ToddyCat APT uses Umbrij malware to hijack corporate Gmail via OAuth

Open incident, Jun 30, 2026 to Jul 3, 2026
ToddyCat APT has been observed using a new tool, Umbrij, to steal OAuth tokens and take over corporate Gmail accounts, according to researchers. The campaign began on 30 June 2026 and was still active as of 3 July 2026, targeting enterprises worldwide.

Umbrij is brought in via DLL sideloading and launches a Chromium-based browser in headless mode, so the browser runs without a visible window, as detailed in recent analysis. It then applies a technique the researchers label Shadow Token via Remote Debug (STRD): the name refers to Chromium's remote debugging interface, through which the hidden browser is driven to request OAuth tokens from Google's API while presenting itself as a legitimate application, obtaining broad permissions.

The tokens carry Google API scopes that allow the malware to read, send and delete mail, and can also reach Drive and Calendar data, according to the threat intelligence report. Because the malware issues legitimate API calls with a valid token, the resulting traffic looks like ordinary client activity, which researchers note makes detection difficult.
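The practical counterpart to the scope list above is an audit of which grants in the tenant already carry those scopes. The following is an added example, not tooling from the report or from the researchers: it scores OAuth grant records for the Gmail, Drive and Calendar scopes named here and lists the grants to revoke. The records use the field names of the Google Admin SDK Directory API `tokens` resource (userKey, clientId, displayText, scopes, nativeApp, anonymous), which is where a real tenant would pull them from; the sample records, the client IDs and the allowlist are constructed placeholders.

```python
"""Audit Google Workspace OAuth grants for the scopes the report ties to Umbrij
(mail read/send/delete, Drive, Calendar) and list the grants to revoke.

Added example, not part of the report. Records use the field names of the Admin
SDK Directory API `tokens` resource (userKey, clientId, displayText, scopes,
nativeApp, anonymous); the sample records and client IDs below are constructed,
and the allowlist is a placeholder the tenant owner fills in after review."""
from typing import Iterable, Optional

# Scopes that hand a third party the access the report describes.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail, including moving it to trash",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/calendar": "full Calendar access",
}

# Placeholder allowlist of client IDs the organisation has reviewed (constructed value).
KNOWN_CLIENT_IDS = {"100000000001-archiver.apps.googleusercontent.com"}
UNKNOWN_CLIENT = "client ID not on the reviewed allowlist"


def assess_grant(token: dict, allowlist: set) -> Optional[dict]:
    """One finding per grant that carries a high-risk scope; None for low-privilege grants."""
    reasons = [f"scope {s}: {HIGH_RISK_SCOPES[s]}"
               for s in token.get("scopes", []) if s in HIGH_RISK_SCOPES]
    if not reasons:
        return None  # openid/email/profile style grants are not the concern here
    if token.get("clientId") not in allowlist:
        reasons.append(UNKNOWN_CLIENT)
    if token.get("nativeApp"):
        reasons.append("issued to an installed (native) application; a desktop agent looks like this")
    if token.get("anonymous"):
        reasons.append("anonymous client ID: application not registered with Google")
    return {"user": token["userKey"], "app": token.get("displayText", "?"),
            "clientId": token.get("clientId"), "reasons": reasons}


def audit_grants(tokens: Iterable[dict], allowlist: set = KNOWN_CLIENT_IDS) -> list:
    """Findings sorted so the grant with the most problems comes first."""
    findings = [f for f in (assess_grant(t, allowlist) for t in tokens) if f]
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


def revocation_targets(findings: Iterable[dict]) -> list:
    """(userKey, clientId) pairs for grants to unknown clients: the two arguments
    Admin SDK tokens.delete takes. Approved apps with broad scopes are reported but kept."""
    return [(f["user"], f["clientId"]) for f in findings if UNKNOWN_CLIENT in f["reasons"]]


# Constructed sample grants: one low-privilege app, one approved full-mailbox app,
# one unknown native app with the exact scope mix from the report, one anonymous client.
SAMPLE_TOKENS = [
    {"userKey": "bob@example.com", "clientId": "100000000002-chat.apps.googleusercontent.com",
     "displayText": "Team Chat", "nativeApp": False, "anonymous": False,
     "scopes": ["openid", "email", "profile"]},
    {"userKey": "carol@example.com", "clientId": "100000000001-archiver.apps.googleusercontent.com",
     "displayText": "Mail Archiver", "nativeApp": False, "anonymous": False,
     "scopes": ["https://mail.google.com/"]},
    {"userKey": "alice@example.com", "clientId": "100000000003-sync.apps.googleusercontent.com",
     "displayText": "Mail Sync Helper", "nativeApp": True, "anonymous": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/calendar"]},
    {"userKey": "dave@example.com", "clientId": "100000000004-tool.apps.googleusercontent.com",
     "displayText": "Calendar Tool", "nativeApp": False, "anonymous": True,
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
]

if __name__ == "__main__":
    results = audit_grants(SAMPLE_TOKENS)
    for f in results:
        print(f["user"], f["app"])
        for r in f["reasons"]:
            print("   ", r)
    print("revoke:", revocation_targets(results))
```

The allowlist matters more than the scope list: a reviewed mail archiver legitimately holds `https://mail.google.com/`, so the audit reports it but does not queue it for revocation, while an unreviewed native client with the same scope does get queued. Keeping the two decisions separate avoids both blanket revocations that break approved integrations and the opposite failure of trusting anything with a friendly display name.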

The activity has been linked to the ToddyCat APT group, which has previously conducted cyber espionage campaigns against government and private sector targets. No public CVE has been assigned, since the behaviour relies on abuse of trusted interfaces rather than on a software vulnerability.

Security teams should monitor endpoints for unusual DLL load events and for Chromium instances started in headless mode or with a remote debugging endpoint, since neither is something an interactive user does. Auditing the OAuth applications authorised in Google Workspace and revoking any unknown or overly permissive grants is essential.
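The endpoint side of that guidance reduces to two telemetry checks, shown here as an added example that is not tooling from the report or the researchers: a Chromium-family process whose command line combines a headless flag with a remote debugging endpoint (or that was launched by an unexpected parent), and a Windows system DLL name loaded from outside the system directories, which is the DLL sideloading pattern. Field names follow Sysmon (EventID 1 process creation: Image, CommandLine, ParentImage; EventID 7 image load: Image, ImageLoaded, Signed); the sample events and the paths in them are constructed.

```python
"""Hunt for the two endpoint signals in the write-up: a Chromium browser started
headless with a remote debugging endpoint, and a Windows system DLL name loaded
from outside the system directories (the DLL sideloading pattern).

Added example, not tooling from the report. Events use Sysmon field names
(EventID 1 process creation: Image, CommandLine, ParentImage; EventID 7 image
load: Image, ImageLoaded, Signed) but the sample events are constructed."""
import re
from pathlib import PureWindowsPath

CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Automation flags no user types: --headless, --headless=new,
# --remote-debugging-port=N, --remote-debugging-pipe.
HEADLESS_RE = re.compile(r"--headless(=\w+)?\b", re.IGNORECASE)
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(port|pipe)\b", re.IGNORECASE)
# Parents that legitimately start a browser: the shell, or the browser itself spawning children.
EXPECTED_PARENTS = {"explorer.exe", "userinit.exe"} | CHROMIUM_IMAGES
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Frequently hijacked Windows DLL names; one of these loaded from a user-writable path is suspect.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll", "profapi.dll"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_process_create(ev: dict) -> list:
    """Reasons a Sysmon EventID 1 record looks like hidden-browser abuse; empty if benign."""
    reasons = []
    if _name(ev["Image"]) not in CHROMIUM_IMAGES:
        return reasons
    cmd = ev.get("CommandLine", "")
    headless = HEADLESS_RE.search(cmd) is not None
    remote = REMOTE_DEBUG_RE.search(cmd) is not None
    if headless and remote:
        reasons.append("chromium started headless with a remote debugging endpoint")
    elif remote:
        reasons.append("chromium exposes a remote debugging endpoint")
    elif headless:
        reasons.append("chromium started headless")
    parent = _name(ev.get("ParentImage", ""))
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"chromium launched by unexpected parent {parent}")
    return reasons


def check_image_load(ev: dict) -> list:
    """Reasons a Sysmon EventID 7 record looks like DLL sideloading; empty if benign."""
    reasons = []
    loaded = ev["ImageLoaded"]
    if _name(loaded) in SYSTEM_DLL_NAMES and not loaded.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"system DLL name {_name(loaded)} loaded from {PureWindowsPath(loaded).parent}")
        if str(ev.get("Signed", "true")).lower() == "false":
            reasons.append("loaded DLL is unsigned")
    return reasons


def hunt(events: list) -> list:
    """Run the check matching each event type; one alert per event that tripped a reason."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            reasons = check_process_create(ev)
        elif ev["EventID"] == 7:
            reasons = check_image_load(ev)
        else:
            reasons = []
        if reasons:
            alerts.append({"EventID": ev["EventID"], "Image": ev["Image"], "reasons": reasons})
    return alerts


# Constructed sample telemetry: a normal browser start, a normal DLL load from
# System32, a hidden browser started from a Temp directory, and a sideloaded DLL.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\upd\chrome.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\upd\chrome.exe" --headless=new '
                    r'--remote-debugging-port=9222 --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\upd\updater.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\upd\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\upd\version.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["EventID"], alert["Image"])
        for r in alert["reasons"]:
            print("   ", r)
```

Headless alone is noisy (test automation and some installers use it), and a remote debugging port alone is what a developer running DevTools remotely looks like; the combination, started from a non-shell parent under a user-writable path, is the signal worth paging on. The `--user-data-dir` pointing at the victim's real profile in the sample is deliberate: reusing the logged-in profile is how a hidden browser inherits the Google session it needs to ask for tokens.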

Disabling developer tools and remote debugging through managed browser policy raises the bar for the STRD technique, with the caveat that only a policy-managed browser honours those settings; a Chromium binary that the malware itself drops and launches would not, so the endpoint controls above remain the primary defence. Encouraging users to sign out of Google accounts when not in use shortens the window in which an authenticated browser session can be borrowed. Continuous monitoring of login locations and app activity helps spot anomalous access early.

Intelligence briefing updated Jul 3, 2026
