Cyber Web Spider Blog – News
Umbrij Malware Exploits OAuth for Gmail Access

Posted on July 2, 2026 By CWS

The newly discovered malware, Umbrij, has been linked to the cybercriminal group ToddyCat, with its primary goal being unauthorized access to Gmail accounts through Google API exploitation. This development was detailed in a recent report by Kaspersky, emphasizing the malware’s focus on breaching corporate email systems using OAuth tokens.

Technical Details of the Umbrij Malware

Umbrij’s operation involves acquiring OAuth tokens to infiltrate email communications hosted on Gmail. By exploiting the OAuth 2.0 protocol, the malware accesses email resources through a series of strategic API requests. This method has been termed ‘Shadow Token via Remote Debug (STRD)’ by Kaspersky.

The attack targets Chromium-based browsers, leveraging an active Gmail session to gain entry into Google account resources. The malware drives the browser in headless mode via remote debugging, allowing it to control browser sessions without the user noticing. Three versions of Umbrij have surfaced, each equipped with functions for remote debugging and for selecting user accounts within the browser.

Malware Deployment and Execution

Umbrij was uncovered during a threat-hunting initiative, where it was found to be launched via a scheduled task mimicking legitimate software, such as Kaspersky’s own endpoint security tool. The malware uses DLL side-loading techniques, leveraging legitimate binaries like BDSubWiz.exe, VSTestVideoRecorder.exe, and GoogleDesktop.exe to execute the rogue DLL.

Once deployed, Umbrij performs preparatory actions, such as verifying debugging port availability and duplicating user tokens to maintain privileges. It collects user profile data from browser directories, ensuring it can operate under authenticated Gmail sessions. The malware then utilizes Puppeteer to interact with browser sessions and request OAuth codes necessary for Gmail access.
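The launch pattern described above (a Chromium browser started headless with remote debugging, spawned by one of the side-loading host binaries the report names) can be hunted in process-creation telemetry. The following is an added defender-side example, not code from the report or the malware: it assumes JSON event lines with `Image`, `ParentImage`, `CommandLine` and `ProcessId` fields (a Sysmon-like shape), uses the real Chromium `--remote-debugging-port` and `--headless` switches, and treats the browser list as an assumption to extend for your own fleet.

```python
import json
import ntpath
import re

# Chromium-based browser executables (assumed list; extend for your fleet).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Legitimate binaries the report names as Umbrij's DLL side-loading hosts.
SIDELOAD_HOSTS = {"bdsubwiz.exe", "vstestvideorecorder.exe", "googledesktop.exe"}
# Real Chromium switches that enable remote debugging and headless operation.
DEBUG_PORT = re.compile(r"--remote-debugging-port=(\d+)", re.IGNORECASE)
HEADLESS = re.compile(r"--headless(?:=\w+)?(?=\s|$)", re.IGNORECASE)

def assess(event):
    """Return (suspicious, reasons) for one process-creation event (a dict). Remote
    debugging alone is a developer pattern, so it only counts when paired with
    headless mode or with a known side-loading host as the parent process."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    reasons = []
    if image not in BROWSERS:
        return False, reasons
    port = DEBUG_PORT.search(event["CommandLine"])
    if port:
        reasons.append(f"remote debugging on port {port.group(1)}")
    if HEADLESS.search(event["CommandLine"]):
        reasons.append("headless mode")
    if parent in SIDELOAD_HOSTS:
        reasons.append(f"parent {parent} is a known side-loading host")
    return bool(port) and len(reasons) >= 2, reasons

def hunt(lines):
    # Parse JSON event lines and keep only the suspicious ones with their reasons.
    hits = []
    for line in lines:
        event = json.loads(line)
        suspicious, reasons = assess(event)
        if suspicious:
            hits.append({"pid": event["ProcessId"], "reasons": reasons})
    return hits

# Constructed sample events (not from the report): an Umbrij-style launch from a
# side-loading host, an ordinary user launch, and a developer debugging session.
SAMPLE_EVENTS = [
    r'{"ProcessId": 4120, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\ProgramData\\Updater\\BDSubWiz.exe",'
    r' "CommandLine": "chrome.exe --headless=new --remote-debugging-port=9222 --user-data-dir=C:\\Temp\\p"}',
    r'{"ProcessId": 5008, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe",'
    r' "CommandLine": "chrome.exe https://mail.google.com"}',
    r'{"ProcessId": 6312, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe",'
    r' "CommandLine": "msedge.exe --remote-debugging-port=9229 http://localhost:3000"}',
]
```

Running `hunt(SAMPLE_EVENTS)` flags only the first event; the developer session with a debugging port but no headless flag and a benign parent is reported with its reasons but not raised as a finding.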

Impact and Prevention of Umbrij Attacks

Umbrij’s capability to log activities and extract OAuth authorization codes presents significant risks to corporate email security. The stolen OAuth tokens are used to access Gmail accounts via the API, compromising sensitive communications. To mitigate this threat, organizations are advised to review and revoke unnecessary application permissions in their Google account settings, particularly those related to Google Workspace migration applications.

Andrey Gunkin, a senior malware analyst at Kaspersky, highlights the sophistication of ToddyCat’s operations, noting the group’s relentless pursuit of compromising email communications. Their use of automation in tools like Umbrij underscores their advanced technical expertise and commitment to scaling attacks.

As the cyber threat landscape evolves, staying informed about emerging threats like Umbrij and implementing robust security measures remain crucial for protecting organizational assets.

