Skip to content
Auto-CTI
Back to today
NEW ToddyCat CRITICAL B3

ToddyCat: your hidden email assistant. Part 2

B Securelist ·

Admiralty grading (A–F · 1–6)

Source reliability

  • A Completely reliable
  • B Usually reliable
  • C Fairly reliable
  • D Not usually reliable
  • E Unreliable
  • F Cannot be judged

Information credibility

  • 1 Confirmed
  • 2 Probably true
  • 3 Possibly true
  • 4 Doubtful
  • 5 Improbable
  • 6 Cannot be judged

NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.

Key insight

ToddyCat develops specialized tools (Umbrij) to bypass EPP/EDR solutions through OAuth token theft via remote debugging port , an advanced technique for silent email compromise.

Description

The ToddyCat APT group deploys a newly developed malware called Umbrij to gain access to Gmail accounts via the Google API. The attack exploits a technique called Shadow Token via Remote Debug (STRD), which abuses the browser debugging port to exfiltrate OAuth authorization codes and exchange them for access tokens. After successfully obtaining tokens, attackers can read email resources via the API while evading detection by standard EPP/EDR solutions. The campaign systematically targets corporate mailboxes and automates all attack stages to remain undetected long-term.

Risk score

75
strategic relevance
0.80
consensus penalty
-5.00

Path: strategic

Consensus check

The pipeline self-checks before delivery. These rules lowered the score:

  • VENDOR_MISMATCH Vendor not found in alert title −5
Consensus penalty:
−5.0
Total penalty:
−5.0
ESC