ToddyCat, a persistent threat actor, has deployed a new malware family called Umbrij to compromise Gmail accounts by abusing OAuth authentication mechanisms and Google APIs. The malware bypasses traditional password-based security by obtaining legitimate API credentials, granting attackers direct access to email correspondence without triggering standard login alerts.
Kaspersky researchers discovered that ToddyCat deliberately targeted corporate Gmail environments in this campaign. The attack chain relies on OAuth token theft and API abuse rather than credential theft, making detection difficult for organisations relying on standard email security controls. Once Umbrij establishes API access, threat actors can read, forward, and exfiltrate emails while remaining invisible to the target organisation.
The malware's technical approach exploits a fundamental trust model. OAuth tokens issued for legitimate applications grant Umbrij the same permissions as the compromised user, allowing complete email access through programmatic means. This bypasses multi-factor authentication and modern email gateway defences that focus on login anomalies. Organisations receive no unusual login notifications because no interactive login occurs.
ToddyCat's focus on API-based compromise reflects a broader trend among advanced threat actors. Direct API access provides persistence, stealth, and scalability that traditional email compromise techniques cannot match. The malware persists across password changes and email security tool updates, as long as the compromised OAuth token remains valid.
Security teams must now monitor API activity alongside traditional email access logs. Standard indicators like unusual login locations or timing prove useless against API-based attacks. Organisations should implement API token rotation policies, restrict API scopes assigned to applications, and deploy anomalous API usage detection.
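As an added example (not code from Kaspersky's report or from the ToddyCat tooling), the following Python sketches the two checks the paragraphs above call for: flagging OAuth grants of mail-reading scopes to applications outside an allowlist, and flagging Gmail API activity by a user who shows no interactive login in the preceding window, which is exactly the gap token-only access leaves. The event schema, client names and allowlist are constructed; the scope URLs are real Gmail API scopes.

```python
from datetime import datetime, timedelta

# Real Gmail API scopes that permit reading mail (mail.google.com/ is full access).
MAIL_READ_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
# Hypothetical allowlist of applications the organisation has sanctioned.
APPROVED_CLIENTS = {"corp-mail-backup"}

def risky_grants(events):
    """(user, client) pairs granted a mail-reading scope by a non-approved app."""
    return [
        (e["user"], e["client"])
        for e in events
        if e["type"] == "oauth_grant"
        and e["client"] not in APPROVED_CLIENTS
        and MAIL_READ_SCOPES & set(e["scopes"])
    ]

def api_without_login(events, window=timedelta(days=7)):
    """Mail-API calls whose user has no interactive login in the preceding
    `window`: token-based access produces API activity with no login record."""
    logins = [(e["user"], datetime.fromisoformat(e["time"]))
              for e in events if e["type"] == "login"]
    hits = []
    for e in events:
        if e["type"] != "gmail_api":
            continue
        when = datetime.fromisoformat(e["time"])
        recent = any(u == e["user"] and when - window <= t <= when for u, t in logins)
        if not recent:
            hits.append((e["user"], e["client"], e["method"]))
    return hits

# Constructed sample events in a simplified schema (not Google's real export format).
SAMPLE = [
    {"type": "login", "user": "alice@example.com", "time": "2024-05-01T09:00:00"},
    {"type": "oauth_grant", "user": "alice@example.com", "client": "corp-mail-backup",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"], "time": "2024-05-01T09:05:00"},
    {"type": "oauth_grant", "user": "bob@example.com", "client": "unknown-app-7f3",
     "scopes": ["https://mail.google.com/"], "time": "2024-05-02T03:14:00"},
    {"type": "gmail_api", "user": "alice@example.com", "client": "corp-mail-backup",
     "method": "messages.list", "time": "2024-05-03T02:00:00"},
    {"type": "gmail_api", "user": "bob@example.com", "client": "unknown-app-7f3",
     "method": "messages.get", "time": "2024-05-20T03:20:00"},
]
```

Against the sample, only Bob's grant and Bob's later API call are flagged; Alice's sanctioned client and recent login keep her activity out of both lists.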
Umbrij's emergence demonstrates ToddyCat's technical sophistication. The group previously targeted telecommunications and government sectors. This campaign against corporate Gmail indicates expansion into broader enterprise environments where email compromise yields espionage value and financial gain.
