
ToddyCat Deploys Umbrij Malware for Unauthorized Gmail Access via Google API

Bottom Line: ToddyCat deploys Umbrij malware to compromise Gmail accounts through API abuse rather than traditional methods.

The threat group ToddyCat is deploying a new malware called Umbrij to gain access to Gmail mailboxes via the Google API. Kaspersky documents that the attackers are specifically compromising corporate email communications through API abuse.

The Umbrij malware was discovered by Kaspersky in a recent analysis of the ToddyCat campaign. Its core objective is unauthorized access to the Gmail accounts of corporate targets by abusing the Google API.

Rather than using traditional phishing or brute-force methods, the attackers focus on compromising API access. This allows them to bypass Gmail’s security mechanisms and access emails directly. The technique leverages OAuth mechanisms to authenticate with the Google API.

For CISOs, this is a critical finding: modern threat groups are shifting their focus to the API layer. The implication is that traditional email security systems and password-based defenses are insufficient on their own. Special attention should be paid to unexplained API access, unusual authentication patterns, and OAuth token abuse. Organizations should review their API access controls and implement or strengthen logging for Google API activity.
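One way to act on that recommendation is to review OAuth authorization events for grants of Gmail API scopes to clients the organization has not vetted. The following is an added example, not code from the original article or from Kaspersky; it assumes input records shaped like Google Workspace "token" audit events from the Admin SDK Reports API (event name `authorize`, parameters `client_id`, `app_name`, `scope`), and the sample events, client IDs, app names and allowlist are constructed placeholders.

```python
"""Flag OAuth grants that hand a Gmail API scope to an unapproved client.
Assumed input: records shaped like Google Workspace "token" audit events
(Admin SDK Reports API, applicationName=token). Sample events, client IDs and
app names below are constructed placeholders, not real indicators."""

# Scopes that give read or full mailbox access through the Gmail API.
GMAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

# Hypothetical allowlist of OAuth client IDs the organization has vetted.
APPROVED_CLIENT_IDS = {"111111.apps.googleusercontent.com"}

def _param(event, name):
    """Return a named event parameter (list for multi-valued ones, else str)."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("multiValue", p.get("value"))
    return None

def find_suspicious_grants(activities):
    """Return (user, client_id, app_name, gmail_scopes) for every 'authorize'
    event granting a Gmail scope to a client that is not on the allowlist."""
    hits = []
    for act in activities:
        user = act.get("actor", {}).get("email")
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue
            granted = set(_param(ev, "scope") or []) & GMAIL_SCOPES
            client_id = _param(ev, "client_id")
            if granted and client_id not in APPROVED_CLIENT_IDS:
                hits.append((user, client_id, _param(ev, "app_name"), sorted(granted)))
    return hits

# Constructed sample: one vetted backup app, one unknown app taking full Gmail access.
SAMPLE_ACTIVITIES = [
    {"actor": {"email": "alice@example.com"}, "events": [{"name": "authorize", "parameters": [
        {"name": "client_id", "value": "111111.apps.googleusercontent.com"},
        {"name": "app_name", "value": "Approved Mail Backup"},
        {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/gmail.readonly"]}]}]},
    {"actor": {"email": "bob@example.com"}, "events": [{"name": "authorize", "parameters": [
        {"name": "client_id", "value": "999999.apps.googleusercontent.com"},
        {"name": "app_name", "value": "Calendar Helper"},
        {"name": "scope", "multiValue": ["https://mail.google.com/", "openid"]}]}]},
]
```

Running `find_suspicious_grants(SAMPLE_ACTIVITIES)` returns only the second grant, where a client outside the allowlist received full mailbox scope; in practice the allowlist should be populated from the organization's approved OAuth app inventory.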


Source: thehackernews.com · Published 2 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.2.
