A Kaspersky-tracked espionage group has automated Gmail account takeover at scale, bypassing passwords entirely by weaponizing Google's own authentication flow.

Intelligence Lead

Kaspersky's Securelist division has disclosed Umbrij, a new .NET-based tool linked to the China-nexus advanced persistent threat ToddyCat, which hijacks Google OAuth authorization flows to seize full access to Gmail, Drive, Calendar, and Contacts without ever touching a password. The technique, designated Shadow Token via Remote Debug (STRD), automates what was previously manual credential theft, materially increasing the group's operational tempo against government, defense, and corporate targets across Europe and Asia. The disclosure confirms state-linked actors are shifting from password theft toward abuse of trusted authentication infrastructure, a harder-to-detect vector that evades most conventional security controls, including multi-factor authentication.

Situation Report

Kaspersky assesses with high confidence that ToddyCat, an APT active since at least 2020 and previously documented targeting high-profile entities in Europe and Asia, has deployed Umbrij across a new wave of intrusions against corporate email infrastructure. The tool is obfuscated with ConfuserEx, a detail reported independently by Cyberpress, which complicates reverse engineering and slows defender attribution. Delivery follows ToddyCat's established pattern of DLL sideloading, with Umbrij hidden inside trusted, digitally signed executables including Bitdefender's ConnectAgent, Microsoft Visual Studio testing tools, and the long-discontinued Google Desktop Search application.

Once resident, Umbrij scans Chrome and Microsoft Edge profile directories for authenticated Google accounts, identifying browser profiles tied to Gmail addresses and copying login data, cookies, local storage, IndexedDB databases, and session files into a temporary staging location. It then launches a headless instance of the victim's browser via the Chrome DevTools remote debugging interface, driving the session with Puppeteer Sharp automation to complete a spoofed Google OAuth consent flow that impersonates legitimate Google Workspace Migration and Sync tools for Microsoft Outlook.

The spoofed authorization request strips PKCE verification, alters redirect destinations, and requests sweeping scopes covering Gmail, Drive, Calendar, Contacts, Tasks, user profile data, and administrative services. Because the resulting access token is issued through Google's legitimate infrastructure, the compromise leaves minimal forensic footprint and survives password resets, a property that distinguishes STRD from conventional phishing or credential-stuffing campaigns.
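The three properties above (no PKCE, a changed redirect destination, sweeping scopes) are all visible in the authorization-request URL that the browser sends to accounts.google.com, so they can be checked from proxy or browser-history logs. The following is an added example written for this article, not code from Kaspersky or from the Umbrij report; the redirect-host allowlist, the high-value-scope threshold and both sample URLs are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Google scope strings that grant broad mailbox, file, contact and directory access.
HIGH_VALUE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/tasks",
    "https://www.googleapis.com/auth/admin.directory.user",
}
# Assumption: redirect hosts the organisation expects its sanctioned desktop OAuth clients to use.
EXPECTED_REDIRECT_HOSTS = {"localhost", "127.0.0.1"}


def assess_auth_request(url: str, max_high_value: int = 2) -> list:
    """Return findings for one Google OAuth authorization-request URL ([] means nothing unusual)."""
    parsed = urlparse(url)
    if parsed.netloc != "accounts.google.com" or not parsed.path.startswith("/o/oauth2/"):
        return []  # not a Google authorization request
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []
    if "code_challenge" not in q:
        findings.append("PKCE stripped: no code_challenge, so an intercepted code is enough")
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname or "<none>"
    if redirect_host not in EXPECTED_REDIRECT_HOSTS:
        findings.append(f"unexpected redirect_uri host: {redirect_host}")
    requested = sorted(set(q.get("scope", "").split()) & HIGH_VALUE_SCOPES)
    if len(requested) > max_high_value:
        findings.append(f"{len(requested)} high-value scopes: {', '.join(requested)}")
    return findings


# Constructed sample requests: a narrow, PKCE-protected request and a sweeping one with PKCE removed.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client&response_type=code"
NORMAL_REQUEST = (AUTH_ENDPOINT
    + "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcb"
    + "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly"
    + "&code_challenge=constructed-challenge&code_challenge_method=S256&state=s1")
SPOOFED_REQUEST = (AUTH_ENDPOINT
    + "&redirect_uri=https%3A%2F%2Funexpected-host.example%2Fcb"
    + "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
    + "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    + "&state=s2")

if __name__ == "__main__":
    for name, url in (("normal", NORMAL_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        print(name, assess_auth_request(url) or "no findings")
```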

Kaspersky products detect the tool under the verdict HEUR:Trojan-PSW.MSIL.Umbrij.gen and have published defensive guidance: administrators should audit connected third-party applications at myaccount.google.com/connections and revoke unused Google Workspace Migration and Sync grants, which immediately invalidates any tokens already issued to the attacker. Organizations are also advised to restrict Chromium remote-debugging flags for non-technical staff and to monitor for anomalous headless browser process trees.
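The process-tree monitoring recommended above can be expressed as a small rule over process-creation telemetry: a Chrome or Edge launch carrying a remote-debugging or headless switch, started by something other than the usual launchers, with its profile loaded from a temp directory. This is an added example, not detection logic from Kaspersky; the field names mirror Sysmon process-creation events, the expected-parent list is an assumption to tune per environment, and the sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe"}
# Assumption: processes that normally start a browser on a managed workstation; tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe"}
# Real Chromium switches: remote-debugging exposes the DevTools protocol, headless hides the window.
DEBUG_SWITCHES = ("--remote-debugging-port", "--remote-debugging-pipe", "--headless")
TEMP_PROFILE = re.compile(r'--user-data-dir="?[^" ]*\\(temp|tmp)\\', re.IGNORECASE)


def assess_browser_launch(event: dict):
    """Score one process-creation event; returns None if uninteresting, else (severity, reasons)."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in BROWSERS:
        return None
    cmd = event["CommandLine"]
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    reasons = []
    if any(switch in cmd for switch in DEBUG_SWITCHES):
        reasons.append("remote-debugging or headless switch")
    if not reasons:
        return None  # an ordinary browser launch, whatever its parent
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    if TEMP_PROFILE.search(cmd):
        reasons.append("profile loaded from a temp directory")
    return ("high" if len(reasons) > 1 else "medium", reasons)


def _event(image, parent, cmd):
    return {"Image": image, "ParentImage": parent, "CommandLine": cmd}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Constructed sample events (not telemetry from the report): normal launch, developer debugging,
# and a headless browser started by a sideloading host against a staged copy of the profile.
EVENTS = [
    _event(CHROME, r"C:\Windows\explorer.exe", f'"{CHROME}" --profile-directory=Default'),
    _event(CHROME, r"C:\Windows\explorer.exe", f'"{CHROME}" --remote-debugging-port=9222'),
    _event(EDGE, r"C:\Users\u\AppData\Local\Vendor\sideloaded-host.exe",
           f'"{EDGE}" --headless --remote-debugging-port=0 --user-data-dir="C:\\Users\\u\\AppData\\Local\\Temp\\stage1"'),
]

if __name__ == "__main__":
    for event in EVENTS:
        print(PureWindowsPath(event["ParentImage"]).name, "->", assess_browser_launch(event))
```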

Background & Context

ToddyCat was first documented publicly by Kaspersky in 2022 under the title "Unveiling an unknown APT actor attacking high-profile entities in Europe and Asia." The group's prior toolkit, reported in 2024, focused on exfiltrating email data directly from Outlook via similar DLL-sideloading techniques. Kaspersky has consistently declined formal nation-state attribution, characterizing ToddyCat by tradecraft and target set rather than sponsor, though its focus on government and defense-adjacent organizations across the Europe-Asia corridor is consistent with state-directed collection priorities.

Umbrij's emergence fits a broader tradecraft migration observed across the espionage landscape through 2025 and into 2026: state-linked operators are increasingly abusing OAuth and other token-based authentication mechanisms rather than harvesting passwords outright, because tokens issued through legitimate identity providers bypass password resets and, in many configurations, multi-factor authentication itself. Similar abuse patterns have previously surfaced against Microsoft 365 and enterprise single sign-on providers.

This disclosure also lands against a backdrop of sustained state-sponsored cyber pressure on Western-aligned infrastructure, with Russian-linked actors separately reported maintaining persistent operations against Ukrainian and NATO energy, logistics, and communications networks. Corporate email remains one of the highest-value collection targets in this environment, functioning as a gateway to contracts, personnel records, and downstream credentials.

Analysis & Assessment

Umbrij's automation of a previously manual attack chain signals ToddyCat's intent to scale Gmail compromise beyond a small number of hand-picked targets, likely widening the victim pool among government contractors, defense-adjacent firms, and multinational corporations with permissive OAuth app-consent policies. The group's use of ConfuserEx obfuscation and legitimate signed binaries for sideloading suggests continued investment in evading both signature-based detection and human analyst review.

More significantly, the STRD technique demonstrates that identity infrastructure itself, not just credentials, is now a primary espionage target. Organizations that treat password strength and MFA enrollment as sufficient controls are exposed to this vector; token lifecycle management, OAuth consent-screen governance, and monitoring for anomalous application grants are becoming front-line defenses rather than optional hardening. Assess moderate-to-high likelihood that comparable Shadow-Token-style tooling appears against Microsoft 365 and other SSO-dependent platforms within the next six to twelve months, as the underlying technique is platform-agnostic.

Formal attribution to a specific state sponsor remains unconfirmed. Kaspersky's caution here is consistent with its historical posture on ToddyCat, and independent corroboration from Western government CERTs would materially raise confidence in both the sponsor assessment and the true scope of victimization, which has not yet been publicly disclosed in full.