"In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs," Kaspersky said.
What Umbrij is and who it's linked to
Kaspersky reported discovery of a new malware family called Umbrij that ToddyCat — an advanced persistent threat (APT) active since at least 2020 — developed to gain surreptitious access to corporate Gmail accounts via the Google API. The Russian cybersecurity vendor that analyzed the tooling has labeled the core technique Shadow Token via Remote Debug (STRD).
Delivery and execution: signed dropper and DLL side‑loading
Kaspersky said Umbrij was found during a "threat hunting operation" in which a scheduled task impersonating Kaspersky's own software ("KasperskyEndpointSecurityEDRAvp") launched a digitally signed file. That signed file used DLL side‑loading to deploy a rogue Umbrij DLL written in .NET and obfuscated with ConfuserEx.
Three legitimate binaries were abused as side‑loading hosts: BDSubWiz.exe (a Submission Wizard component in Bitdefender ConnectAgent); VSTestVideoRecorder.exe (a testing video recorder for Microsoft Visual Studio); and GoogleDesktop.exe (the discontinued Google Desktop Search application). Regardless of the executable used, the final outcome was the same: the Umbrij DLL runs on the compromised Windows host.
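One way to turn the delivery chain above into hunting logic, as an added example that is not Kaspersky's analysis code or ToddyCat's tooling: flag a scheduled task whose name borrows the endpoint product's name but whose action runs from outside the vendor's install tree, and flag one of the three signed hosts loading a DLL from its own directory while the host itself sits somewhere it does not belong. The task and image-load records are constructed to mimic scheduled-task and DLL-load telemetry; the field names, the vendor install roots and the DLL file name are assumptions.

```python
"""Hunt for the delivery pattern: task impersonation plus DLL side-loading.

Added example, not Kaspersky's or ToddyCat's code. Records are constructed;
field names, install roots and the DLL name are assumptions."""
import ntpath

SIDELOAD_HOSTS = {"bdsubwiz.exe", "vstestvideorecorder.exe", "googledesktop.exe"}

# Assumed legitimate install roots for each abused signed host.
EXPECTED_ROOTS = {
    "bdsubwiz.exe": r"C:\Program Files\Bitdefender",
    "vstestvideorecorder.exe": r"C:\Program Files\Microsoft Visual Studio",
    "googledesktop.exe": r"C:\Program Files\Google\Google Desktop Search",
}
# Assumed install roots of the product the task name impersonates.
VENDOR_ROOTS = (r"C:\Program Files (x86)\Kaspersky Lab", r"C:\Program Files\Kaspersky Lab")


def _norm(path):
    """Lower-case, unquote and use backslashes so comparisons work off-host too."""
    return path.strip('"').replace("/", "\\").lower()


def _under(path, roots):
    p = _norm(path)
    return any(p.startswith(_norm(r).rstrip("\\") + "\\") for r in roots)


def suspicious_task(task):
    """Task name borrows the security product's name, but the action is not
    launched from the product's install tree."""
    return "kaspersky" in task["name"].lower() and not _under(task["action"], VENDOR_ROOTS)


def suspicious_sideload(event):
    """A known side-loading host loads a DLL from its own directory while the
    host itself runs from outside its expected install root."""
    exe, dll = _norm(event["image"]), _norm(event["loaded"])
    host = ntpath.basename(exe)
    if host not in SIDELOAD_HOSTS:
        return False
    same_dir = ntpath.dirname(exe) == ntpath.dirname(dll)
    relocated = not _under(exe, [EXPECTED_ROOTS[host]])
    return same_dir and relocated


def hunt(tasks, image_loads):
    """Return (indicator, record) pairs for everything that fires."""
    findings = [("task-impersonation", t) for t in tasks if suspicious_task(t)]
    findings += [("dll-sideload", e) for e in image_loads if suspicious_sideload(e)]
    return findings


# Constructed telemetry: malicious and benign records of each kind.
SAMPLE_TASKS = [
    {"name": "KasperskyEndpointSecurityEDRAvp", "action": r"C:\Users\Public\Libraries\BDSubWiz.exe"},
    {"name": "KasperskyEndpointSecurity", "action": r"C:\Program Files (x86)\Kaspersky Lab\KES\avp.exe"},
]
SAMPLE_LOADS = [
    {"image": r"C:\Users\Public\Libraries\BDSubWiz.exe",
     "loaded": r"C:\Users\Public\Libraries\placeholder.dll"},
    {"image": r"C:\Program Files\Bitdefender\ConnectAgent\BDSubWiz.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"image": r"C:\Program Files\Bitdefender\ConnectAgent\BDSubWiz.exe",
     "loaded": r"C:\Program Files\Bitdefender\ConnectAgent\helper.dll"},
]

if __name__ == "__main__":
    for indicator, record in hunt(SAMPLE_TASKS, SAMPLE_LOADS):
        print(indicator, record)
```

The host-in-own-directory rule is what makes side-loading visible: the signed binary is legitimate, so signature checks pass, and only its location plus the co-located DLL gives it away. Swap the vendor name and roots for whatever product your fleet actually runs.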
How Umbrij steals OAuth tokens from Chromium-based browsers
Kaspersky lays out a repeatable chain that culminates in the theft of an OAuth authorization code and its exchange for an access token usable against the Google API. Key elements reported include:
- Umbrij first checks that a browser remote debugging port is available, then obtains a logged‑in user's security context by duplicating the access token of the first "explorer.exe" process it finds (or of the user named with a -user <username> switch).
- It constructs the path to the browser application folder in the user's local application data and parses the Local State file for Chrome or Edge to enumerate profiles and identify profiles containing a "user_name" field with an email address — a signal the profile is authenticated to Google.
- The tool copies profile data into a BackupFiles folder under %LOCALAPPDATA%\Google\Chrome\ and %LOCALAPPDATA%\Microsoft\Edge\, including IndexedDB, Local Storage, Network, Login Data, Login Data For Account, Preferences, Secure Preferences, and Web Data. A force‑copy mechanism handles files locked by other processes.
- Umbrij locates the browser installation in Program Files, then launches the browser in headless mode using the copied profile so active cookies — including a signed‑in Google session — are applied without requiring interactive authentication.
- Using Puppeteer over the Chrome DevTools Protocol, connected through the remote debugging port, the malware drives the browser to an accounts.google[.]com/o/oauth2/v2/auth/identifier URL whose client_id belongs to a Google migration tool for importing PST and Microsoft Exchange data. The request asks for scopes covering full access to Gmail, Drive, Contacts, Calendar, and Tasks.
- JavaScript is used to emulate mouse clicks to select the target Google account and grant the requested permissions. The browser session is redirected to a local address and the malware extracts the OAuth authorization code from that redirect.
- Umbrij logs its actions to a file and saves the retrieved authorization code. The operator exfiltrates the log, exchanges the authorization code for an OAuth access token, and uses that token to connect to the Gmail account via the Google API.
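Two defender-side checks for the browser-control stage just described, as an added example that is not Kaspersky's code or the malware's: `google_profiles()` reads a Chromium Local State file and lists the profiles whose metadata carries a user_name, the selection signal the article says Umbrij keys on, so a responder can run it on a copied Local State during triage to see which accounts were exposed (Chromium keeps this under `profile.info_cache`). `shadow_launch_indicators()` scores a browser command line for the launch pattern: headless mode, a remote debugging port, and a user-data-dir under the BackupFiles copy. That the copied profile is handed to the browser through `--user-data-dir` is an assumption; the switch names are Chromium's. The Local State JSON and the command lines are constructed.

```python
"""Triage and detection for the headless-browser stage.

Added example, not Kaspersky's or ToddyCat's code. Inputs are constructed;
use of --user-data-dir for the copied profile is an assumption."""
import json
import re

REQUIRED = {"headless", "remote-debugging-port", "backupfiles-profile"}

HEADLESS = re.compile(r"--headless(?:=\w+)?(?=\s|$)")
DEBUG_PORT = re.compile(r"--remote-debugging-port=(\d+)")
USER_DATA = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))')
# BackupFiles under %LOCALAPPDATA%\Google\Chrome or %LOCALAPPDATA%\Microsoft\Edge.
BACKUP_DIR = re.compile(r"\\(?:google\\chrome|microsoft\\edge)\\backupfiles(?:\\|$)", re.I)


def google_profiles(local_state_text):
    """Return (profile_dir, user_name) for every profile signed in with an email."""
    state = json.loads(local_state_text)
    cache = state.get("profile", {}).get("info_cache", {})
    return [(d, m["user_name"]) for d, m in cache.items()
            if "@" in m.get("user_name", "")]


def shadow_launch_indicators(cmdline):
    """Return the set of launch indicators present in one browser command line."""
    hits = set()
    if HEADLESS.search(cmdline):
        hits.add("headless")
    if DEBUG_PORT.search(cmdline):
        hits.add("remote-debugging-port")
    m = USER_DATA.search(cmdline)
    if m and BACKUP_DIR.search(m.group(1) or m.group(2)):
        hits.add("backupfiles-profile")
    return hits


def is_shadow_launch(cmdline):
    """Fire only when all three co-occur: headless plus a debug port alone is
    everyday developer tooling and would drown the signal."""
    return REQUIRED <= shadow_launch_indicators(cmdline)


# Constructed Local State: one signed-in profile, one empty, one without the field.
SAMPLE_LOCAL_STATE = json.dumps({
    "profile": {"info_cache": {
        "Default": {"name": "Person 1", "user_name": "alice@example.com"},
        "Profile 1": {"name": "Person 2", "user_name": ""},
        "Profile 2": {"name": "Person 3"},
    }}
})

# Constructed process command lines: attack pattern, dev tooling, ordinary launch.
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
    r'--remote-debugging-port=9222 '
    r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\BackupFiles"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
    r'--remote-debugging-port=9222 --user-data-dir=C:\dev\puppeteer-profile',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
]

if __name__ == "__main__":
    print("signed-in profiles:", google_profiles(SAMPLE_LOCAL_STATE))
    for c in SAMPLE_CMDLINES:
        print(sorted(shadow_launch_indicators(c)), is_shadow_launch(c))
```

Process-creation telemetry that records full command lines (Sysmon event 1 or an EDR equivalent) is the natural feed for `is_shadow_launch`; pair it with a file-creation rule on the BackupFiles directory itself, since the copy precedes the launch.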
Variants, capabilities, and the STRD label
Kaspersky identified three distinct Umbrij versions; some include helper functions for debugging and for searching and selecting user accounts within the browser. The vendor named the end‑to‑end technique Shadow Token via Remote Debug (STRD), emphasizing that the approach leverages a live, authenticated Gmail session in Chromium‑based browsers by controlling the browser over the remote debugging port.
What organizations and users should check now
Kaspersky recommended that organizations review the third‑party applications that have been granted access to their Google accounts at myaccount.google[.]com/connections and look specifically for "Google Workspace Migration for Microsoft Outlook" or "Google Workspace Sync for Microsoft Outlook." If either application is listed but not actually in use, Kaspersky said revoking its access invalidates the OAuth tokens issued to it and reduces risk.
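Doing that review at fleet scale, as an added example that is not Kaspersky's code: audit each account's authorized clients for the two migration apps named above and for any client holding the broad scope set the article says the malware requests. The record shape (userKey, clientId, displayText, scopes) is an assumption modelled on what a Workspace admin gets from the Admin SDK Directory API tokens.list call; an individual user sees the same applications at myaccount.google[.]com/connections. The records are constructed and the clientId values are placeholders, not real client IDs.

```python
"""Audit authorized OAuth clients for the named migration apps and broad scopes.

Added example, not Kaspersky's code. Record shape is an assumption modelled
on the Directory API tokens resource; records below are constructed."""

NAMED_MIGRATION_APPS = {
    "Google Workspace Migration for Microsoft Outlook",
    "Google Workspace Sync for Microsoft Outlook",
}
FULL_MAILBOX = "https://mail.google.com/"
# The scope set the article says the malware's authorization request asks for.
MIGRATION_SCOPES = {
    FULL_MAILBOX,
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/tasks",
}


def audit_tokens(tokens, apps_in_use=frozenset()):
    """Return one finding per risky grant: (userKey, displayText, clientId, reason).
    apps_in_use holds displayText values the organization genuinely relies on."""
    findings = []
    for t in tokens:
        name, scopes = t.get("displayText", ""), set(t.get("scopes", []))
        if name in NAMED_MIGRATION_APPS and name not in apps_in_use:
            reason = "named migration client not in use: revoke"
        elif MIGRATION_SCOPES <= scopes:
            reason = "holds the full mail+drive+contacts+calendar+tasks scope set: review"
        elif FULL_MAILBOX in scopes:
            reason = "full mailbox scope: review"
        else:
            continue
        findings.append((t["userKey"], name, t["clientId"], reason))
    return findings


def revocations(findings):
    """(userKey, clientId) pairs to revoke; these are the two arguments the
    Directory API tokens.delete call takes, as I understand that API."""
    return [(u, c) for u, _, c, r in findings if r.endswith("revoke")]


# Constructed records; clientId values are placeholders.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "placeholder-migration-client",
     "displayText": "Google Workspace Migration for Microsoft Outlook",
     "scopes": sorted(MIGRATION_SCOPES)},
    {"userKey": "alice@example.com", "clientId": "placeholder-calendar-client",
     "displayText": "Room booking add-on",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "bob@example.com", "clientId": "placeholder-mail-client",
     "displayText": "Desktop mail client", "scopes": [FULL_MAILBOX]},
]

if __name__ == "__main__":
    found = audit_tokens(SAMPLE_TOKENS)
    for f in found:
        print(*f)
    print("revoke:", revocations(found))
```

Revocation only cuts off the token the attacker already exchanged; it does nothing about the still-signed-in browser profile that produced it, so treat a hit as a trigger to look for the host-side indicators as well.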
Andrey Gunkin, senior malware analyst at Kaspersky, summarized the operational impact: "Their new tool, Umbrij, automates the attackers’ attempts to gain access to organizational email accounts. This automation not only helps increase the scale and frequency of their attacks but also demonstrates ToddyCat’s strong motivation and advanced technical skills."
Umbrij is a focused, automated effort to convert a live browser session into API access to corporate email; defenders can blunt that pathway by auditing granted OAuth app permissions and removing unused migration tools that request broad scopes. The specific chain — signed dropper, DLL side‑loading, profile copy, headless Chromium control via Puppeteer, and OAuth code extraction — creates multiple points where detection and mitigation can be applied if defenders map these behaviors to their controls and logs.
https://thehackernews.com/2026/07/toddycat-linked-umbrij-malware-abuses.html