ToddyCat: your hidden email assistant. Part 2
ToddyCat APT developed a tool called Umbrij that automates the theft of Google OAuth authorization codes by launching Chromium-based browsers in headless mode with remote debugging ports enabled. The tool copies the victim's browser profile to a backup directory, launches the browser invisibly with the stolen session, and uses Puppeteer Sharp to automate the Google OAuth consent flow using legitimate Google Workspace Migration/Sync client IDs. The resulting authorization code is exfiltrated and exchanged for an access token, enabling API-level access to the victim's Gmail, Drive, Calendar, and Contacts without traditional credential theft.
- md51ab58838e5790efb22f2d35ab98c0b7dUmbrij version a — malicious .NET DLL sideloaded via legitimate executables to steal Google OAuth authorization codes
- md522aaeb4946ba6d2f2e27feb7dbb295deUmbrij version b — malicious .NET DLL with additional features including domainAd and savepdf parameters
- md528cb7b261f4eb97e8a4b3b0d32f8def1Legitimate BDSubWiz.exe (Bitdefender ConnectAgent component) leveraged for DLL sideloading — insecurely loads log.dll
- md53432dd9ac0df80ef86eb80bd080f839bUmbrij version a — malicious .NET DLL used in ToddyCat OAuth token theft campaign
- md53d3a621f852c42d97fd7260681e42508Umbrij version a — malicious .NET DLL used in ToddyCat OAuth token theft campaign
- md59f5f2f0fb0a7f5aa9f16b9a7b6dad89fLegitimate GoogleDesktop.exe leveraged for DLL sideloading — insecurely loads GoogleServices.DLL
- md5a7d7d6c4c3f227f7117261c63b9e23a9Umbrij version a — malicious .NET DLL used in ToddyCat OAuth token theft campaign
- md5bae82a15d1dbfb024617b9b56a8e5f66Legitimate VSTestVideoRecorder.exe (Visual Studio testing component) leveraged for DLL sideloading — insecurely loads Microsoft.VisualStudio.QualityTools.VideoRecorderEngine.dll
- md5f169d6d172dfb775895a5e2b1540c854Umbrij version c — malicious .NET DLL with lport parameter replacing debugport
- md5f61fbfb7aa1cd5dc8f70b055b51563e2Umbrij version b — malicious .NET DLL used in ToddyCat OAuth token theft campaign
Detection / Hunteropenrouter
What Happened
A sophisticated hacking group called ToddyCat has built a new tool that silently steals access to your Google email and cloud files. The tool works by secretly launching your web browser in the background, using your already-logged-in Google session to request permission to read your emails, files, and contacts, and then automatically clicking the 'Allow' button without you ever seeing it. The attackers disguise the tool as legitimate software from companies like Bitdefender and Google to avoid detection by security programs. Anyone who uses Google Workspace for work email and stays logged into their Google account in their browser could be affected. This matters because the attackers gain full access to corporate email and cloud storage without needing your password. To protect yourself, you should regularly log out of your Google account when finished working, check your Google Account settings for unfamiliar app permissions, and ensure your security software is up to date.
Key Takeaways
- ToddyCat APT developed a new .NET tool called Umbrij that automates theft of Google OAuth authorization codes by launching Chromium-based browsers in headless mode with remote debugging enabled
- The technique, dubbed Shadow Token via Remote Debug (STRD), abuses legitimate Google Workspace Migration/Sync client IDs to request broad API scopes (Gmail, Drive, Calendar, Contacts, Admin Directory) without PKCE protection
- Umbrij is delivered via DLL sideloading using legitimate signed executables from Bitdefender, Visual Studio, and Google Desktop, and is obfuscated with ConfuserEx
- Attackers masquerade persistence by creating a scheduled task named KasperskyEndpointSecurityEDRAvp to impersonate legitimate security product activity
- Defenders can detect this by monitoring for browsers launched with --remote-debugging-port and --headless arguments, DLL sideloading of known vulnerable executables, and auditing Google Account third-party app connections
Affected Systems
- Windows endpoints with Chromium-based browsers (Google Chrome, Microsoft Edge) installed
- Users with active Gmail/Google Workspace sessions who have not explicitly logged out
- Organizations using Google Workspace for corporate email
Attack Chain
ToddyCat deploys Umbrij by placing a legitimate signed executable (e.g., BDSubWiz.exe, GoogleDesktop.exe, VSTestVideoRecorder.exe) alongside a malicious DLL in directories such as C:\Users\Public or C:\Windows\Temp, then triggers execution via a scheduled task named KasperskyEndpointSecurityEDRAvp. The signed executable loads the malicious DLL via sideloading; Umbrij then duplicates the explorer.exe token for user impersonation, copies the victim's Chromium browser profile files to a BackupFiles directory, and launches the browser in headless mode with a remote debugging port. Using Puppeteer Sharp, Umbrij connects to the browser's debugging port, navigates to Google's OAuth consent flow using legitimate Google Workspace Migration/Sync client IDs, and automates clicking through account selection and permission grants to capture an OAuth authorization code, which is logged and later exfiltrated for API-level access to the victim's Gmail, Drive, Calendar, and Contacts.
Detection Availability
- YARA Rules: No
- Sigma Rules: Yes
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Sigma rules (Kaspersky)
The article includes two Sigma rules: one detecting DLL hijacking of Microsoft.VisualStudio.QualityTools.VideoRecorderEngine.dll loaded from unexpected locations, and one detecting Chromium-based browsers launched with --remote-debugging-port and --headless command-line arguments. Both are authored by Kaspersky and target Windows image_load and process_creation log sources respectively.
Detection Engineering Assessment
EDR Visibility: High — The attack involves process creation, DLL loading from unexpected paths, token manipulation of explorer.exe, browser launches with unusual command-line arguments, and file copy operations — all of which are well-covered by modern EDR solutions with process telemetry and image load events. Network Visibility: Medium — The OAuth requests go to legitimate Google infrastructure (accounts.google.com, googleapis.com), making network-based detection difficult without deep inspection of request parameters like missing PKCE, modified redirect_uri, or abnormal scope combinations. The browser debugging port connection is localhost-only and not visible on the network. Detection Difficulty: Moderate — The DLL sideloading and browser launch with debug parameters are straightforward to detect with process and image load telemetry. However, the OAuth token theft itself occurs entirely within legitimate Google infrastructure using legitimate client IDs, making it difficult to distinguish from normal user activity without analyzing specific OAuth request parameters.
Required Log Sources
- Windows process creation events (Sysmon Event ID 1 or equivalent EDR process telemetry)
- Windows image load / DLL load events (Sysmon Event ID 7 or EDR module load telemetry)
- Windows scheduled task creation events (Event ID 4698)
- EDR token manipulation / impersonation telemetry
- Google Workspace Admin audit logs for OAuth token grants
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for Chromium-based browser processes launched with both --remote-debugging-port and --headless command-line arguments on user workstations, which would indicate automated browser control consistent with T1528 | Process creation events with command-line arguments (Sysmon EID 1 or EDR process telemetry) | Execution / OAuth token acquisition | Medium — legitimate web developers and QA automation engineers may launch browsers with these flags for testing; consider filtering by user role or department |
| Consider hunting for DLL loads of Microsoft.VisualStudio.QualityTools.VideoRecorderEngine.dll, log.dll, or GoogleServices.DLL from non-standard directories such as C:\Windows\Temp, C:\Users\Public, or C:\Windows\Vss, which would indicate DLL sideloading activity | Image load / module load events (Sysmon EID 7 or EDR module load telemetry) | Initial execution / defense evasion | Low — these specific DLLs loading from Temp or Public directories is highly unusual and unlikely in normal operations |
| Consider hunting for scheduled tasks with names mimicking security product processes (e.g., containing 'Kaspersky', 'EDR', 'Security', 'Endpoint') that were not created by the respective security product's management console | Windows scheduled task creation events (EID 4698) and task scheduler operational logs | Persistence / execution | Low — security product-named tasks created outside of the product installer are highly suspicious |
| Consider hunting for processes that duplicate tokens from explorer.exe and subsequently launch browser processes, which would indicate token impersonation followed by OAuth session hijacking | EDR token manipulation telemetry, process ancestry and parent-child relationships | Execution / privilege escalation | Medium — some legitimate software may impersonate explorer.exe tokens; focus on combinations with browser launches in headless mode |
| Consider auditing Google Workspace admin logs for OAuth token grants using Google Workspace Migration for Microsoft Outlook (client_id 279448736670) or Google Workspace Sync for Microsoft Outlook (client_id 1095133494869) on accounts where these tools are not deployed | Google Workspace Admin audit logs, Google Account third-party app connections | Credential access / exfiltration | Medium — organizations legitimately using GWMMO or GWSMO will generate these events; correlate with endpoint telemetry to identify suspicious grants |
Control Gaps
- Network-based detection cannot identify the OAuth token theft as all requests target legitimate Google infrastructure
- Traditional email security gateways will not detect API-level email access via OAuth tokens since no login or credential submission occurs
- Application allowlisting may not flag the attack if the sideloaded legitimate executables are already approved
- Browser session monitoring tools may not capture headless browser instances launched with copied profile directories
Key Behavioral Indicators
- Chromium browser process launched with --remote-debugging-port and --headless arguments simultaneously
- DLL loads of log.dll, GoogleServices.DLL, or Microsoft.VisualStudio.QualityTools.VideoRecorderEngine.dll from C:\Windows\Temp, C:\Users\Public, or C:\Windows\Vss
- Scheduled task named KasperskyEndpointSecurityEDRAvp on systems without corresponding Kaspersky product
- explorer.exe token duplication followed by browser process creation in headless mode
- Creation of BackupFiles directories under %LOCALAPPDATA%\Google\Chrome\ or %LOCALAPPDATA%\Microsoft\Edge\
- Browser profile file copy operations (IndexedDB, Login Data, Local Storage) to non-standard directories
False Positive Assessment
- Medium — The DLL sideloading detections may trigger on legitimate use of the named executables in development or security product environments. The browser debug parameter detection will generate false positives for web developers and QA automation engineers. The OAuth token grants using GWMMO/GWSMO client IDs will be true positives only if those tools are not legitimately deployed; organizations using them will need to correlate with endpoint telemetry.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider auditing Google Account connections at https://myaccount.google.com/connections for all potentially affected users and revoking access for Google Workspace Migration for Microsoft Outlook or Google Workspace Sync for Microsoft Outlook if those tools are not deployed in your environment.
- Consider hunting your EDR or SIEM for the seven Umbrij MD5 hashes listed in the article and for the scheduled task name KasperskyEndpointSecurityEDRAvp across all endpoints.
- If your EDR supports host isolation, consider isolating any endpoints where Umbrij DLLs or the masquerading scheduled task are identified, pending further investigation.
Infrastructure Hardening
- Consider configuring the DeveloperToolsAvailability Chrome policy to 0x00000002 under HKLM\Software\Policies\Google\Chrome\DeveloperToolsAvailability for users who do not require web development tools, which disrupts the automated OAuth code retrieval.
- Evaluate whether your organization can restrict or monitor OAuth token grants for Google Workspace Migration/Sync client IDs via Google Workspace Admin Console application controls.
- Consider deploying the Sigma rules referenced in the article to your SIEM or EDR for DLL sideloading detection and browser debug parameter detection, if your tooling supports Sigma import.
- If applicable, consider disabling or restricting the Chromium remote debugging protocol via group policy for non-developer user populations.
User Protection
- Consider instructing users to explicitly log out of their Google accounts in browser sessions when work is complete, as the attack relies on maintaining an active authenticated session.
- Evaluate whether browser session isolation or separate browser profiles for corporate Google Workspace access could reduce the attack surface.
- If supported by your endpoint tooling, consider alerting on any browser process launched with --remote-debugging-port on non-developer workstations.
Security Awareness
- Consider incorporating guidance into existing security awareness programs about the importance of logging out of cloud email sessions rather than just closing the browser window.
- If applicable to your organization, consider educating users about reviewing their Google Account third-party app permissions periodically.
- Consider adding awareness content about how attackers can abuse legitimate-looking application names and security product names to disguise malicious activity.
MITRE ATT&CK Mapping
- T1574.001 - DLL Side-Loading
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1036 - Masquerading
- T1134.003 - Access Token Manipulation: Make and Impersonate Token
- T1528 - Steal Application Access Token
- T1218 - System Binary Proxy Execution
Additional IOCs
- File Hashes:
9F5F2F0FB0A7F5AA9F16B9A7B6DAD89F(MD5) - Legitimate GoogleDesktop.exe leveraged for DLL sideloading — insecurely loads GoogleServices.DLL28CB7B261F4EB97E8A4B3B0D32F8DEF1(MD5) - Legitimate BDSubWiz.exe (Bitdefender ConnectAgent component) leveraged for DLL sideloading — insecurely loads log.dllBAE82A15D1DBFB024617B9B56A8E5F66(MD5) - Legitimate VSTestVideoRecorder.exe (Visual Studio testing component) leveraged for DLL sideloading — insecurely loads Microsoft.VisualStudio.QualityTools.VideoRecorderEngine.dll
- File Paths:
C:\Users\Public\BDS.exe- Attacker-dropped copy of BDSubWiz.exe used as DLL sideloading host for UmbrijC:\Users\Public\log.dll- Attacker-dropped malicious DLL (Umbrij) loaded via DLL sideloading by BDS.exeC:\Windows\Temp\BDS.exe- Attacker-dropped copy of BDSubWiz.exe in Windows Temp for DLL sideloadingC:\Windows\Temp\log.dll- Attacker-dropped malicious DLL (Umbrij) in Windows Temp loaded via DLL sideloadingC:\Windows\Vss\bds.exe- Attacker-dropped copy of BDSubWiz.exe in Volume Shadow Copy directory for DLL sideloadingC:\Windows\Vss\log.dll- Attacker-dropped malicious DLL (Umbrij) in Vss directory loaded via DLL sideloadingC:\Windows\Temp\GoogleDesktop.exe- Attacker-dropped GoogleDesktop.exe in Windows Temp used as DLL sideloading hostC:\Windows\Temp\GoogleServices.DLL- Attacker-dropped malicious DLL (Umbrij) loaded via GoogleDesktop.exe sideloadingC:\Windows\Temp\VSTestVideoRecorder.exe- Attacker-dropped Visual Studio test recorder in Windows Temp used as DLL sideloading hostC:\Windows\Temp\Microsoft.VisualStudio.QualityTools.VideoRecorderEngine.dll- Attacker-dropped malicious DLL (Umbrij) loaded via VSTestVideoRecorder.exe sideloading
- Command Lines:
- Purpose: Executing Umbrij via DLL sideloading with target user selection and deep search parameters | Tools:
BDSubWiz.exe,log.dll| Stage: Initial execution / DLL sideloading |"c:\Users\Public\BDSubWiz.exe" -regex <name> -deepsearch - Purpose: Launching Chromium-based browser in headless mode with remote debugging port to automate OAuth token theft | Tools:
chrome.exe,msedge.exe| Stage: OAuth authorization code acquisition
- Purpose: Executing Umbrij via DLL sideloading with target user selection and deep search parameters | Tools:
- Other:
KasperskyEndpointSecurityEDRAvp- Malicious scheduled task name created by attackers to masquerade as legitimate Kaspersky security product activity and launch Umbrij via DLL sideloading