{"id":3920,"date":"2026-06-30T10:04:00","date_gmt":"2026-06-30T10:04:00","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/30\/toddycat-your-hidden-email-assistant-part-2\/"},"modified":"2026-06-30T10:04:00","modified_gmt":"2026-06-30T10:04:00","slug":"toddycat-your-hidden-email-assistant-part-2","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/30\/toddycat-your-hidden-email-assistant-part-2\/","title":{"rendered":"ToddyCat: your hidden email assistant. Part 2"},"content":{"rendered":"
\n

\"\"<\/p>\n

Introduction<\/h2>\n

We continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report<\/a>, we examined the group\u2019s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group\u2019s methods we described previously are effectively detected by EPP and EDR solutions.<\/p>\n

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim\u2019s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.<\/p>\n

In this part of the report, we break down the mechanics of this new attack and analyze the tool that was used to automate it. We\u2019ll also discuss how to detect and defend against this threat.<\/p>\n

Umbrij<\/h2>\n

In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs. Because the Google API relies on the OAuth 2.0 protocol for authorization, applications can use an OAuth token to access requested email resources. To acquire this token, the threat actors developed a tool called Umbrij and used it to connect to the browser\u2019s management console in headless mode via a remote debugging port. Through a series of requests, they obtained an OAuth authorization code, which they subsequently exchanged for an access token to reach the target resources via the API. We have dubbed this technique Shadow Token via Remote Debug (STRD).<\/p>\n

This attack is viable on Chromium-based browsers. If the user has not logged out of their Gmail account, the browser maintains an active session. The attackers exploit this: they launch the browser, connect via the remote debugging port to take control, and send a request to the Gmail service to grant access to the Google account resources within the context of the user\u2019s saved session.<\/p>\n

During our investigation of this attack, we discovered several versions of the Umbrij tool. These versions included a variety of helper functions designed for debugging, as well as for searching and selecting user accounts within the browser, among other tasks.<\/p>\n

Kaspersky solutions detect this tool with the following verdicts: HEUR:Trojan-PSW.MSIL.Umbrij.gen, HEUR:Trojan.MSIL.Agent.gen, HEUR:Trojan-PSW.MSIL.Agent.gen.<\/p>\n

Execution<\/h3>\n

The Umbrij tool was discovered during a proactive threat hunting operation: a scheduled task, KasperskyEndpointSecurityEDRAvp, was running on a user host, launching a digitally signed file. Kaspersky solutions do not create scheduled tasks with that name; the attackers were attempting to masquerade their malicious activity as a legitimate process.<\/p>\n

The signed file then used the DLL sideloading technique to load the malicious tool.<\/p>\n

\"Umbrij<\/a><\/p>\n

Umbrij execution events within Kaspersky Managed Detection and Response<\/p>\n<\/div>\n

Throughout our observation period, we identified the following legitimate files vulnerable to the DLL sideloading technique that were used to launch Umbrij:<\/p>\n

    \n
  1. BDSubWiz.exe: a component of the Submission Wizard in Bitdefender ConnectAgent, which is used to support connection features and interaction with other Bitdefender services or agents. This file insecurely loads a file named log.dll.<\/li>\n
  2. VSTestVideoRecorder.exe: a component of the video-recording tool used for testing with Visual Studio (VS Test). This executable insecurely loads a file named Microsoft.VisualStudio.QualityTools.VideoRecorderEngine.dll.<\/li>\n
  3. GoogleDesktop.exe: the discontinued Google Desktop Search application for indexing files and performing quick searches on a local Windows computer. This executable insecurely loads a file named GoogleServices.dll.<\/li>\n<\/ol>\n

    These files were used to load different versions of Umbrij; the same legitimate file could be leveraged to launch more than one variant. In total, we discovered three versions of Umbrij, which we refer to as a<\/code>, b<\/code>, and c<\/code> for convenience.<\/p>\n

    The tool itself is a DLL written in .NET and obfuscated with ConfuserEx, an open-source obfuscator for .NET applications.<\/p>\n

    \"Example<\/a><\/p>\n

    Example of an obfuscated code snippet<\/p>\n<\/div>\n

    Umbrij is managed with the help of parameters passed through a command line at startup, although it is occasionally executed without any parameters. Below are examples of the command lines observed in attacks against users:<\/p>\n

    \"c:UsersPublicBDSubWiz.exe\" -regex <name> -deepsearch\r\nc:windowsvssbds.exe<\/pre>\n
    However, these are not the only parameters the tool can accept and process. During the analysis of its executable code, we discovered additional parameters that vary depending on the version of Umbrij. See the table below for the parameters and their descriptions.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
    Version<\/strong><\/td>\nCommand<\/strong><\/td>\nDescription<\/strong><\/td>\n<\/tr>\n
    a<\/td>\n-regex <string><\/td>\nUsed in conjunction with the -deepsearch<\/em> parameter. Specifies a substring to search for within the user_name<\/em> field of the user profile file, which typically contains the email address. The tool will utilize the user profile that matches this specified substring<\/td>\n<\/tr>\n
    a<\/td>\n-user <username><\/td>\nSpecifies the system username under which the tool will run<\/td>\n<\/tr>\n
    a<\/td>\n-runas-currentuser<\/td>\nConfigures Umbrij to run within the execution context of the current user<\/td>\n<\/tr>\n
    a<\/td>\n-deepsearch<\/td>\nEnforces additional checks on the user_name<\/em> field in the user profile: verifying that it is not empty and that it contains the substring specified in the -regex<\/em> parameter<\/td>\n<\/tr>\n
    a, b, c<\/td>\n-path <path><\/td>\nSpecifies the full path to the directory containing the browser\u2019s executable file<\/td>\n<\/tr>\n
    a, b, c<\/td>\n-browser <both|msedge|chrome><\/td>\nSpecifies which browser the tool should target: Google Chrome, Microsoft Edge, or both<\/td>\n<\/tr>\n
    a, b, c<\/td>\n-debugport <port><\/td>\nSpecifies the remote debugging port number<\/td>\n<\/tr>\n
    a, b, c<\/td>\n-sync<\/td>\nWhen this parameter is specified in the URL, the value 1095133494869<\/em> replaces 279448736670<\/em> in the permission request<\/td>\n<\/tr>\n
    b<\/td>\n-domainAd<\/td>\nSpecifies the domain name if the user account is a domain account<\/td>\n<\/tr>\n
    b<\/td>\n-savepdf<\/td>\nInstructs Umbrij to save a screenshot of the user profile as a PDF file<\/td>\n<\/tr>\n
    c<\/td>\n-lport<\/td>\nSame as debugport<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
    Environment preparation<\/h3>\n
    At startup, the tool evaluates several prerequisites required to carry out the attack and performs preparatory actions to subsequently compromise the Gmail account.<\/p>\n
    First, Umbrij verifies the availability of the port that will be designated for browser debugging. To accomplish this, the tool utilizes a function named ChekPortAvailable()<\/code> (original spelling retained), which accepts the target port number as a parameter. It then retrieves information about active connections on the host using the .NET GetActiveTcpConnections()<\/code> function from the System.Net.NetworkInformation<\/code> namespace. The tool iterates through each connection in a loop, comparing the port number to the one it is checking.<\/p>\n
    \"The<\/a><\/p>\n
    The ChekPortAvailable function used to verify open ports<\/p>\n<\/div>\n
    After this, the tool retrieves the user context. It searches the system for the explorer.exe process and duplicates its token, retaining all of its privileges (T1134.003 Access Token Manipulation: Make and Impersonate Token). This is the exact same mechanism used by another tool in the group\u2019s arsenal, TomBerBil, which we covered previously<\/a>.<\/p>\n
    \"The<\/a><\/p>\n
    The ImpersonateWithProcess function used to retrieve user context<\/p>\n<\/div>\n
    By default, Umbrij duplicates the token of the first explorer.exe process it encounters. If multiple users are logged in to the system, the -user <username><\/code> switch can be used to specify the name of the target user whose token to duplicate. If the -runas-currentuser<\/code> switch is specified, the tool will execute within the context of the current user without duplicating any tokens.<\/p>\n
    Next, Umbrij constructs the path to the browser application folder within the user\u2019s local application data repository. To do this, it uses the Environment.SpecialFolder.LocalApplicationData<\/code> command to retrieve the repository directory from the environment variable and appends the directory of the target browser. The tool then searches for the Local State file in the following folders:<\/p>\n