Puppeteer, the malware controls the browser to navigate to Google's OAuth authentication URL: https://accounts.google.com/o/oauth2/v2/auth/identifier... In the parameters of this URL, the malware passes the Client ID of the Outlook migration tool mentioned above, along with extremely broad permission requests (scopes):
    
    *   Full permission to read, send and manage emails ([https://mail.google.com/](https://mail.google.com/))
        
    *   File access on Google Drive
        
    *   Permission to read and write contacts (Contacts), schedules (Calendars) and tasks (Tasks).
        

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/2f768645-d375-4d39-8227-ed66f9de8c7a.png align="center")

*   Simulate Consent Approval: When the OAuth authorization page is displayed, Umbrij injects JavaScript code to automatically click on the victim's Google account, then click the "Allow" button to confirm authorization for the migration application.
    
*   Extract Authorization Code: After clicking OK, Google will redirect the browser session to a local loopback address with the Authorization Code attached to the URL. Umbrij captures this redirect request, extracts the Authorization Code string and writes it directly to the malicious log file on the victim's machine.
    
*   Token Revocation: The log file containing the Authorization Code is then collected (exfiltrate) externally by the ToddyCat team through other C2 channels. At the attacker's server, this code string is sent to Google's server in exchange for OAuth Access Token and Refresh Token. From this point forward, an attacker can connect directly to the Google Workspace API from anywhere to download the victim's entire mailbox and data without further interaction with the workstation.
    

## Campaign Risk Summary

ToddyCat's Operation Umbrij was no ordinary attack. Its level of risk needs to be assessed across multiple dimensions: not just the technical capabilities of the malware, but also the defense blind spots that the technique exploits and the lingering business consequences even after the breach is discovered.

| **Risk Dimension** | **Severity** | **Rationale** |
| --- | --- | --- |
| **Detectability** | **Low** | Leverages legitimate browser processes (e.g., **chrome.exe**, **msedge.exe**) while C2 and OAuth communications are conducted over encrypted HTTPS connections to legitimate Google domains, making detection difficult. |
| **Data Impact** | **Critical** | Grants full access to Gmail, Google Drive, Calendar, and Contacts, potentially exposing the victim's entire business-related Google Workspace data. |
| **Persistence** | **Very High** | OAuth refresh tokens remain valid independently of the user's password and MFA status. Password resets alone do not revoke the attacker's access. |
| **Blast Radius** | **High** | A single compromised workstation can be leveraged to obtain OAuth tokens for multiple Google accounts configured within the same browser profile. |
| **Attacker Skill Requirement** | **High** | Requires advanced expertise in custom .NET malware development, Chrome DevTools Protocol (CDP), and the OAuth authorization workflow. |
| **Scalability** | **High** | Fully automated operation enables a single Umbrij deployment to process multiple browser profiles and Google accounts in parallel. |

## **IOC & Artifacts**

### **Host-based Indicators**

*   Suspicious Scheduled Task:
    
    *   Task name: KasperskyEndpointSecurityEDRAvp
        
    *   Execution Path: Points to folders containing abused legitimate binary files (BDSubWiz.exe, VSTestVideoRecorder.exe, GoogleDesktop.exe) located alongside malicious DLL files without digital signatures.
        
*   Profile backup folder path:
    
    *   `%LOCALAPPDATA%\Google\Chrome\BackupFiles\`
        
    *   `%LOCALAPPDATA%\Microsoft\Edge\BackupFiles\`
        
*   Umbrij log file output:
    
    *   Check the text log files generated in the user's temporary application folders containing activity schedules and collected OAuth code strings.
        

### **Network Indicators**

*   Process behavior:
    
    *   The headless chrome.exe or msedge.exe process contains the debug command line parameter: --remote-debugging-port=
        
    *   The browser process is launched from the explorer.exe mirror authority but has no user interface displayed on the desktop.
        

### **Malicious files**

*   1AB58838E5790EFB22F2D35AB98C0B7D
    
*   A7D7D6C4C3F227F7117261C63B9E23A9
    
*   3D3A621F852C42D97FD7260681E42508
    
*   3432DD9AC0DF80EF86EB80BD080F839B
    
*   22AAEB4946BA6D2F2E27FEB7DBB295DE
    
*   F61FBFB7AA1CD5DC8F70B055B51563E2
    
*   F169D6D172DFB775895A5E2B1540C854
    
*   9F5F2F0FB0A7F5AA9F16B9A7B6DAD89F
    
*   28CB7B261F4EB97E8A4B3B0D32F8DEF1
    
*   BAE82A15D1DBFB024617B9B56A8E5F66
    

## **MITRE ATT&CK Mapping**

| **Tactic** | **Technique ID** | **Technique Name** | **Observed Activity in the Campaign** |
| --- | --- | --- | --- |
| **Persistence / Privilege Escalation** | **T1053.005** | **Scheduled Task/Job: Scheduled Task** | Uses the **KasperskyEndpointSecurityEDRAvp** scheduled task to maintain persistence and automatically execute the Umbrij payload. |
| **Defense Evasion** | **T1574.002** | **Hijack Execution Flow: DLL Side-Loading** | Exploits legitimate binaries such as **Bitdefender**, **Visual Studio Test Video Recorder**, and **Google Desktop** to side-load the malicious Umbrij DLL. |
| **Defense Evasion** | **T1134** | **Access Token Manipulation** | Duplicates the security access token from **explorer.exe** to impersonate the logged-on user and execute under a legitimate security context. |
| **Credential Access** | **T1539** | **Steal Web Session Cookie** | Copies browser cookie and session storage files from Chrome/Edge into a local **BackupFiles** directory for later use. |
| **Credential Access / Defense Evasion** | **T1556.007** | **Modify Authentication Process: Hybrid Identity** | Abuses the OAuth 2.0 authorization flow to register a rogue third-party application and obtain persistent OAuth credentials ("Shadow Token") under the victim's identity. |
| **Collection** | **T1114.002** | **Email Collection: Office 365 / Google Workspace Mailbox** | Collects email directly from **Google Workspace** via the Google APIs using stolen OAuth access tokens. |

## Expert Comments

The Shadow Token via Remote Debug (STRD) technique applied by the ToddyCat team in this campaign reflects a dangerous trend in the world of cybersecurity: The incapacity of traditional MFA mechanisms against API-level attacks.

Attackers understand that businesses today have mostly implemented MFA on email. Therefore, instead of trying to bypass this protection from the outside, they redirect their attacks inside the system—where the login session has been successfully authenticated by the user. By using the debug protocol available on Chromium browsers (a feature designed for programmers), the attacker turns the legitimate browser on the victim's machine into a tool that makes permission requests.

Misusing the Client ID of Google's official migration tools (GWMME/GWSMO) is a very wise move. These tools inherently have huge default powers for data synchronization. Therefore, the fact that they request full permission to read Gmail or Drive will not cause Google's monitoring system to flag a warning like it does strange applications from unverified developers.

For organizations in Vietnam, especially businesses that are strongly moving their information technology infrastructure to Google Workspace, this is a big wake-up call. Information security no longer stops at applying a strong password policy or requiring OTP to be enabled. If an employee's workstation is compromised to a level that allows sideloading, all of that enterprise's cloud data will also be exposed through legitimate API connections that perimeter defenses cannot prevent.

## Recommendation

### Urgent (0-24h)

1.  Review associated application permissions (OAuth Grants): Require all users or Google Workspace administrators to scan and revoke permissions for the following applications if there is no need for actual use:
    
    *   *Google Workspace Migration for Microsoft Outlook*
        
    *   *Google Workspace Sync for Microsoft Outlook*
        
    *   Quick check link for individual users: myaccount.google.com/connections
        
2.  Check for unusual Scheduled Tasks: Use PowerShell or a system monitoring tool to scan and detect Scheduled Tasks whose names contain the phrase KasperskyEndpointSecurity but point to non-Kaspersky folders (for example, the user's Temp folder, Local AppData).
    

### Short term (1-7 days)

1.  Building detection rules on EDR/SIEM:
    
    *   Warn when a browser process (chrome.exe, msedge.exe) launches with the --remote-debugging-port parameter combined with the --headless parameter or points user data (--user-data-dir) to temporary paths such as BackupFiles.
        
    *   Monitor the behavior of mass copying sensitive browser configuration files from the User Data folder to other subfolders.
        
2.  Configure API policy on Google Workspace Console: Only allow pre-configured OAuth applications in the organization's Trustlist to connect to the system's API. Block employees' right to arbitrarily link third-party applications without administrator approval (Admin Approval).
    

### Long term

1.  Apply the Zero Trust model on Endpoint:
    
    *   Prevent the execution of files of unknown origin from temporary folders (AppData\\Local\\Temp, Downloads).
        
    *   Tightly control Scheduled Task registration and execution through group policy (GPO) or Endpoint Protection solution.
        
2.  Security awareness training: Enhance phishing drill campaigns to prevent employees from clicking and opening attachments containing malicious loader code to perform DLL side-loading behavior.
    

## Reference

[ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API](https://thehackernews.com/2026/07/toddycat-linked-umbrij-malware-abuses.html)

[How the ToddyCat APT group gains access to Gmail accounts | Securelist](https://securelist.com/toddycat-apt-umbrij-tool-and-oauth/120251/)

[ToddyCat’s Umbrij Malware Hijacks Gmail Access Using OAuth Tokens Instead of Passwords | SecureReading ToddyCat Umbrij Malware Uses OAuth to Compromise Gmail Accounts Through Google API](https://securereading.com/toddycat-umbrij-gmail-oauth-malware-google-api/)
