Published on July 3, 2026

ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API


Severity

Medium

Detail

Researchers have identified a new malware called Umbrij, used by the advanced persistent threat (APT) group ToddyCat to compromise corporate Gmail accounts through Google's OAuth API. Rather than stealing passwords, the malware drives the victim's already authenticated browser session through an OAuth consent flow and captures the resulting authorization code; the attackers later exchange that code for OAuth tokens, which give them API access to email and other Google Workspace resources without ever needing the user's credentials.

The campaign highlights a sophisticated approach to email compromise by leveraging legitimate browser functionality and Google APIs.

How?

The attack begins after ToddyCat gains access to a Windows system and executes Umbrij through DLL sideloading using legitimate signed applications, including components from Bitdefender, Microsoft Visual Studio, or the discontinued Google Desktop application. The malware is launched via a scheduled task disguised as legitimate security software to reduce suspicion.

Once executed, Umbrij duplicates the logged-in user's Windows security token so that it operates in that user's context, then locates Chrome or Microsoft Edge user profiles. It copies the profile data, including cookies, authentication state, and configuration files, into a temporary directory and launches the browser in headless mode against the copied profile, so the session cookies stay valid while no browser window is shown to the user.

Umbrij then attaches to the headless browser through its remote debugging port (the Chrome DevTools Protocol) using Puppeteer. Because the copied profile carries the victim's authenticated Gmail session, it can open an OAuth authorization request, automatically select the signed-in Google account, approve the requested permissions, and capture the authorization code returned at the end of the flow.

The stolen authorization code is later exchanged for an OAuth access token, which lets the attackers reach Gmail and other Google Workspace services, including Google Drive, Contacts, Calendar, and Tasks, through Google's APIs without the victim's password. Throughout the process, Umbrij writes detailed execution logs and stores the captured authorization code for later exfiltration.
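The sequence above leaves a host-side trace: a Chrome or Edge process started headless, with a remote debugging port open, using a profile directory under a temporary path, from a parent that is not the usual interactive launcher. The following is an added detection example written for this page, not code from the researchers or from the malware, that scores constructed Sysmon-style process-creation records on those four signals. The record shape, the parent path in the third record, the weights and the threshold are assumptions to be tuned against your own telemetry.

```python
import re

# Browsers the advisory names as targets, and the parents that normally launch them interactively.
BROWSERS = {"chrome.exe", "msedge.exe"}
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe"}

HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S*)?(?=\s|$)", re.I)
DEBUG_RE = re.compile(r"(?:^|\s)--remote-debugging-(?:port=(\d+)|pipe)", re.I)
USER_DATA_RE = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.I)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)

# Constructed records in a Sysmon Event ID 1 shape (Image, ParentImage, CommandLine, User).
# They are illustrative only; the parent path in the third record is hypothetical.
SAMPLE_EVENTS = [
    {   # ordinary interactive launch
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
        "User": r"CORP\alice",
    },
    {   # headless browser test run by a developer tool: noisy, but the profile is not a temp copy
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Program Files\nodejs\node.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=0 --user-data-dir=C:\dev\webapp\.cache\browser-profile',
        "User": r"CORP\alice",
    },
    {   # the pattern described above: headless, debug port open, copied profile under Temp, odd parent
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\svc\updater.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --remote-debugging-port=9222 --no-first-run --user-data-dir="C:\Users\alice\AppData\Local\Temp\tmp3a9c"',
        "User": r"CORP\alice",
    },
]


def _leaf(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev):
    """Return (score, reasons) for one process-creation record, or None if it is not a browser."""
    if _leaf(ev["Image"]) not in BROWSERS:
        return None
    cmd = ev["CommandLine"]
    score, reasons = 0, []
    if HEADLESS_RE.search(cmd):
        score += 1
        reasons.append("headless mode")
    m = DEBUG_RE.search(cmd)
    if m:
        score += 2  # a debugging endpoint is what Puppeteer attaches to
        reasons.append(f"remote-debugging-port={m.group(1)}" if m.group(1) else "remote-debugging-pipe")
    m = USER_DATA_RE.search(cmd)
    if m:
        profile = m.group(1) or m.group(2)
        if TEMP_DIR_RE.search(profile):
            score += 3  # a profile copied under Temp is the strongest signal in this campaign
            reasons.append(f"profile under temp dir: {profile}")
    parent = _leaf(ev["ParentImage"])
    if parent not in EXPECTED_PARENTS:
        score += 1
        reasons.append(f"unusual parent: {parent}")
    return score, reasons


def triage_events(events, threshold=5):
    """Apply triage_event to a batch and keep records at or above the (assumed) threshold."""
    findings = []
    for ev in events:
        result = triage_event(ev)
        if result and result[0] >= threshold:
            findings.append({"user": ev["User"], "image": ev["Image"],
                             "score": result[0], "reasons": result[1]})
    return findings


if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f["user"], f["image"], f["score"], "; ".join(f["reasons"]))
```

The weights are chosen so that a headless browser driven by a developer's test harness scores below the threshold while the combination of a temporary-directory profile and an open debugging port scores well above it; hosts that legitimately run browser automation should have their automation parents added to EXPECTED_PARENTS rather than having the threshold raised.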

Conclusion

Umbrij demonstrates how advanced threat actors are increasingly targeting cloud authentication mechanisms instead of traditional credential theft. By abusing legitimate OAuth workflows and authenticated browser sessions, ToddyCat can gain persistent access to corporate email and Google Workspace resources while minimizing the likelihood of detection.

Organizations should monitor for browser launches in headless mode, unexpected remote debugging ports, and OAuth application grants the user did not knowingly make. Security teams should regularly review Google Workspace OAuth permissions, revoke applications that are no longer in use, such as Google Workspace Migration for Microsoft Outlook or Google Workspace Sync for Microsoft Outlook where appropriate, and watch for abnormal API access that could indicate a compromised account.
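As an added example (not part of the original advisory), the script below reviews OAuth grant events in the shape returned by the Google Workspace Admin SDK Reports API for the token application, flagging grants that cover the services named above, grants that span several of those services at once, and grants to the two Outlook applications mentioned. The records are constructed, the client IDs are placeholders, and the field layout is assumed from the Reports API documentation; verify it against your own export before relying on it.

```python
# Service families relevant to this campaign, keyed by substrings of Google's scope URLs.
SERVICE_MARKERS = {
    "gmail": ("mail.google.com", "/auth/gmail"),
    "drive": ("/auth/drive",),
    "contacts": ("/auth/contacts",),
    "calendar": ("/auth/calendar",),
    "tasks": ("/auth/tasks",),
}
# Apps the advisory suggests revoking where they are no longer in use.
WATCHLIST_APPS = {
    "Google Workspace Migration for Microsoft Outlook",
    "Google Workspace Sync for Microsoft Outlook",
}

# Constructed records in the assumed shape of Reports API token activity
# (applicationName=token). Client IDs and timestamps are made up.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2026-07-01T09:12:03.000Z"}, "actor": {"email": "alice@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "111111.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Team Wiki Sync"},
         {"name": "scope", "multiValue": ["openid", "https://www.googleapis.com/auth/userinfo.email"]}]}]},
    {"id": {"time": "2026-07-01T03:41:17.000Z"}, "actor": {"email": "alice@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "222222.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Google Workspace Sync for Microsoft Outlook"},
         {"name": "scope", "multiValue": [
             "https://mail.google.com/",
             "https://www.googleapis.com/auth/drive",
             "https://www.googleapis.com/auth/contacts",
             "https://www.googleapis.com/auth/calendar",
             "https://www.googleapis.com/auth/tasks"]}]}]},
    {"id": {"time": "2026-07-01T10:05:44.000Z"}, "actor": {"email": "bob@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "333333.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Calendar Widget"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]}]},
    {"id": {"time": "2026-07-01T11:00:00.000Z"}, "actor": {"email": "carol@example.com"},
     "events": [{"type": "auth", "name": "revoke", "parameters": [
         {"name": "client_id", "value": "333333.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Calendar Widget"}]}]},
]


def _params(event):
    """Flatten the Reports API parameter list into a dict; multiValue wins when present."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def services_in(scopes):
    """Map granted scope URLs onto the service families above (sorted for stable output)."""
    found = set()
    for scope in scopes:
        for family, markers in SERVICE_MARKERS.items():
            if any(m in scope for m in markers):
                found.add(family)
    return sorted(found)


def review_grants(activities, broad_threshold=3):
    """Return authorize events worth a human look, widest grant first."""
    findings = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue  # revoke and other token events are not new grants
            p = _params(ev)
            services = services_in(p.get("scope") or [])
            reasons = []
            if services:
                reasons.append("access to " + ", ".join(services))
            if len(services) >= broad_threshold:  # threshold is an assumption
                reasons.append("single grant spans several Workspace services")
            if p.get("app_name") in WATCHLIST_APPS:
                reasons.append("app on revocation watchlist")
            if reasons:
                findings.append({"time": act["id"]["time"], "actor": act["actor"]["email"],
                                 "app_name": p.get("app_name"), "client_id": p.get("client_id"),
                                 "services": services, "reasons": reasons})
    findings.sort(key=lambda f: (-len(f["services"]), f["time"]))
    return findings


def apps_summary(findings):
    """Per app: which users granted it and the union of services, for a permissions review."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["app_name"], {"users": set(), "services": set()})
        entry["users"].add(f["actor"])
        entry["services"].update(f["services"])
    return {app: {"users": sorted(v["users"]), "services": sorted(v["services"])}
            for app, v in summary.items()}


if __name__ == "__main__":
    for f in review_grants(SAMPLE_ACTIVITIES):
        print(f["time"], f["actor"], f["app_name"], "; ".join(f["reasons"]))
```

A grant that turns up here for a user who has no reason to run the application in question, or that appears shortly after a headless browser launch on that user's workstation, is the point at which to revoke the token from the admin console and rotate the account's sessions.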

Source

https://thehackernews.com/2026/07/toddycat-linked-umbrij-malware-abuses.html