ToddyCat APT’s Umbrij Tool Reads Corporate Gmail via OAuth Silently

Kaspersky has attributed Umbrij, a .NET tool that silently reads corporate Gmail via OAuth without triggering login alerts or standard security notifications, to the ToddyCat APT group.

Kaspersky disclosed Umbrij, a .NET-based tool attributed to the ToddyCat APT group that silently accesses corporate Gmail accounts through Google’s OAuth 2.0 authorization flow, reading organizational email correspondence without triggering login notifications or standard account security alerts. The tool was uncovered during a Kaspersky threat hunting operation and represents a new addition to ToddyCat’s documented toolkit for targeting government and military organizations.

Umbrij’s Attack Chain: From Fake Kaspersky Scheduled Task to Gmail API Access

ToddyCat deploys Umbrij through a scheduled task on the victim’s machine that impersonates Kaspersky security software — a detail that suggests deliberate selection of a trusted brand name to reduce suspicion during persistence. The scheduled task uses DLL side-loading to execute the malicious .NET payload, a technique that launches the attacker’s code within a process that carries the appearance of legitimate software.

Once active, Umbrij connects to the victim’s web browser in headless mode via a remote debugging port. Headless browser debugging is a standard developer feature in modern browsers, enabling automated testing and scripting of browser sessions without displaying a window to the user. Umbrij repurposes this capability to issue API calls through the victim’s authenticated browser session rather than through separate attacker-controlled credentials.

How Umbrij Extracts an OAuth Token from the Victim’s Own Browser Session

Using the headless debugging connection, Umbrij initiates Google’s OAuth 2.0 authorization flow within the browser session, where the victim is already logged into their Google account. It obtains an authorization code from Google’s OAuth endpoint, then exchanges that code for an access token. With the access token in hand, Umbrij queries the Gmail API to read the victim’s email correspondence, using a request pattern that is structurally identical to a legitimate third-party application accessing Gmail through an authorized OAuth grant.

Three variants of Umbrij were recovered, showing progressive development across iterations. The earliest variant performs basic email access. Later variants add helper functions for debugging, the ability to enumerate multiple browser profiles on the same machine to identify the correct account, and selective targeting logic to focus on specific email accounts rather than accessing every profile present on the system. The progression from basic to selective targeting indicates active refinement aimed at reducing noise and improving operational precision.

Why Umbrij’s OAuth Method Bypasses Standard Email Security Monitoring

The attack’s core evasion value lies in what it does not do. Traditional email account compromise involves stolen passwords, phishing credentials, or session hijacking — all of which can trigger authentication alerts, impossible travel detections, or failed login alarms. Umbrij generates none of those signals.

No password is stolen or transmitted. No login attempt occurs from an unfamiliar IP address. Google’s security notification system does not fire because the access uses an OAuth token granted within the victim’s own authenticated browser session, from the victim’s own machine. From Google’s perspective, an authorized application is accessing the Gmail API using a valid token derived from a session that originated on the victim’s device.

ToddyCat’s Documented Focus on Government and Military Email Intelligence

ToddyCat is a Chinese-linked advanced persistent threat that Kaspersky has documented targeting government and military organizations in Europe and Asia. The group’s operational objectives center on intelligence collection from organizations involved in defense, government administration, and related sectors.

Umbrij fits that pattern directly. Corporate email access without triggering detection allows ToddyCat operators to read organizational correspondence over an extended period — collecting intelligence on personnel, policy discussions, planned actions, and inter-agency communications without the target organization’s security team receiving any alert that their email is being read. The absence of detectable signals means an Umbrij-enabled intrusion can persist for months without triggering a response.

Audit Actions for Organizations Using Gmail for Corporate Communications

The Umbrij disclosure highlights a detection gap in standard email security tooling. Organizations that have deployed Microsoft Defender, Google Workspace security monitoring, or third-party email security gateways may have no visibility into OAuth token grants made through the victim’s own browser session on the victim’s own machine.

Kaspersky recommends that organizations using Gmail for corporate communications audit OAuth application grants across their domain — specifically reviewing any grants made to unrecognized or unregistered applications, which could represent Umbrij’s OAuth token exchange. Security teams should also monitor endpoint logs for the creation of scheduled tasks impersonating security software vendor names and for unusual headless browser process creation events that occur outside expected developer or automation workflows. Any scheduled task found side-loading a DLL while impersonating a security product should be investigated as a potential Umbrij deployment.
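The two endpoint signals named in that guidance (a scheduled task carrying a security vendor's name but acting from a user-writable path, and a browser started with a remote debugging port by something other than known automation tooling) can be expressed as simple rules over process-creation and task-creation telemetry. The sketch below is an added example, not Kaspersky's code or any detection from the report: the event dict shape, field names, sample events and the allow-list of automation parents are all constructed assumptions, while `--headless` and `--remote-debugging-port` are Chromium's own command-line switches.

```python
# Added detection sketch (not Kaspersky's code); event shape and field names are assumed.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
VENDOR_WORDS = ("kaspersky", "defender", "sophos", "crowdstrike", "eset")
# Parents from which remote-debugging browser launches are expected (assumed; tune per site).
ALLOWED_DEBUG_PARENTS = {"chromedriver.exe", "node.exe", "python.exe"}
# A genuine vendor task should never run its action from a user-writable location.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_browser_debug(ev):
    """Browser started with a remote debugging port by a non-automation parent."""
    if ev.get("type") != "process_create":
        return None
    image, cmd = _basename(ev["image"]), ev.get("cmdline", "").lower()
    if image not in BROWSERS or "--remote-debugging-port" not in cmd:
        return None
    parent = _basename(ev.get("parent_image", ""))
    if parent in ALLOWED_DEBUG_PARENTS:
        return None
    mode = "headless" if "--headless" in cmd else "visible"
    return f"{image} started {mode} with remote debugging by {parent}"

def flag_fake_vendor_task(ev):
    """Scheduled task named after a security vendor but acting from a user-writable path."""
    if ev.get("type") != "task_create":
        return None
    name, action = ev["task_name"].lower(), ev.get("action", "").lower()
    vendor = next((v for v in VENDOR_WORDS if v in name), None)
    if vendor is None or not action.startswith(USER_WRITABLE):
        return None
    return f"task '{ev['task_name']}' names {vendor} but runs {ev['action']}"

def scan(events):
    """Apply both rules to every event; returns the alert strings in event order."""
    rules = (flag_browser_debug, flag_fake_vendor_task)
    return [msg for ev in events for rule in rules if (msg := rule(ev))]

SAMPLE_EVENTS = [  # constructed telemetry, not from the Kaspersky report
    {"type": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --headless --remote-debugging-port=9222",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"type": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9515", "parent_image": r"C:\tools\chromedriver.exe"},
    {"type": "task_create", "task_name": "Kaspersky Update Check", "action": r"C:\ProgramData\Cache\ksupd.exe"},
    {"type": "task_create", "task_name": "Kaspersky Lab Updater",
     "action": r"C:\Program Files (x86)\Kaspersky Lab\updater.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: the browser launched with remote debugging from a Temp-directory parent, and the vendor-named task acting from ProgramData; the chromedriver launch and the task in the vendor's own install path are left alone.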
