
Umbrij malware steals Google OAuth tokens through a hidden browser to read Gmail

Kaspersky detailed Umbrij, a new tool from the ToddyCat espionage group that steals access to corporate Gmail without ever taking a password. Delivered on Windows through DLL side-loading via trusted signed programs, Umbrij copies the victim's already-signed-in browser profile, launches a hidden Chromium instance with remote debugging enabled, and drives it through Google's OAuth flow while impersonating legitimate Google Workspace sync apps. Because the copied profile already carries an authenticated Google session, Google issues an authorization code that is exchanged for an access token, giving the attackers API access to Gmail, Drive, Calendar, and more. Neither the password nor a multi-factor prompt is needed: both were satisfied when the victim originally signed in, and the stolen token inherits that session's trust. The technique shows how stealing OAuth tokens can quietly bypass account protections that only guard the login step.

Check
Audit which third-party apps and OAuth grants have access to your Google Workspace accounts, and watch endpoints for browsers launched with headless and remote-debugging flags (for Chromium-based browsers, --headless, --remote-debugging-port or --remote-debugging-pipe, and a --user-data-dir pointing at a copied profile outside the normal profile location) outside dedicated test systems. Because Umbrij impersonates legitimate Google Workspace sync apps, a grant audit alone may show nothing new; correlate with endpoint process telemetry and Google API access patterns.
Affected
Organizations using Google Workspace or Gmail for business; by hijacking an already-signed-in browser profile and the OAuth flow, attackers gain token-based access to email and files without a password or MFA prompt.
Fix
Regularly review and revoke unnecessary OAuth app access to Google accounts; monitor for suspicious DLL side-loading and headless browser debugging; restrict remote-debugging use to dedicated test hosts; and alert on unusual Google API access. If a compromise is suspected, revoke the affected user's OAuth tokens and sign-in sessions in the Workspace admin console so that access tokens already issued stop working, since a password change alone does not invalidate them.
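The Check and Fix sections both come down to one endpoint signal: a Chromium-based browser started in headless mode with remote debugging and a profile directory that is not the user's normal one. The detection below is an added example written for this summary; it is not code from Kaspersky's report or from the ToddyCat tooling. The process-creation records, host names, parent-process allowlist, default-profile path markers and scoring weights are all constructed assumptions to be tuned to your own fleet; only the Chromium flag names are real.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed Sysmon-style (Event ID 1) process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-042",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"host": "WS-042",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                r'--remote-debugging-port=9222 --user-data-dir=C:\Users\jdoe\AppData\Local\Temp\p1 --no-first-run'},
    {"host": "QA-LAB-01",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Tools\node.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9222'},
    {"host": "WS-017",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222'},
]

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe", "brave.exe"}
# Assumption: parents that normally launch a browser in this environment.
BENIGN_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "svchost.exe"}
# Assumption: substrings identifying the browsers' default profile locations.
DEFAULT_PROFILE_MARKERS = (r"\google\chrome\user data", r"\microsoft\edge\user data")
# Assumption: dedicated browser-automation hosts where these flags are expected.
TEST_HOSTS = {"QA-LAB-01"}
ALERT_THRESHOLD = 4

# Matches --flag, --flag=value and --flag="quoted value" in a Windows command line.
FLAG_RE = re.compile(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?')


@dataclass
class Finding:
    host: str
    score: int
    reasons: List[str]
    cmdline: str


def parse_flags(cmdline: str) -> Dict[str, str]:
    """Return {flag_name: value} for every --flag on the command line ('' if no value)."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"') for m in FLAG_RE.finditer(cmdline)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> Optional[Finding]:
    """Score one process-creation event; return a Finding when it crosses the threshold."""
    if basename(event["image"]) not in BROWSER_IMAGES:
        return None
    if event["host"] in TEST_HOSTS:
        return None  # headless/debug browsers are expected on automation hosts
    flags = parse_flags(event["cmdline"])
    reasons, score = [], 0
    if "headless" in flags:
        reasons.append("headless mode")
        score += 2
    if "remote-debugging-port" in flags or "remote-debugging-pipe" in flags:
        reasons.append("remote debugging enabled")
        score += 3
    profile_dir = flags.get("user-data-dir", "").lower()
    if profile_dir and not any(marker in profile_dir for marker in DEFAULT_PROFILE_MARKERS):
        reasons.append(f"non-default profile dir {profile_dir}")  # copied profile is the key tell
        score += 2
    parent = basename(event["parent"])
    if parent not in BENIGN_PARENTS:
        reasons.append(f"unusual parent {parent}")
        score += 1
    if score < ALERT_THRESHOLD:
        return None
    return Finding(event["host"], score, reasons, event["cmdline"])


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (assess(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.host}] score={finding.score} {'; '.join(finding.reasons)}")
        print(f"    {finding.cmdline}")
```

Only the second record fires: headless, remote debugging, a profile copied into Temp and a parent that is not a normal launcher. The Edge record with a bare --remote-debugging-port from explorer.exe stays under the threshold, which keeps developer noise down while still letting a copied profile or an odd parent push it over; lower ALERT_THRESHOLD if remote debugging is never legitimate on user workstations.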