How access to Gmail accounts is gained
Essential information
- Published
- 30/06/2026 13:56
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- chromium exploitation corporate espionage dll sideloading gmail compromise oauth token theft remote debugging toddycat tomberbil umbrij
- Related entities
- 1 indicators, 1 observables, 1 intrusion sets (apt), 19 techniques (mitre), 2 malware
Description
The ToddyCat APT group developed a sophisticated tool called Umbrij to compromise Gmail corporate accounts through OAuth token theft. The malware exploits Chromium-based browsers by launching them in headless mode with remote debugging enabled, utilizing the Shadow Token via Remote Debug (STRD) technique. Umbrij automates the entire attack chain: it copies user profiles, launches browsers with debugging ports, connects via Puppeteer Sharp library, and manipulates OAuth flows by impersonating legitimate Google Workspace migration tools. The tool specifically targets client IDs for Google Workspace Migration for Microsoft Outlook and Google Workspace Sync applications, requesting extensive permissions for email, calendar, drive, and contacts. ToddyCat deploys Umbrij through DLL sideloading techniques using signed files from Bitdefender, Visual Studio, and Google Desktop Search. This automated approach enables scalable compromise of organizational email communications while evading traditional security monito...