securityonline.info 7/3/2026, 8:13:08 AM · external

ToddyCat APT hijacks corporate Gmail via Umbrij OAuth theft


Security analysts have identified the ToddyCat APT group using the Umbrij tool to hijack corporate Gmail accounts, bypassing standard security measures through OAuth token theft. The malware runs in headless mode to gain unauthorized access to enterprise networks. Key actions include exploiting DLL sideloading to run silently, using the Google API to request extensive permissions while mimicking legitimate applications, and maintaining ongoing access to sensitive information.

Researchers warn that the impact on compromised organizations can be severe, with advice for security teams to monitor for unusual activities and audit OAuth applications.
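One way to act on the "audit OAuth applications" advice, as an added example that is not part of the article or the researchers' material: a small check over OAuth grant events that flags unapproved apps obtaining broad Gmail scopes, and separately flags an app that reuses an approved app's display name under a different client ID (the "mimicking legitimate applications" case). The event field names are an assumption loosely modelled on Google Workspace token audit-log "authorize" entries, and the sample events are constructed.

```python
# Audit OAuth grants for apps that obtain broad Gmail access. Added example,
# not from the article; event shape is an assumption loosely modelled on
# Google Workspace token audit-log "authorize" entries; samples are constructed.

# Scopes that let an app read or change a user's mailbox (assumption: a starter list).
BROAD_GMAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
# Apps the organisation has reviewed: OAuth client_id -> display name.
APPROVED_APPS = {"1234.apps.googleusercontent.com": "Corp Mail Archiver"}


def audit_grants(events):
    """One finding per grant of a broad Gmail scope to an unapproved client.
    A client reusing an approved app's display name under a different
    client_id is flagged as a lookalike (the 'mimics a legitimate app' case)."""
    approved_names = set(APPROVED_APPS.values())
    findings = []
    for ev in events:
        if ev.get("event_name") != "authorize":
            continue  # revocations and other token events are not grants
        broad = sorted(set(ev.get("scope", [])) & BROAD_GMAIL_SCOPES)
        if not broad or ev.get("client_id") in APPROVED_APPS:
            continue
        reason = ("lookalike_name" if ev.get("app_name") in approved_names
                  else "unapproved_app")
        findings.append({"user": ev["actor"], "app_name": ev["app_name"],
                         "client_id": ev["client_id"], "scopes": broad,
                         "reason": reason})
    return findings


# Constructed samples: approved grant, lookalike, unapproved app, revocation.
SAMPLE_EVENTS = [
    {"event_name": "authorize", "actor": "alice@example.com",
     "app_name": "Corp Mail Archiver", "client_id": "1234.apps.googleusercontent.com",
     "scope": ["https://mail.google.com/"]},
    {"event_name": "authorize", "actor": "bob@example.com",
     "app_name": "Corp Mail Archiver", "client_id": "9999.apps.googleusercontent.com",
     "scope": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"event_name": "authorize", "actor": "carol@example.com",
     "app_name": "Calendar Helper", "client_id": "5555.apps.googleusercontent.com",
     "scope": ["https://www.googleapis.com/auth/gmail.modify",
               "https://www.googleapis.com/auth/calendar.readonly"]},
    {"event_name": "revoke", "actor": "dave@example.com", "app_name": "Any",
     "client_id": "7777.apps.googleusercontent.com", "scope": ["https://mail.google.com/"]},
]
```

Running `audit_grants(SAMPLE_EVENTS)` yields two findings: the lookalike grant to bob and the unapproved app granted to carol; the approved archiver and the revocation are ignored.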


Article by CyberSIXT
