
Umbrij: APT Group ToddyCat Hijacks Gmail Sessions via Debugging Ports

In a nutshell: Umbrij exploits Shadow Token techniques via browser debugging ports to hijack active Google sessions and access additional services without re-authentication.

The APT group ToddyCat deploys the new espionage tool Umbrij to gain unauthorized access to Gmail, Google Cloud, and contact resources through Chromium browsers and manipulated sessions. Kaspersky has documented the Windows malware for the first time.

Kaspersky has analyzed a previously unknown tool used by the APT group ToddyCat, named Umbrij. The malware primarily targets Windows systems and enables attackers to access Google accounts, email archives, cloud storage, and contact lists. The underlying technique is designed to be cross-platform.

Umbrij uses a method called Shadow Token via Remote Debug (STRD), which targets Chromium-based browsers. The tool launches a browser instance and, through the browser's debugging port, takes control of an already active, authenticated Gmail session. In the background it sends requests to Gmail that ride on that existing session, so the attackers reach additional Google resources without re-entering credentials. The tool can also request extensive permissions and automatically accepts consent prompts by clicking the “Allow” button; this is how Umbrij obtains the authentication codes it needs for resource access. Activity over the debugging port is disguised as that of legitimate processes.

Andrey Gunkin, Senior Malware Analyst at Kaspersky, emphasizes: “We have been observing ToddyCat for years and see continuous improvements in their attack techniques. Organizations should know that browsers with enabled debugging ports are unusual for standard users outside of web development. Accordingly, developer tools in Chromium browsers should be disabled for users who do not need them.”

To mitigate risk, security experts recommend restricting developer tools in Chromium-based browsers to users with actual need. Additionally, organizations should deploy comprehensive security solutions with real-time protection and detection and response capabilities. Security Operations Centers should have access to current threat intelligence to identify such attacks early.
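The technique described above depends on a Chromium browser being started with a remote-debugging interface, which, as the analyst notes, is unusual outside of web development. The following detection logic is an added example written for this page, not Kaspersky's tooling or anything from the ToddyCat analysis. It assumes process-creation events exported as tab-separated fields (pid, image path, parent image path, command line; the sample lines are constructed) and an allowlist of parent processes that legitimately launch browsers, which is an assumption to tune per environment. The `--remote-debugging-port`, `--remote-debugging-pipe` and `--remote-debugging-address` switches are real Chromium command-line switches.

```python
"""Flag Chromium-family browsers launched with a remote-debugging interface.

Added illustration for this article; not code from Kaspersky or the page.
Input shape (assumption): one process-creation event per line, four
tab-separated fields: pid, image path, parent image path, command line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Chromium-based browser binaries (assumption: extend with what your fleet runs).
CHROMIUM_BINARIES = {
    "chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe", "vivaldi.exe",
}

# Real Chromium switches that expose the DevTools protocol to other processes.
DEBUG_SWITCH_RE = re.compile(
    r"--remote-debugging-(?:port|pipe|address)(?:=\S+)?", re.IGNORECASE
)

# Parents that normally start a browser on a workstation (assumption: tune per site).
EXPECTED_PARENTS = {"explorer.exe", "userinit.exe", "chrome.exe", "msedge.exe"}


@dataclass
class Finding:
    pid: int
    image: str
    parent: str
    switches: List[str]
    severity: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(line: str) -> Optional[Finding]:
    """Return a Finding when a browser was started with a debugging switch."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None  # malformed event; skip rather than crash the scan
    pid, image, parent, cmdline = parts
    if basename(image) not in CHROMIUM_BINARIES:
        return None  # only browsers can expose a DevTools session
    switches = DEBUG_SWITCH_RE.findall(cmdline)
    if not switches:
        return None
    # A debugging port opened by a developer from the desktop shell is
    # noteworthy; one opened by an unexpected parent process is the STRD shape.
    severity = "medium" if basename(parent) in EXPECTED_PARENTS else "high"
    return Finding(int(pid), basename(image), basename(parent), switches, severity)


def scan(lines: List[str]) -> List[Finding]:
    """Run analyze_event over a batch of events and keep the findings."""
    return [f for f in map(analyze_event, lines) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "\t".join((
        "4120",
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r"C:\Windows\explorer.exe",
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    )),
    "\t".join((
        "5210",
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r"C:\Users\Public\update.exe",
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir=C:\Users\Public\prof',
    )),
    "\t".join((
        "6001",
        r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        r"C:\Windows\explorer.exe",
        r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-pipe',
    )),
    "\t".join((
        "7002",
        r"C:\Windows\System32\notepad.exe",
        r"C:\Windows\explorer.exe",
        r"notepad.exe --remote-debugging-port=1",
    )),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.image} parent={f.parent} switches={f.switches}")
```

Event 5210 is the shape the article describes: a browser started by a non-shell parent with a debugging port, which rates high; event 6001 is a developer opening DevTools from the desktop and rates medium. As the policy-side complement to the recommendation above, Chrome's enterprise policies `DeveloperToolsAvailability` (value 2 disables DevTools) and `RemoteDebuggingAllowed` (set to false) remove the interface for users who do not need it, so the detection only has to watch the exceptions.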


Source: www.it-daily.net · Published July 3, 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
