The advanced persistent threat (APT) actor ToddyCat has deployed a sophisticated new malware variant called Umbrij that exploits OAuth authentication to access Gmail accounts through legitimate Google APIs. This technique allows attackers to bypass traditional email security controls and exfiltrate sensitive communications while appearing as legitimate application traffic. The malware represents a significant evolution in credential abuse tactics, demonstrating how threat actors are increasingly leveraging trusted cloud services for command and control operations.
Introduction
ToddyCat, an APT group active since at least 2020 with suspected ties to Chinese state interests, has unveiled a new capability that should concern organizations worldwide. The Umbrij malware family demonstrates an innovative approach to data exfiltration by weaponizing OAuth tokens to access Gmail accounts through official Google APIs. Unlike traditional email-stealing malware that relies on compromised credentials or protocol exploitation, Umbrij abuses legitimate authentication mechanisms designed to enable third-party application access.
This technique marks a concerning trend where adversaries increasingly abuse trusted cloud infrastructure rather than deploying obviously malicious infrastructure. By operating within the boundaries of legitimate services, attackers make detection significantly more challenging and reduce the likelihood of triggering security alerts.
Background & Context
ToddyCat first emerged on the threat landscape targeting high-value organizations across Asia-Pacific, with particular focus on government entities, military contractors, and telecommunications providers. The group has demonstrated sophisticated capabilities including custom toolsets, lateral movement techniques, and long-term persistence mechanisms.
OAuth (Open Authorization) is an industry-standard protocol that allows applications to access user accounts without exposing passwords. When users grant permissions to third-party applications, OAuth tokens are issued that provide specific access scopes. Gmail API access through OAuth is commonly used by legitimate productivity tools, email clients, and automation platforms.
The Umbrij malware exploits this trusted mechanism by obtaining OAuth tokens that grant Gmail API access. Once acquired, these tokens allow the malware to read, download, and exfiltrate emails without triggering traditional authentication alerts or requiring repeated credential input. Because the traffic flows through official Google infrastructure, it blends seamlessly with legitimate application activity.
Technical Breakdown
Umbrij operates through a multi-stage infection and exfiltration process that leverages both traditional malware techniques and cloud service abuse.
Initial Compromise and Token Acquisition
The infection chain begins with initial access, typically achieved through spear-phishing or exploitation of perimeter vulnerabilities. Once a foothold is established, Umbrij deploys components designed to extract OAuth tokens from compromised systems.
The malware specifically targets stored authentication tokens in several locations:
%APPDATA%\Google\Chrome\User Data\Default\Cookies
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data
%APPDATA%\Mozilla\Firefox\Profiles\*.default\cookies.sqlite
Additionally, Umbrij can intercept OAuth authorization flows by monitoring browser processes and network traffic for OAuth callback URLs containing authorization codes.
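As an added illustration (not code from this write-up or from the researchers who analysed Umbrij), a small Python filter over constructed Windows Security event 4663 records that flags any process other than the owning browser opening the token stores listed above; the key=value event layout, the sample paths and the expected-reader list are assumptions.

```python
import fnmatch
import re

# The token stores named above, as case-insensitive glob patterns on the path that
# Security event 4663 reports in its Object Name field (any profile, any drive).
TOKEN_STORE_PATTERNS = [
    r"*\Google\Chrome\User Data\*\Cookies",
    r"*\Google\Chrome\User Data\*\Web Data",
    r"*\Mozilla\Firefox\Profiles\*\cookies.sqlite",
]
# Processes expected to open these files (assumption; extend for site tooling).
EXPECTED_READERS = {"chrome.exe", "firefox.exe"}

# Constructed 4663 records for illustration, one event per line as key=value pairs.
SAMPLE_EVENTS = """\
EventID=4663 Subject=CORP\\alice ProcessName=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe ObjectName=C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies
EventID=4663 Subject=CORP\\alice ProcessName=C:\\Users\\alice\\AppData\\Roaming\\svchost.exe ObjectName=C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies
EventID=4663 Subject=CORP\\alice ProcessName=C:\\Windows\\Temp\\upd.exe ObjectName=C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default\\cookies.sqlite
EventID=4663 Subject=CORP\\alice ProcessName=C:\\Windows\\explorer.exe ObjectName=C:\\Users\\alice\\Documents\\notes.txt
"""

# Values may contain spaces ("Program Files"), so a value runs until the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    return dict(FIELD_RE.findall(line))


def is_token_store(path):
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in TOKEN_STORE_PATTERNS)


def find_suspicious_access(log_text):
    """Return (process, object) pairs for 4663 events in which something other
    than the owning browser opened a browser token store."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4663" or not is_token_store(ev.get("ObjectName", "")):
            continue
        image = ev.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
        if image not in EXPECTED_READERS:
            hits.append((ev["ProcessName"], ev["ObjectName"]))
    return hits
```

On a real estate the same logic applies to Sysmon file-access events or EDR telemetry; the point is the pairing of object path and originating image, not the 4663 format itself.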
OAuth Token Exploitation
Once acquired, OAuth tokens are validated and used to authenticate API requests to Gmail services. The malware utilizes the Gmail API’s message retrieval functions:
# Simulated API request structure used by Umbrij
GET https://gmail.googleapis.com/gmail/v1/users/me/messages
Authorization: Bearer [STOLEN_OAUTH_TOKEN]
The malware implements filtering capabilities to target high-value communications, searching for keywords related to specific topics, sender domains, or attachment types. This selective exfiltration reduces bandwidth consumption and focuses on intelligence gathering objectives.
Data Exfiltration and Communication
Exfiltrated email content is encrypted using AES-256 before transmission to command and control infrastructure. The malware employs multiple fallback channels including legitimate cloud storage services and compromised websites to ensure reliable data transmission.
Umbrij implements anti-analysis techniques including sandbox detection, debugger checks, and execution guardrails that prevent operation outside targeted environments.
Impact & Risk Assessment
The implications of Umbrij’s OAuth abuse technique extend far beyond simple credential theft, presenting several critical risks:
Data Breach Severity: Organizations whose personnel have been compromised face potential exposure of sensitive email communications including business strategies, customer data, intellectual property, and confidential negotiations.
Detection Challenges: Traditional email security solutions monitor SMTP, IMAP, and POP3 protocols. Gmail API access bypasses these controls entirely, making detection through conventional methods nearly impossible.
Lateral Movement Potential: Compromised email access enables attackers to identify additional targets, understand organizational structure, and craft more convincing social engineering attacks against connected individuals.
Compliance Implications: Unauthorized access to email systems may trigger regulatory reporting requirements under GDPR, HIPAA, or other frameworks depending on the nature of exposed data.
Token Longevity: OAuth refresh tokens can remain valid for extended periods, potentially allowing persistent access even after initial compromise remediation if tokens aren’t properly revoked.
Organizations in the Asia-Pacific region, particularly those in government, defense, telecommunications, and technology sectors, face elevated risk given ToddyCat’s historical targeting patterns.
Vendor Response
Google has acknowledged the threat and emphasized existing security features designed to mitigate OAuth abuse. The company’s Security Operations Center monitors for suspicious API usage patterns and anomalous authentication activity.
Google Workspace administrators can review third-party application access through the Admin Console and have options to restrict OAuth grants based on organizational policies. Google has also implemented machine learning models that analyze API usage patterns to identify potentially compromised tokens.
Security researchers who identified Umbrij have coordinated with Google to enhance detection capabilities specific to this threat. Indicators of compromise have been shared through Google’s threat intelligence channels.
However, the fundamental challenge remains: distinguishing between legitimate third-party applications and malicious OAuth token usage requires behavioral analysis rather than simple authentication verification.
Mitigations & Workarounds
Organizations should implement layered defenses to reduce OAuth abuse risk:
Immediate Actions:
- Audit all third-party applications with Gmail API access through Google Workspace Admin Console
- Revoke access for unrecognized or unnecessary applications
- Force password resets for potentially compromised accounts
- Review OAuth consent logs for suspicious authorization grants
Administrative Controls:
Configure OAuth application policies in Google Workspace:
Admin Console → Security → API Controls → App Access Control
- Set to "Don't allow users to access any third-party apps"
- Create allowlist of approved applications only
User Account Hardening:
- Enforce hardware security key authentication for high-value accounts
- Implement context-aware access policies based on location and device
- Enable advanced protection program for executive and sensitive personnel
Network-Level Defenses:
- Monitor for unusual volumes of Gmail API requests from internal networks
- Implement data loss prevention solutions that inspect encrypted traffic through SSL inspection
- Deploy endpoint detection and response (EDR) solutions capable of monitoring OAuth token access
Detection & Monitoring
Identifying Umbrij activity requires monitoring across multiple visibility points:
Endpoint Indicators:
Monitor for processes accessing OAuth token storage locations:
# Windows Event Log Monitoring
Event ID 4663: An attempt was made to access an object
Object Name: \Google\Chrome\User Data\
Object Name: \Firefox\Profiles\\cookies.sqlite
Google Workspace Audit Logs:
Review OAuth token activity patterns:
- Multiple API requests from single token in compressed timeframes
- API access from unusual geographic locations
- Bulk message downloads exceeding normal user patterns
- API requests outside the user's typical working hours
Network Traffic Analysis:
Examine Gmail API request volumes and patterns:
Alert when:
- Single source generates >1000 Gmail API requests/hour
- API requests to /messages endpoint exceed baseline by 300%
- OAuth tokens used from multiple IP addresses simultaneously
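The three network thresholds above, together with the multi-address token reuse pattern from the audit-log list, implemented as an added Python example over a constructed Gmail API access log (not the page's own tooling or any vendor's); the CSV layout, the per-token /messages baseline passed in by the caller, and the five-minute window used to mean "simultaneously" are assumptions.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
RATE_LIMIT_PER_HOUR = 1000     # page rule: >1000 Gmail API requests/hour from one source
BASELINE_EXCESS = 3.0          # page rule: /messages volume 300% above baseline (> 4x)
MULTI_IP_WINDOW = timedelta(minutes=5)  # assumption: "simultaneously" = within 5 min

def build_sample_log():
    """Constructed records, not real telemetry: ts,token_id,src_ip,endpoint."""
    rows = ["ts,token_id,src_ip,endpoint"]
    t0 = datetime(2024, 1, 15, 2, 0)  # 02:00, an off-hours burst
    for i in range(1200):  # one source pulling /messages every 3 s for an hour
        rows.append(f"{(t0 + timedelta(seconds=3 * i)).isoformat()},tok-A,"
                    "203.0.113.10,/gmail/v1/users/me/messages")
    rows.append(f"{(t0 + timedelta(minutes=2)).isoformat()},tok-A,"  # same token,
                "198.51.100.7,/gmail/v1/users/me/messages")           # second address
    for i in range(20):  # a benign client polling its profile
        rows.append(f"{(t0 + timedelta(minutes=3 * i)).isoformat()},tok-B,"
                    "192.0.2.5,/gmail/v1/users/me/profile")
    return "\n".join(rows)

def analyze(log_text, messages_baseline):
    """Return (rule, subject) alerts; messages_baseline = token_id -> normal hourly
    /messages count (an unbaselined token downloading messages counts as 0)."""
    per_source = Counter()            # (src_ip, hour) -> requests
    per_token_msgs = Counter()        # (token_id, hour) -> /messages requests
    token_events = defaultdict(list)  # token_id -> [(ts, src_ip)]
    for r in csv.DictReader(log_text.splitlines()):
        ts = datetime.fromisoformat(r["ts"])
        hour = ts.replace(minute=0, second=0, microsecond=0)
        per_source[(r["src_ip"], hour)] += 1
        if r["endpoint"].endswith("/messages"):
            per_token_msgs[(r["token_id"], hour)] += 1
        token_events[r["token_id"]].append((ts, r["src_ip"]))
    alerts = []
    for (ip, _), n in per_source.items():
        if n > RATE_LIMIT_PER_HOUR:
            alerts.append(("rate", ip))
    for (tok, _), n in per_token_msgs.items():
        if n > (1 + BASELINE_EXCESS) * messages_baseline.get(tok, 0):
            alerts.append(("messages_spike", tok))
    for tok, events in token_events.items():
        last_seen = {}  # src_ip -> latest timestamp seen for this token
        for ts, ip in sorted(events):
            if any(ts - seen <= MULTI_IP_WINDOW for o, seen in last_seen.items() if o != ip):
                alerts.append(("multi_ip", tok))
                break
            last_seen[ip] = ts
    return alerts
```

The token_id column stands in for whatever stable identifier the log source exposes (a hash of the token or the OAuth client id), never the bearer value itself.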
User and Entity Behavior Analytics (UEBA):
Deploy solutions that baseline normal API usage and alert on deviations including unusual access times, data volume transfers, or access patterns.
Best Practices
Organizations should adopt comprehensive OAuth security strategies:
Policy Framework:
- Establish formal approval processes for third-party application integration
- Document legitimate business justifications for Gmail API access requirements
- Implement regular access reviews with automatic token expiration
Technical Implementation:
- Deploy OAuth management platforms that provide centralized visibility and control
- Implement just-in-time access provisioning for sensitive API scopes
- Use service accounts with minimal necessary permissions rather than user OAuth tokens
Security Awareness:
- Train personnel on OAuth authorization risks and social engineering tactics
- Educate users to scrutinize OAuth permission requests before granting access
- Establish reporting channels for suspicious authorization prompts
Incident Response Preparation:
- Document OAuth token revocation procedures
- Maintain runbooks for responding to suspected token compromise
- Establish relationships with cloud service providers for emergency response coordination
Architecture Considerations:
Organizations handling highly sensitive information should evaluate whether third-party Gmail API access aligns with their risk tolerance. Alternative approaches include on-premises email infrastructure or more restrictive cloud configurations.
Key Takeaways
- ToddyCat’s Umbrij malware represents sophisticated abuse of legitimate OAuth authentication mechanisms to access Gmail accounts through official Google APIs
- This technique bypasses traditional email security controls by operating within trusted cloud infrastructure
- Organizations must shift from perimeter-focused defenses to comprehensive API usage monitoring and OAuth governance
- Detection requires behavioral analysis and correlation across endpoint, cloud audit logs, and network telemetry
- Immediate mitigation steps include auditing third-party application access and implementing restrictive OAuth policies
- The threat demonstrates broader industry trends where adversaries increasingly abuse legitimate services rather than deploying obvious malicious infrastructure
- Effective defense requires technical controls, policy frameworks, and user awareness working in concert