
ToddyCat Umbrij Malware Abuses Chromium Remote Debug Port for OAuth Token Theft from Active Gmail Sessions
ToddyCat's Umbrij demonstrates credential-less Gmail access by hijacking OAuth flows through Chromium remote debugging. The operation reuses signed third-party binaries and active sessions, revealing an under-tracked pattern of API-layer persistence that evades conventional detection.
The malware, delivered via scheduled tasks impersonating KasperskyEndpointSecurityEDRAvp, launches three .NET variants obfuscated with ConfuserEx. It duplicates explorer.exe tokens, parses Chromium Local State files for profile user_name fields containing email addresses, then issues debugger commands to trigger Google API consent flows. This yields access tokens scoped to Gmail resources while bypassing login prompts entirely. Three legitimate, signed executables from Bitdefender, Microsoft Visual Studio, and the discontinued Google Desktop serve as the side-loading hosts. Kaspersky's threat hunt uncovered the campaign targeting corporate Gmail accounts across Europe and Asia.

Umbrij's command-line options allow browser selection, PDF screenshot capture of profiles, and explicit username targeting. The technique, labeled Shadow Token via Remote Debug, extends the group's November 2025 Outlook-focused TCSectorCopy operations into API-native access against Chromium browsers.

Routine reporting missed the supply-chain parallel: abuse of trusted signed binaries combined with browser debugging ports creates persistent, low-artifact access that survives standard credential monitoring. No new zero-days are required; the attack leverages documented Chrome DevTools Protocol behavior on already-authenticated sessions. Next indicators will likely surface in procurement records for Google Workspace audit log tools or EDR rules targeting remote-debug port 9222 activity on enterprise endpoints within 90 days.
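A defender-side check for the precondition this technique depends on, as an added example that is not part of the original reporting or of Kaspersky's tooling: it scans constructed Windows process-creation events for Chromium-family browsers started with a remote-debugging switch and rates the launch higher when the parent is not the user's shell. The browser image names, the benign-parent set and the sample paths are assumptions.

```python
import re

# Chromium-family browser image names (assumption: extend for your fleet).
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Switches that expose the Chrome DevTools Protocol to other local processes.
DEBUG_SWITCH = re.compile(r"--remote-debugging-(port(?:=(\d+))?|pipe)", re.IGNORECASE)
# Parent images a user-driven browser launch normally has (assumption).
BENIGN_PARENTS = {"explorer.exe"}


def basename(path):
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(ev):
    """Return a finding for one process-creation event, or None if benign."""
    image = basename(ev["image"])
    if image not in CHROMIUM_IMAGES:
        return None
    m = DEBUG_SWITCH.search(ev["command_line"])
    if m is None:
        return None
    port = int(m.group(2)) if m.group(2) else None  # None for --remote-debugging-pipe
    parent = basename(ev["parent_image"])
    # A debug-enabled browser spawned by something other than the user's shell
    # matches a foreign process driving an already-authenticated profile.
    severity = "medium" if parent in BENIGN_PARENTS else "high"
    return {"image": image, "port": port, "parent": parent, "severity": severity}


def detect_remote_debug(events):
    """Run inspect_event over a batch of events and keep only the findings."""
    return [f for f in map(inspect_event, events) if f is not None]


# Constructed sample telemetry (not real events), in a Sysmon-like shape.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"chrome.exe" --profile-directory=Default'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent_image": r"C:\ProgramData\PLACEHOLDER_LOADER\host.exe",
     "command_line": '"chrome.exe" --headless --remote-debugging-port=9222 --profile-directory=Default'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"msedge.exe" --remote-debugging-pipe'},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe --remote-debugging-port=9222"},
]

if __name__ == "__main__":
    for finding in detect_remote_debug(SAMPLE_EVENTS):
        print(finding)
```

Feed it real process-creation telemetry (Sysmon Event ID 1 or an EDR export mapped to the same three fields) and route the high-severity findings to triage.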
Kaspersky: Umbrij variants targeting additional browsers by Q3 2026
Sources (2)
- [1] Primary source: https://thehackernews.com/2026/07/toddycat-linked-umbrij-malware-abuses.html
- [2] Supporting source: https://securelist.com/toddycat-umbrij-strd/116000/