Listen to this Post

Introduction
The ToddyCat advanced persistent threat (APT) group has unveiled a sophisticated new attack vector that bypasses traditional credential theft by abusing Google’s OAuth 2.0 infrastructure. Dubbed Umbrij, this .NET-based malware connects to a victim’s browser in headless mode via a remote debugging port, extracts OAuth authorization codes, and exchanges them for access tokens that grant persistent, silent access to corporate Gmail accounts. This technique—codenamed Shadow Token via Remote Debug (STRD)—represents a paradigm shift in account takeover, moving from password theft to session-based API abuse.
Learning Objectives
- Understand the technical mechanics of the Umbrij malware and its STRD technique for Google API abuse.
- Learn how ToddyCat delivers Umbrij via malicious MSI installers, DLL sideloading, and scheduled task masquerading.
- Master detection and mitigation strategies, including monitoring for headless browser launches and OAuth scope anomalies.
- Gain hands-on knowledge of forensic commands and security configurations to defend against this threat.
You Should Know
- The Umbrij Attack Chain: From MSI Dropper to Gmail API Access
ToddyCat’s campaign begins with a malicious MSI installer named Kuailian_win-setup.86.msi, which masquerades as the legitimate LetsVPN client—a tool commonly used to bypass national firewalls. This MSI contains three embedded components:
- A signed LetsVPN installer deployed as a decoy.
- A shellcode loader (
promecefplugilte8.exe). - An encrypted payload stored as
20260609.dat.
The loader reserves executable memory via VirtualAlloc, reads the `.dat` blob, decrypts it using a simple XOR with `0x25` after a 32-byte key region, and reflectively loads an embedded PE marked by the hex sequence CC DD EE FF. The final payload is never written to disk, minimizing forensic artifacts.
Once executed, the malware establishes persistence via a scheduled task that impersonates legitimate security software—for example, KasperskyEndpointSecurityEDRAvp. The scheduled task launches a digitally signed binary that uses DLL sideloading to load the malicious Umbrij DLL. Three legitimate executables have been observed abused for this purpose:
| Executable | Source |
||–|
| `BDSubWiz.exe` | Bitdefender ConnectAgent (Submission Wizard) |
| `VSTestVideoRecorder.exe` | Microsoft Visual Studio testing components |
| `GoogleDesktop.exe` | Discontinued Google Desktop Search application |
Step‑by‑step delivery and execution:
- Initial access: User downloads and runs the malicious MSI, believing it to be the LetsVPN client.
- Decoy installation: The legitimate LetsVPN installer runs to maintain the ruse.
- Payload extraction: The shellcode loader decrypts and reflectively loads the Umbrij DLL.
- Persistence: A scheduled task is created to maintain long-term access.
- DLL sideloading: The scheduled task triggers a vulnerable executable that loads the malicious DLL.
Forensic detection commands (Windows):
Check for suspicious scheduled tasks
schtasks /query /fo LIST /v | findstr "KasperskyEndpointSecurityEDRAvp"
Look for MSI installations with unusual names
Get-WinEvent -LogName "Application" | Where-Object { $_.Message -like "Kuailian" }
Check for reflective loader indicators in memory
Get-Process | Where-Object { $_.Modules -match "promecefplugilte8" }
- Shadow Token via Remote Debug (STRD): The OAuth Token Heist
The core of Umbrij’s capability lies in its abuse of Chromium-based browsers’ remote debugging features. The technique exploits the fact that if a user has not logged out of their Gmail account, the browser maintains an active session.
How STRD works:
- Profile duplication: Umbrij copies the victim’s browser profile directory (Chrome or Edge) to a backup location.
- Headless launch: The malware launches the browser in headless mode using the duplicated profile, with the `–remote-debugging-port` parameter.
- DevTools connection: Umbrij connects to the browser via the Chrome DevTools Protocol (CDP).
- OAuth flow initiation: The tool navigates to Google’s OAuth endpoint and initiates the authorization flow.
- Authorization code interception: Because the session is already active, no re-authentication is required. Umbrij automatically selects the target account, confirms permissions, and intercepts the authorization code.
- Token exchange: The code is exchanged for an OAuth access token, which is then used to query the Gmail API.
Code snippet: Simulated headless Chrome launch with remote debugging (for educational purposes)
Launch Chrome in headless mode with remote debugging on port 9222 google-chrome --headless --remote-debugging-port=9222 --user-data-dir=/tmp/chrome-profile Connect via DevTools Protocol using curl curl http://localhost:9222/json/version
Umbrij’s OAuth request parameters:
The tool masquerades as legitimate Google Workspace migration applications but requests broader permissions, including full access to Gmail, Google Drive, Contacts, and Calendar.
Detection commands:
Linux: Monitor for headless browser processes
ps aux | grep -E "headless|remote-debugging-port"
Windows: Check for Chrome/Edge with debugging flags
Get-WmiObject Win32_Process | Where-Object { $_.CommandLine -match "remote-debugging-port" }
Network: Look for OAuth token exchanges to Google APIs
tcpdump -i any -1 'host accounts.google.com and port 443' -A | grep -i "code="
3. RAT Capabilities: Beyond Email Theft
Umbrij is not merely a token stealer; it deploys a full-featured remote access trojan (RAT) that establishes a persistent TCP session model. Available capabilities include:
- File transfer and exfiltration.
- Interactive `cmd.exe` shell.
- SOCKS5/HTTP proxy mapping.
- Browser profile manipulation.
- Direct input-driven remote control.
- Keylogging and clipboard theft.
Keylogging and clipboard exfiltration:
FeatureType 10 writes keystrokes and clipboard contents to `C:\ProgramData\gongzuo.txt` and exfiltrates changes. FeatureType 9/11 target browsers and Telegram Desktop; the latter packages `tdata` into `MeitianGongzuoZiliao.zip` and stealthily updates Telegram’s proxy settings, even patching `telegram.exe` to hide UI notifications of proxy changes.
Identity files:
The RAT creates local identity files—ClientId.sys, Mark.sys, Remark.sys, Group.sys—stored as plaintext under Program Files, ProgramData, or the runtime directory depending on write permissions.
C2 infrastructure:
An embedded table of 40 server sets drives C2 selection, using `install_state.ini` or the executable filename to pick an InstanceId. Example hosts include `23[.]133.4.108` and domains such as `teddkqoo[.]com` and `nishihaoren8[.]top` (“nishihaoren” = “you are a good person” in Chinese).
Detection and response commands:
Check for suspicious files in ProgramData dir C:\ProgramData.sys | findstr "ClientId Mark Remark Group" Monitor for outbound connections to known malicious domains netstat -ano | findstr "23.133.4.108 teddkqoo.com nishihaoren8.top" Look for Telegram proxy modifications Get-ChildItem -Path "C:\Users\AppData\Roaming\Telegram Desktop\tdata" -Recurse
4. Evasion and Anti-Forensics: Living Off the Land
Umbrij employs multiple evasion techniques to avoid detection:
- Reflective loading: The final payload is never written to disk, making it invisible to file-based scans.
- DLL sideloading: Malicious code runs within the context of legitimate signed binaries.
- Masquerading: Scheduled tasks impersonate Kaspersky security software.
- Obfuscation: The .NET DLL is obfuscated with ConfuserEx.
- Low-and-slow C2: Persistent TCP sessions rather than simple polling reduce network visibility.
Step‑by‑step memory forensics (Windows):
1. Dump memory of suspicious processes:
.\procdump.exe -ma <PID> <output.dmp>
2. Analyze with Volatility:
volatility -f <memory.dump> --profile=<profile> malfind volatility -f <memory.dump> --profile=<profile> cmdscan
3. Check for reflective DLL injection indicators:
Get-Process | Where-Object { $_.Modules.Count -eq 0 } May indicate hidden modules
5. Mitigation and Hardening Strategies
Organizations can defend against Umbrij and similar STRD attacks through a combination of monitoring, configuration hardening, and user education.
Browser hardening (Windows Group Policy):
<!-- Disable remote debugging --> <policy name="RemoteDebuggingAllowed" class="Machine"> <enabled value="false" /> </policy> <!-- Block headless mode --> <policy name="HeadlessModeAllowed" class="Machine"> <enabled value="false" /> </policy>
Google Workspace OAuth monitoring:
- Audit OAuth tokens: Regularly review OAuth permissions granted to third-party applications via Google Admin Console.
- Restrict OAuth scopes: Limit which OAuth scopes can be requested by unverified applications.
- Enable alerts: Configure alerts for unusual OAuth grant activity.
EDR and SIEM rules:
Detect Chrome/Edge launched with remote debugging - name: "Headless Browser with Remote Debugging" condition: process.command_line contains "--remote-debugging-port" severity: high Detect suspicious scheduled tasks - name: "Suspicious Scheduled Task" condition: event.log_name == "Microsoft-Windows-TaskScheduler/Operational" and event.message contains "KasperskyEndpointSecurityEDRAvp" severity: high
User education:
- Warn users against downloading VPN clients from untrusted sources.
- Encourage signing out of Google accounts when not in use.
- Implement multi-factor authentication (MFA) with hardware tokens.
What Undercode Say
- Key Takeaway 1: Umbrij represents a fundamental shift in account takeover—moving from credential theft to session-based API abuse. Traditional password security measures are ineffective against this threat.
-
Key Takeaway 2: The STRD technique exploits legitimate browser features (remote debugging, headless mode) to bypass authentication. This is not a vulnerability in Google’s OAuth implementation but rather an abuse of how browsers handle authenticated sessions.
Analysis: The ToddyCat group’s development of Umbrij demonstrates a high level of operational maturity. By combining social engineering (fake VPN installers), sophisticated in-memory loading, and API-level access, the group has created a multi-stage attack chain that is difficult to detect and disrupt. The use of DLL sideloading and scheduled task masquerading further complicates forensic analysis. Organizations must adopt a defense-in-depth approach that includes browser hardening, OAuth scope restrictions, and continuous monitoring for anomalous process behavior. The fact that Umbrij logs its activities in detail—including captured authorization codes—suggests that the operators are methodical and value operational feedback. This is not a spray-and-pray campaign but a targeted intelligence-gathering operation.
Prediction
- +1 The STRD technique will be rapidly adopted by other threat actors and ransomware groups, leading to a surge in OAuth-based account compromises across cloud platforms. Expect to see variants targeting Microsoft 365, AWS, and other OAuth-enabled services.
-
-1 Google and other browser vendors will likely implement stricter controls on remote debugging and headless mode, potentially breaking legitimate use cases for developers and testers. This may lead to a cat-and-mouse game of evasion techniques.
-
-1 The rise of token-based attacks will force a reevaluation of zero-trust architectures. Organizations will need to implement continuous session validation and behavioral analytics to detect anomalies, increasing operational complexity and cost.
-
+1 Security vendors will develop new detection capabilities specifically targeting STRD, including memory scanning for reflective loaders and behavioral analysis of browser process flags. This will improve overall threat detection posture.
-
-1 Smaller organizations with limited security resources will remain vulnerable, as the attack does not require exploiting software vulnerabilities and can bypass many traditional security controls.
References:
- Kaspersky Securelist: “ToddyCat: your hidden email assistant. Part 2”
- GBHackers: “Umbrij Malware Lets ToddyCat Hackers Hijack Gmail Accounts Through Google API Abuse”
- The Hacker News: “ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API”
- HackMag: “New Toolkit Discovered for Compromising Corporate Gmail Accounts”
▶️ Related Video (74% Match):
https://www.youtube.com/watch?v=0YWJNZDKef8
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


