
ToddyCat APT Group Exploits Google API for Email Access


"Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems," Kaspersky researchers wrote — a concise description of how a new ToddyCat capability works in real environments.

The STRD technique and the Umbrij tool

Kaspersky attributes a new automation tool to the ToddyCat APT: a .NET DLL called Umbrij that implements a technique the researchers name Shadow Token via Remote Debug (STRD). Umbrij targets Chromium-based browsers and leverages an already-authenticated Gmail session in a copied profile to obtain an OAuth authorization code. The tool then exchanges that code for an access token and uses Google APIs to reach corporate email and related cloud resources.

DLL sideloading and execution vectors used to launch Umbrij

Umbrij was observed being launched via DLL sideloading from digitally signed executables that the attackers abused to hide malicious activity. The legitimate files identified as being abused include:

  • BDSubWiz.exe (Bitdefender ConnectAgent) — insecurely loading log.dll
  • VSTestVideoRecorder.exe (Visual Studio test tool) — insecurely loading Microsoft.VisualStudio.QualityTools.VideoRecorderEngine.dll
  • GoogleDesktop.exe (discontinued Google Desktop Search) — insecurely loading GoogleServices.dll

Kaspersky’s telemetry showed multiple file paths used for the sideloaded DLLs (for example, C:\Users\Public\BDS.exe loading C:\Users\Public\log.dll and c:\windows\temp\GoogleDesktop.exe loading c:\windows\temp\GoogleServices.DLL). The Umbrij DLLs themselves were obfuscated with ConfuserEx and detected by Kaspersky under HEUR:Trojan-PSW.MSIL.Umbrij.gen and related verdicts.

How Umbrij obtains an OAuth authorization code

The tool prepares a copied browser profile, then launches Chrome and/or Edge in headless mode with a remote debugging port and the copied profile directory. Umbrij uses Puppeteer Sharp to connect to the browser’s DevTools interface, navigates the account-selection and permission flows on accounts.google.com, and simulates the clicks that approve broad scopes (mail, drive, contacts and others).

Crucial technical details from the observed flow: the initial OAuth request used a client_id value of 279448736670 (Google Workspace Migration for Microsoft Outlook, GWMMO) but Umbrij can switch that value to 1095133494869 (Google Workspace Sync for Microsoft Outlook, GWSMO) with the -sync parameter. The tool intentionally omits several parameters that legitimate clients include — for example, code_challenge (PKCE) and state — and sets redirect_uri to plain http://localhost, allowing it to extract the code parameter directly from the GET request returned to the local address.

Operational artifacts, logging and example behavior

Umbrij enumerates browser profiles by reading the Local State JSON and looks for user_name entries that contain email addresses. It copies IndexedDB, Local Storage, Network, Login Data, Preferences, Secure Preferences and Web Data into a BackupFiles directory and can force-copy locked files. The tool duplicated an explorer.exe token to run in a user’s context (T1134.003) unless instructed otherwise via command-line switches like -runas-currentuser or -user.

Kaspersky published an example log produced by Umbrij showing a debugging port set to 11111, detection of a Profile 4 associated with an email address, creation of a browser process (pid 3108), and the captured authorization code fragment. The tool can also save a PDF snapshot of the permission confirmation page when an error occurs and can produce profile PDFs by navigating to chrome://profile-internals or edge://profile-internals.

Detection, mitigation and concrete steps for defenders

Kaspersky recommends monitoring three practical detection areas observed in the attacks:

  • DLL sideloading: watch for unexpected image loads of known DLL names when initiated by the legitimate files identified above. Kaspersky provided a detection rule example titled "Possible Dll Hijacking Of Microsoft VisualStudio QualityTools dll" (id 246f1409-2993-46f6-9b77-e447a327df5d).
  • Browser launch arguments: flag Chromium-based browsers launched with --remote-debugging-port together with --headless. Kaspersky published a rule named "Launching Chrome With Debug Parameters" (id f072803f-3cf4-4537-82e6-e8b3a201d99f).
  • Third-party OAuth connections: review Google Account "Third-party apps & services" at https://myaccount.google.com/connections and revoke GWMMO/GWSMO access if those tools are not legitimately used by the organization.

As a technical mitigation, Kaspersky recommends disabling Chromium developer tools on non-developer hosts by setting the DeveloperToolsAvailability policy to 0x00000002 via the registry value HKLM\Software\Policies\Google\Chrome\DeveloperToolsAvailability and restarting the browser. The researchers note that this blocks automated STRD flows but does not prevent an attacker working through the browser GUI manually.

What this means for Google account holders and enterprise security teams

For Google account holders: log out of Google sessions when finished and review connected apps at the Connections page; immediate revocation of unused GWMMO/GWSMO entries invalidates potentially compromised tokens. For enterprise security teams: add detections for the specific DLL-loading behaviors and headless remote-debug launches Kaspersky documents, audit installed applications that can be abused for DLL sideloading, and collect logs that surface the copied-profile and headless-browser patterns described above.

ToddyCat’s Umbrij shows a focused effort to automate OAuth theft by abusing browser debugging interfaces and sideloaded binaries. The practical defenses Kaspersky recommends — monitoring DLL loads, flagging headless debug launches, and auditing OAuth app access — are concrete steps organizations can take now to reduce exposure.

Original Kaspersky report: ToddyCat: your hidden email assistant. Part 2