ToddyCat: your hidden email assistant. Part 2
B Securelist ·
Admiralty grading (A–F · 1–6)
Source reliability
- A Completely reliable
- B Usually reliable
- C Fairly reliable
- D Not usually reliable
- E Unreliable
- F Cannot be judged
Information credibility
- 1 Confirmed
- 2 Probably true
- 3 Possibly true
- 4 Doubtful
- 5 Improbable
- 6 Cannot be judged
NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.
Key insight
ToddyCat develops specialized tools (Umbrij) to bypass EPP/EDR solutions through OAuth token theft via remote debugging port , an advanced technique for silent email compromise.
Description
The ToddyCat APT group deploys a newly developed malware called Umbrij to gain access to Gmail accounts via the Google API. The attack exploits a technique called Shadow Token via Remote Debug (STRD), which abuses the browser debugging port to exfiltrate OAuth authorization codes and exchange them for access tokens. After successfully obtaining tokens, attackers can read email resources via the API while evading detection by standard EPP/EDR solutions. The campaign systematically targets corporate mailboxes and automates all attack stages to remain undetected long-term.
Risk score
- strategic relevance
- 0.80
- consensus penalty
- -5.00
Path: strategic
Consensus check
The pipeline self-checks before delivery. These rules lowered the score:
-
VENDOR_MISMATCHVendor not found in alert title −5
- Consensus penalty:
- −5.0
- Total penalty:
- −5.0