ToddyCat Exploits OAuth to Compromise Gmail Accounts Using Umbrij Malware

First seen 2 Jul 2026, 13:29 UTC. Sources: Gbhackers, The Hacker News.

ToddyCat, an advanced persistent threat group, has adapted its tactics to abuse OAuth-based authorization flows, allowing it to gain access to Gmail accounts without stealing user credentials: once a victim's account has granted authorization, the resulting token is used to read mail through the Google API. The group relies on a malware variant called Umbrij, which is deployed on Windows systems through DLL sideloading, that is, by placing a malicious DLL next to a legitimate executable that loads its libraries insecurely so that the executable loads the attacker's DLL instead of the intended one. The campaign primarily targets corporate environments, raising concerns about data breaches and espionage. The full scope of the impact is still being assessed, but the potential for broad access to sensitive mailbox data is significant. Organizations are urged to review their OAuth configurations, including which third-party applications hold mailbox access grants, and to monitor for unusual access patterns. No specific CVEs have been reported for this technique.

Key Points:
• ToddyCat abuses OAuth authorization to access Gmail accounts without credential theft.
• Umbrij malware is deployed via DLL sideloading on Windows systems.
• The attack primarily targets corporate environments, posing significant espionage risks.

ThreatCluster AI

Timeline

2026-07-01: ToddyCat's new tactics reported. Gbhackers reported on ToddyCat's use of OAuth to compromise Gmail accounts using Umbrij malware. (Source: Gbhackers)
2026-07-02: Further details on Umbrij malware released. The Hacker News provided insights into how Umbrij abuses OAuth to access Gmail via the Google API. (Source: The Hacker News)
