Kaspersky Lab has identified a new method used by the ToddyCat group to compromise corporate Gmail accounts. The attack utilizes a toolkit called Umbrij, which exploits APIs to access user data (emails, calendars, etc.) without the need for login credentials. Attackers gain access through Chromium-based browsers by exploiting saved login sessions. Researchers named this technique Shadow Token via Remote Debug (STRD).
The researchers emphasize the importance of monitoring unusual activity and suggest auditing third-party applications to mitigate the risk. Kaspersky Lab highlights the evolving capabilities of the ToddyCat group and stresses that email remains a primary target for attackers.
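As an added defender-side example (not code from Kaspersky's report or from the article above), the following Python scans process-creation records for Chromium-family browsers started with Chromium's DevTools remote-debugging switches (`--remote-debugging-port`, `--remote-debugging-pipe`, `--remote-debugging-address`, all real flags). It assumes, since the article does not spell it out, that the "Remote Debug" in STRD refers to that interface. The log format, browser executable names, user names, paths and timestamps are constructed for the example; the `headless` severity bump is a design choice, not something the article states.

```python
import re
from dataclasses import dataclass

# Executable names of common Chromium-based browsers (assumption: Windows file names).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                     "vivaldi.exe", "chromium.exe"}

# Real Chromium switches that expose the DevTools protocol to a local client.
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(?:port|pipe|address)(?:=\S+)?", re.I)
# Real Chromium switch; combined with remote debugging there is no visible window.
HEADLESS_RE = re.compile(r"--headless(?:=\S+)?", re.I)


@dataclass
class Finding:
    timestamp: str
    user: str
    parent: str      # file name of the parent process
    flags: list      # the debugging/headless switches seen on the command line
    severity: str    # "high" when headless, otherwise "medium"


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def inspect_event(ev: dict):
    """Return a Finding if a Chromium browser was started with remote debugging enabled."""
    image = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_BROWSERS:
        return None
    cmd = ev.get("CommandLine", "")
    flags = REMOTE_DEBUG_RE.findall(cmd)
    if not flags:
        return None
    headless = HEADLESS_RE.findall(cmd)
    parent = ev.get("ParentImage", "?").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return Finding(ev.get("UtcTime", "?"), ev.get("User", "?"), parent,
                   flags + headless, "high" if headless else "medium")


def scan_log(text: str) -> list:
    """Run inspect_event over every non-empty record and collect the findings."""
    events = (parse_event(line) for line in text.splitlines() if line.strip())
    return [f for f in (inspect_event(ev) for ev in events) if f]


# Constructed sample records: one normal launch, one headless remote-debug launch from
# a shell against the user's real profile, one developer-tool launch, one non-browser.
SAMPLE_LOG = """\
UtcTime=2025-09-30 08:12:01|User=CORP\\alice|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|CommandLine="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default
UtcTime=2025-09-30 08:14:37|User=CORP\\alice|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|CommandLine="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --headless=new --remote-debugging-port=9222 --user-data-dir="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data"
UtcTime=2025-09-30 09:02:10|User=CORP\\bob|ParentImage=C:\\Users\\bob\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe|Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|CommandLine="C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --remote-debugging-port=9229
UtcTime=2025-09-30 09:05:44|User=CORP\\bob|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.user} parent={f.parent} flags={f.flags}")
```

The second and third records both produce findings; the developer launch from Code.exe shows why a rule like this needs local tuning (an allowlist of parent processes, or correlation with whether the user-data-dir points at a real profile) before it is alert-worthy rather than just a hunting query.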