The Umbrij malware automates OAuth 2.0 token theft via the Chrome DevTools Protocol, bypassing passwords and MFA on corporate Gmail accounts.

The ToddyCat APT group, active since 2020 against targets in Europe and Asia, has introduced a new malware strain called Umbrij. Kaspersky discovered it during a proactive threat-hunting operation. Umbrij automates the theft of OAuth 2.0 tokens for Gmail by exploiting the remote debugging port of Chromium-based browsers in headless mode, completely bypassing password-based authentication and MFA.

Key Takeaways
  • Umbrij is an obfuscated .NET DLL packed with ConfuserEx that implements the STRD (Shadow Token via Remote Debug) technique to steal OAuth 2.0 tokens.
  • The malware abuses Chromium browsers via the Chrome DevTools Protocol, automating the OAuth flow with Puppeteer Sharp inside already-authenticated sessions.
  • Three legitimate signed executables are used for DLL sideloading: BDSubWiz.exe (Bitdefender), VSTestVideoRecorder.exe (Visual Studio), and GoogleDesktop.exe.
  • The OAuth request impersonates the Google Workspace Migration or Sync for Microsoft Outlook applications, requesting full permissions over Gmail, Drive, Contacts, Calendar, and Tasks.

From TCSectorCopy to Umbrij: The Evolution of the Mail Service Target

ToddyCat has a documented history of stealing corporate communications. In previous campaigns it used tools like TCSectorCopy to exfiltrate local OST files from Microsoft Outlook and token-theft techniques to compromise Microsoft 365 accounts. With Umbrij, the group shifts focus to Gmail, exploiting a vector that requires neither credentials nor physical access to mail storage devices.

The transition is significant: from passive local data collection to active interaction with Google APIs. As reported by The Hacker News citing Kaspersky, "in this campaign the attackers focused their attention on corporate email communications hosted on Gmail, targeting the compromise of API access." The move from Outlook to Gmail, and from local file theft to web protocol abuse, signals a response to market shifts and more robust defenses on Windows endpoints.

How STRD Works: Abusing the Chrome DevTools Protocol

The Shadow Token via Remote Debug (STRD) technique exploits a legitimate Chromium feature: the remote debugging port enabled via --remote-debugging-port. Umbrij copies the user's browser profiles — including IndexedDB, Local Storage, Network, Login Data, Preferences, Secure Preferences, and Web Data — into directories named BackupFiles. It then establishes a connection to the headless browser and uses Puppeteer Sharp to automate the OAuth 2.0 flow.

The technical flow is documented in detail: the malware sends a request to accounts.google.com/o/oauth2/v2/auth/identifier using a client_id associated with Google Workspace Migration for Microsoft Outlook (GWMMO) or Google Workspace Sync for Microsoft Outlook (GWSMO). The flow ends in a redirect to localhost, and the authorization code is extracted from that redirect URL. This code is then exchanged for an access token with full permissions over Gmail and other Google Workspace services.

The dossier does not specify whether the client_id was legitimately registered by the threat actors or repurposed from other applications. Nor, at the current stage of analysis, have any infrastructure overlaps emerged that would link Umbrij to variants targeting non-Chromium browsers.
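The authorization request described above is what a web proxy or secure web gateway would record when the STRD flow runs. The following Python is an added example for defenders (not code from Kaspersky or from the article) that triages such a request: it parses the URL, checks whether the redirect_uri is a loopback address, counts how many of the broad Workspace scopes named in the article are requested, and compares the client_id against an allowlist. The approved client_id value, the sample request and the severity thresholds are assumptions for this example; the scope URIs are Google's standard identifiers for Gmail, Drive, Contacts, Calendar and Tasks.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import parse_qs, urlencode, urlparse

# Standard Google API scope URIs for the services the article names.
BROAD_WORKSPACE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/tasks",
}

# Assumption: the organization keeps an allowlist of client_id values it has
# approved. The real GWMMO/GWSMO ids are not given in the article, so this
# entry is a placeholder, not a real identifier.
APPROVED_CLIENT_IDS = {"APPROVED-CLIENT-ID-PLACEHOLDER.apps.googleusercontent.com"}

# Hosts that indicate a desktop-app loopback redirect (the code lands in a local URL).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class OAuthTriage:
    client_id: str
    redirect_host: Optional[str]
    broad_scopes: List[str]
    reasons: List[str] = field(default_factory=list)
    severity: str = "info"


def triage_oauth_request(url: str, approved: Set[str] = APPROVED_CLIENT_IDS) -> Optional[OAuthTriage]:
    """Return a triage record for a Google OAuth authorization URL, or None if not one."""
    parts = urlparse(url)
    if parts.hostname != "accounts.google.com" or not parts.path.startswith("/o/oauth2/"):
        return None  # not a Google authorization endpoint; nothing to triage
    q = parse_qs(parts.query)
    client_id = q.get("client_id", [""])[0]
    redirect_host = urlparse(q.get("redirect_uri", [""])[0]).hostname
    requested = set(q.get("scope", [""])[0].split())  # scope is a space-separated list
    broad = sorted(requested & BROAD_WORKSPACE_SCOPES)
    rec = OAuthTriage(client_id, redirect_host, broad)
    if redirect_host in LOOPBACK_HOSTS:
        rec.reasons.append("loopback redirect_uri: authorization code is delivered to a local URL")
    if broad:
        rec.reasons.append(f"{len(broad)} broad Workspace scopes requested")
    if client_id not in approved:
        rec.reasons.append("client_id not on the approved list")
    # Loopback redirect plus broad scopes is the GWSMO-style flow the article
    # describes; an unapproved client_id on top of it is the strongest signal.
    if redirect_host in LOOPBACK_HOSTS and broad:
        rec.severity = "high" if client_id not in approved else "medium"
    elif rec.reasons:
        rec.severity = "low"
    return rec


def sample_request(client_id: str = "UNKNOWN-CLIENT-ID.apps.googleusercontent.com") -> str:
    """Constructed example of a logged authorization URL; not a real capture."""
    params = {
        "client_id": client_id,
        "redirect_uri": "http://localhost:8080/",
        "response_type": "code",
        "scope": " ".join(sorted(BROAD_WORKSPACE_SCOPES)),
    }
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


if __name__ == "__main__":
    result = triage_oauth_request(sample_request())
    print(result.severity, result.reasons)
```

A "medium" result for an approved client_id is deliberate: the article's point is that the legitimate migration application and its abused twin produce the same request, so an approved id still deserves correlation with the endpoint (is a headless browser with a debugging port open on that host?) rather than automatic dismissal.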

Persistence and Concealment: The Forged Scheduled Task

Umbrij achieves persistence through a scheduled task that masquerades as a Kaspersky product: the name used is KasperskyEndpointSecurityEDRAvp. This task launches a signed file that in turn loads the malicious payload via DLL sideloading. The three legitimate executables identified in the Kaspersky report are BDSubWiz.exe (Bitdefender-signed), VSTestVideoRecorder.exe (Visual Studio), and GoogleDesktop.exe.

The impersonation mechanism also includes duplicating explorer.exe tokens to assume the privileges of the interactive user. Three Umbrij variants (a, b, c) have been identified, with different helper functions for debug operations and account selection.

"The ToddyCat APT group continues to look for ways to compromise corporate email communications... Their new tool, Umbrij, automates the attackers' attempts to gain access to organizational email accounts. This automation not only helps increase the scale and frequency of their attacks, but also demonstrates ToddyCat's strong motivation and advanced technical capabilities." — Andrey Gunkin, senior malware analyst at Kaspersky, via The Hacker News

Mitigation Steps

Organizations using Gmail and Google Workspace can adopt specific measures against the STRD technique:

Disable the remote debugging port on enterprise browsers. The Chromium --remote-debugging-port flag must be blocked via corporate policy on all non-development endpoints. Asset inventory tools should flag any Chrome or Edge instance with remote debugging active in production as anomalous.

Monitor OAuth applications with broad scopes on Gmail. Google Workspace administrators must review permissions granted to "Google Workspace Migration for Microsoft Outlook" and "Google Workspace Sync for Microsoft Outlook," verifying that the client_id matches the official Google one. Revoke suspicious tokens immediately.

Inspect scheduled tasks for forged names. The presence of tasks named KasperskyEndpointSecurityEDRAvp executing BDSubWiz.exe, VSTestVideoRecorder.exe, or GoogleDesktop.exe is an indicator of compromise. These legitimate executables must not reside in non-standard paths or load external DLLs.

Check the BackupFiles directory in browser profiles. Umbrij copies profile data into folders with this specific name. Their presence signals session data exfiltration activity.
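The four measures above reduce to checks an endpoint inventory or EDR query can run. The following Python is an added example (not from the article, Kaspersky, or any EDR vendor) that applies them to constructed inventory records: Chromium-family processes launched with --remote-debugging-port (with headless mode and a BackupFiles profile path as aggravating signals), scheduled tasks carrying the forged Kaspersky-style name or running one of the three signed sideloading hosts from a non-standard path, and BackupFiles directories inside browser profile trees. The set of browser image names, the "standard" install roots and the sample records are assumptions for this example; the task name, executable names and directory name come from the article.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Indicators named in the Kaspersky reporting the article summarizes.
FORGED_TASK_NAME = "kasperskyendpointsecurityedravp"
SIDELOAD_HOSTS = {"bdsubwiz.exe", "vstestvideorecorder.exe", "googledesktop.exe"}
PROFILE_COPY_DIR = "backupfiles"
# Assumptions for this example: which images count as Chromium browsers and
# which install roots count as "standard" for the signed host executables.
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
STANDARD_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-port(?:=(\d+))?", re.IGNORECASE)


def check_process(image: str, cmdline: str) -> List[str]:
    """Flag a Chromium-family browser started with the DevTools remote debugging port."""
    name = PureWindowsPath(image).name.lower()
    if name not in CHROMIUM_IMAGES:
        return []
    m = REMOTE_DEBUG_RE.search(cmdline)
    if not m:
        return []
    lowered = cmdline.lower()
    out = [f"{name}: remote debugging port enabled ({m.group(1) or 'port not specified'})"]
    if "--headless" in lowered:
        out.append(f"{name}: headless mode, unusual for an interactive user session")
    if PROFILE_COPY_DIR in lowered:
        out.append(f"{name}: command line references a '{PROFILE_COPY_DIR}' profile copy")
    return out


def check_task(task_name: str, action: str) -> List[str]:
    """Flag the forged task name and sideloading hosts launched from non-standard paths."""
    out = []
    if task_name.lower() == FORGED_TASK_NAME:
        out.append(f"task '{task_name}' uses the Kaspersky-lookalike name from the report")
    target = action.strip('"')
    exe = PureWindowsPath(target).name.lower()
    if exe in SIDELOAD_HOSTS and not target.lower().startswith(STANDARD_ROOTS):
        out.append(f"task '{task_name}' runs sideload host {exe} from non-standard path {target}")
    return out


def check_path(path: str) -> List[str]:
    """Flag a BackupFiles directory component anywhere in a profile path."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if PROFILE_COPY_DIR in parts:
        return [f"profile copy directory present: {path}"]
    return []


def triage(inventory: Dict[str, list]) -> List[str]:
    """Run all three checks over an inventory of (image, cmdline), (task, action) and paths."""
    findings: List[str] = []
    for image, cmdline in inventory.get("processes", []):
        findings += check_process(image, cmdline)
    for name, action in inventory.get("tasks", []):
        findings += check_task(name, action)
    for path in inventory.get("paths", []):
        findings += check_path(path)
    return findings


# Constructed sample inventory for the example; not a real capture.
SAMPLE_INVENTORY = {
    "processes": [
        (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
         r'--remote-debugging-port=9222 --user-data-dir=C:\Users\alice\AppData\Local\BackupFiles\Default'),
        (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
        (r"C:\Windows\System32\notepad.exe", "notepad.exe --remote-debugging-port=1"),
    ],
    "tasks": [
        ("KasperskyEndpointSecurityEDRAvp", r"C:\Users\Public\Libraries\BDSubWiz.exe"),
        ("ExampleBenignBackupTask", r"C:\Program Files\ExampleVendor\backup.exe"),
    ],
    "paths": [
        r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\BackupFiles\Default\Login Data",
        r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    ],
}

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print("[!]", line)
```

The process check is deliberately conditioned on the browser image name: the remote debugging flag is only meaningful on a Chromium-family binary, and gating on it keeps unrelated processes that happen to carry a similar argument out of the alert stream. On a development workstation the first finding alone may be expected; the headless and BackupFiles signals are what separate the Umbrij pattern from a developer's own debugging session.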

Why This Matters

The Umbrij case illustrates a structural tension in enterprise defenses. The Chrome DevTools Protocol, Puppeteer, Google Workspace APIs, and email migration applications are legitimate components, often approved at the organizational level. Their abuse makes the attack particularly insidious: the generated activity — headless browsers with remote debugging ports, OAuth requests with standard scopes, connections to Google APIs — resembles authorized administrative or development operations.

The automation of the OAuth flow via Puppeteer Sharp also introduces scalability that was missing in manual token-theft techniques. Where TCSectorCopy required local filesystem access and subsequent extraction, Umbrij can operate in repeated cycles across multiple sessions, multiple accounts, and multiple Google Workspace tenants, with a network footprint that ties back to Google's legitimate infrastructure.

For organizations using Gmail/Google Workspace, the traditional defense line based on EDR and credential monitoring shows a blind spot here. The attack does not steal passwords nor bypass MFA in the classic sense: it leverages already-authenticated sessions through an authorization protocol explicitly designed for third parties. The distinction between "authorized migration application" and "abused migration application" becomes operational, not declarative.

The response picture remains open: the dossier does not indicate whether Google has taken action on the client_id values involved, nor whether specific indicators of compromise exist beyond the presence of headless browsers with debug ports on non-development endpoints.

Sources

Information is based on the cited sources and current as of publication.

  1. thehackernews.com
  2. gbhackers.com
  3. securelist.com
  4. welivesecurity.com
  5. thehackernews.uk