
Kaspersky discovers new ToddyCat tool capable of compromising access to corporate Gmail accounts

30 June 2026

As part of its proactive threat hunting efforts, Kaspersky experts have identified a previously unknown tool used by the APT group ToddyCat. In this campaign, the threat actor targeted victims’ corporate communications hosted in Gmail, with the objective of gaining unauthorized access to email accounts through the service’s API. The malware was designed to attack Windows users, but the technique can potentially be used for other systems.

The attackers developed a new tool, Umbrij, capable of establishing covert connections via a debugging port while disguising its activity as a legitimate process. This approach enables the threat actor to operate with a lower risk of detection and maintain access to compromised environments. The newly identified technique, dubbed Shadow Token via Remote Debug (STRD), affects Chromium-based browsers. 

From the user’s perspective, the attack exploits an existing authenticated Gmail session that remains active in the browser. If the user has not signed out of their Gmail account, the browser retains the corresponding authentication session. By leveraging this condition, attackers launch a browser instance, establish control through a debugging port, and issue requests to Gmail to obtain access to Google Account resources within the context of the preserved user session. This allows the threat actor to abuse an already authenticated session without requiring the user to re-enter credentials.

The actor’s tool is capable of requesting extensive permissions, including full access to a victim’s email, cloud storage, and contacts. To complete the authorization flow, Umbrij automatically interacts with the consent prompt and approves the requested access by clicking the “Allow” button, ultimately obtaining the authentication code required to access the targeted resources.

“We have been monitoring ToddyCat activity for several years and continue to observe the group refining both its tooling and attack techniques. In this latest investigation, we identified a new tool, Umbrij, which further demonstrates the actor’s ongoing efforts to enhance its operational capabilities. When assessing the risks associated with this tool, organizations should recognize that launching a browser with a debugging port enabled is not a normal activity for most users outside of web application development. As a precautionary measure, businesses may consider disabling developer tools in Chromium-based browsers for users who do not require them for their daily work. Doing so can help mitigate the risk posed by this technique and invalidate access associated with potentially compromised tokens,” said Andrey Gunkin, Senior Malware Analyst at Kaspersky.
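A defender-side check that follows from the analyst's remark above: the detector below is an added example, not part of Kaspersky's release or of the Umbrij analysis. It scans constructed process-creation events (a simplified Sysmon-style key=value layout, not real telemetry) for Chromium-based browsers started with a remote-debugging switch and rates the launch higher when the parent is not the desktop shell. The browser names, field layout and severity rule are assumptions.

```python
# Chromium-based browser binaries to watch (assumption: list used for this example).
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Command-line switches that expose the DevTools protocol to other processes.
DEBUG_SWITCHES = ("--remote-debugging-port", "--remote-debugging-pipe")

# Constructed sample events in a "key=value|key=value" form loosely modelled on
# Sysmon Event ID 1 (process creation). These are not real log records.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=\"chrome.exe\" --profile-directory=Default",
    "Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|CommandLine=\"chrome.exe\" --remote-debugging-port=9222 --headless https://mail.google.com/",
    "Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=\"msedge.exe\" --remote-debugging-pipe",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe --remote-debugging-port=1",
]

def parse_event(line):
    """Split one constructed event line into a dict of its fields (CommandLine is last)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def debug_switches(cmdline):
    """Return every remote-debugging switch present on a command line."""
    return [tok for tok in cmdline.split() if tok.lower().startswith(DEBUG_SWITCHES)]

def detect_strd_launch(line):
    """Flag a Chromium-based browser started with a remote-debugging switch.

    Returns None for benign events, otherwise a dict describing the finding.
    """
    ev = parse_event(line)
    exe = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if exe not in CHROMIUM_IMAGES:
        return None
    switches = debug_switches(ev.get("CommandLine", ""))
    if not switches:
        return None
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    # A browser debug-launched by something other than the desktop shell (an
    # updater, a binary in Temp) is the pattern the analyst calls abnormal for
    # non-developers, so it is rated higher than a shell-launched one.
    severity = "high" if parent != "explorer.exe" else "medium"
    return {"browser": exe, "parent": parent, "switches": switches, "severity": severity}

def scan(events):
    """Run the detector over a list of event lines, keeping only findings."""
    return [hit for hit in map(detect_strd_launch, events) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```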

Previously, Kaspersky researchers detailed the group’s campaigns, which were aimed at stealing data from web browsers as well as from on-premises and cloud-based email services.

For more details about the new ToddyCat tool, see the full report on securelist.com.

To stay safe, Kaspersky experts also recommend businesses:

  • Use all-encompassing solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, and the investigation and response capabilities of EPP, EDR and XDR. Depending on your current needs and available resources, you can choose the most relevant solution within this product line and easily migrate to another one if your cybersecurity requirements change.
  • Provide your InfoSec professionals with in-depth visibility into cyberthreats targeting your organization. The latest Kaspersky Threat Intelligence will provide them with rich and meaningful context across the entire incident management cycle and help them identify cyber risks in a timely manner.
  • If your company lacks cybersecurity expertise, adopt Kaspersky’s managed security services, such as Compromise Assessment, Managed Detection and Response and/or Incident Response, which cover the entire incident management cycle – from threat identification to continuous protection and remediation.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Innovating the industry with a Cyber Immunity approach, Kaspersky safeguards consumers, businesses, critical infrastructure, and governments from cyberthreats, with over a billion devices protected to date.

Kaspersky ensures Cybersecurity True to Business, focusing on providing clear outcomes, protecting revenue, easing workloads and preventing downtime. Kaspersky’s deep threat intelligence and security expertise are constantly transformed into innovative solutions and services for organizations of every size, from small businesses to large enterprises, combining proven AI-driven protection technologies with simple management and expert support.

Recognized in independent tests and trusted by millions of individuals worldwide and nearly 200,000 organizations, Kaspersky helps detect threats earlier, respond faster and operate with greater confidence and freedom, protecting what matters most to our clients. Learn more at www.kaspersky.com.
