216.73.216.128

How access to Gmail accounts is gained

· Published 30/06/2026 13:56

Export JSON

Essential information

Published
30/06/2026 13:56
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
chromium exploitation corporate espionage dll sideloading gmail compromise oauth token theft remote debugging toddycat tomberbil umbrij
Related entities
1 indicators, 1 observables, 1 intrusion sets (apt), 19 techniques (mitre), 2 malware

Description

The APT group developed a sophisticated tool called Umbrij to compromise Gmail corporate accounts through . The malware exploits Chromium-based browsers by launching them in headless mode with remote debugging enabled, utilizing the Shadow Token via Remote Debug (STRD) technique. Umbrij automates the entire attack chain: it copies user profiles, launches browsers with debugging ports, connects via Puppeteer Sharp library, and manipulates OAuth flows by impersonating legitimate Google Workspace migration tools. The tool specifically targets client IDs for Google Workspace Migration for Microsoft Outlook and Google Workspace Sync applications, requesting extensive permissions for email, calendar, drive, and contacts. deploys Umbrij through techniques using signed files from Bitdefender, Visual Studio, and Google Desktop Search. This automated approach enables scalable compromise of organizational email communications while evading traditional security monito...

External references