Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The Shadow Token: A Sophisticated Malware Exploits OAuth for Gmail Access via Google API




The Umbrij malware family has been attributed to the ToddyCat cyber espionage group and leverages the OAuth 2.0 protocol for authorization. It uses a novel technique called Shadow Token via Remote Debug (STRD) to acquire an OAuth token and use it to connect to the browser's management console in headless mode, thus compromising corporate email communications.

  • The Umbrij malware family has emerged as a sophisticated threat, targeting corporate email communications via the Google API.
  • The attackers use the Shadow Token via Remote Debug (STRD) technique to acquire an OAuth token and connect to the browser's management console.
  • The Umbrij operators primarily target corporate Gmail accounts, compromising access to them through Google's APIs.
  • The malware performs a series of preparatory actions to breach the Gmail account, including verifying port availability and gathering user profile information.
  • The malware creates a directory with copied files and folders from target user profiles, then launches browsers in headless mode using the copied profile.
  • The attackers use Puppeteer to connect to the remote debugging port and request an authorization code to exchange for an OAuth access token.
  • The Umbrij malware compromises corporate email communications by acquiring an OAuth access token and connecting to the Gmail account through the API.



The threat landscape has recently witnessed the emergence of a highly sophisticated malware family known as Umbrij, which is attributed to the notorious cyber espionage group known as ToddyCat. The malware is specifically designed to gain unauthorized access to a victim's email correspondence via the Google API, leveraging the OAuth 2.0 protocol for authorization.

In this context, the attackers have developed a novel technique called Shadow Token via Remote Debug (STRD) to acquire an OAuth token and use it to connect to the browser's management console in headless mode through a remote debugging port. This technique has garnered significant attention from cybersecurity experts due to its complexity and potential impact on corporate email communications.

According to Kaspersky, the Russian cybersecurity vendor that first discovered the malware, the Umbrij threat actor has focused on corporate email communications hosted on Gmail, seeking to compromise access through the API. The attackers have developed three different versions of the malware, each featuring helper functions for debugging and for searching and selecting user accounts within the browser.

The Umbrij malware workflow diagram reveals a series of preparatory actions that it performs on a compromised Windows host before breaching the Gmail account:

  • verifying that the port designated for browser debugging is available;
  • retrieving the user context by searching for the "explorer.exe" process and duplicating the token of the first such process encountered;
  • constructing the path to the web browser application folder within the user's local application data repository;
  • parsing the Local State file corresponding to Chrome or Edge to gather information about stored browser user profiles;
  • enumerating all profiles and scanning them for a field named "user_name" that includes an email address.

Having gathered this profile information, the malware creates a directory called "BackupFiles" within "%LOCALAPPDATA%\Google\Chrome\" and "%LOCALAPPDATA%\Microsoft\Edge\" and copies specific files and folders from each target user profile into it. It then launches the browsers in headless mode using the profile copied to the "BackupFiles" folder, so the browser loads all of the user's active cookies, including the signed-in Google session, and no authentication step is required.

Using Puppeteer, a JavaScript library for controlling Chromium-based browsers via the Chrome DevTools Protocol, the malware connects to the remote debugging port and issues an authorization code request, directing the browser to an "accounts.google[.]com/o/oauth2/v2/auth/identifier" URL whose client_id corresponds to a migration tool used for importing local PST files and data from Microsoft Exchange accounts into a Google Workspace account. The HTTP GET request also specifies the set of permissions (scopes) required by the application.

After navigating to the URL, the malware uses JavaScript to emulate mouse click events, selecting the appropriate Google account and granting the application the requested permissions, including full access to Gmail, Drive, Contacts, Calendar, and Tasks. The browser session is then redirected to a local address specified in the initial request, and the malware extracts the OAuth authorization code from that redirect.

Upon acquiring the authorization code, the malware exchanges it for an OAuth access token, which is then used to connect to the Gmail account through the API, thus compromising corporate email communications.
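The steps above leave a recognisable trace on the endpoint: a Chromium browser started headless, with a remote debugging port open, and with its profile loaded from a BackupFiles copy instead of the live profile directory. The following Python check is an added example, not code from the report, from Kaspersky, or from the Umbrij samples. It scans constructed process-creation records (the fields a Sysmon Event ID 1 or EDR record would carry) for that pattern. The switches --headless, --remote-debugging-port and --user-data-dir are standard Chromium command-line switches; that the malware uses exactly these to point the browser at the copied profile is an assumption, as are the sample records and the BackupFiles path layout.

```python
import re
from dataclasses import dataclass, field

# Process images the check cares about: the two Chromium-based browsers named in the report.
BROWSER_IMAGES = ("chrome.exe", "msedge.exe")

# Constructed process-creation records written for this example; none of this is real telemetry.
SAMPLE_EVENTS = [
    # Launch shaped like the STRD step: headless, debugging port open, profile copied under
    # BackupFiles (directory name from the report; the exact switches are an assumption).
    {"pid": 4412,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                      r'--remote-debugging-port=9222 '
                      r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\BackupFiles" '
                      r'--profile-directory=Default')},
    # Ordinary interactive launch by the user.
    {"pid": 5120,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    # Developer attaching DevTools to a visible browser: worth a look, not the technique itself.
    {"pid": 6001,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222'},
    # Headless Edge with a debugging port, but on the live profile directory.
    {"pid": 6230,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": (r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless '
                      r'--remote-debugging-port=9223 '
                      r'--user-data-dir="C:\Users\alice\AppData\Local\Microsoft\Edge\User Data"')},
    # Unrelated process, ignored entirely.
    {"pid": 7000, "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

# Matches Chromium-style switches: --name, --name=value, --name="quoted value".
SWITCH_RE = re.compile(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?')


@dataclass
class Finding:
    pid: int
    image: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_switches(command_line: str) -> dict:
    """Return {switch_name: value} for every --switch on a Chromium command line.
    Switches without a value map to the empty string; surrounding quotes are removed."""
    return {name.lower(): value.strip('"') for name, value in SWITCH_RE.findall(command_line)}


def assess_event(event: dict):
    """Score one process-creation record; return a Finding or None."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name not in BROWSER_IMAGES:
        return None
    switches = parse_switches(event["command_line"])
    headless = "headless" in switches
    debug_port = switches.get("remote-debugging-port")
    # A user-data-dir ending in \BackupFiles is the copied-profile location from the report.
    copied_profile = bool(re.search(r"\\backupfiles(\\|$)", switches.get("user-data-dir", ""), re.IGNORECASE))

    reasons = []
    if headless:
        reasons.append("launched in headless mode")
    if debug_port is not None:
        reasons.append(f"remote debugging port {debug_port or '(unspecified)'} exposed")
    if copied_profile:
        reasons.append("profile loaded from a BackupFiles copy rather than the live User Data directory")
    if not reasons:
        return None

    # All three together are the STRD launch pattern; headless plus a debug port alone is
    # common automation, and a debug port alone is usually a developer.
    if headless and debug_port is not None:
        severity = "high" if copied_profile else "medium"
    else:
        severity = "low"
    return Finding(event["pid"], image_name, severity, reasons)


def scan(events) -> list:
    """Run assess_event over a batch of records and keep only the findings."""
    return [f for f in (assess_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid={finding.pid} {finding.image} severity={finding.severity}: " + "; ".join(finding.reasons))
```

The severity ladder is deliberately conservative: a debugging port on its own is routine developer activity, so only the combination of headless launch, open debug port and a profile copy under BackupFiles reaches "high". In a real deployment the same check would run over the EDR's process-creation feed rather than the embedded list.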

In conclusion, the Umbrij malware represents a significant threat to corporate email communications, leveraging the OAuth 2.0 protocol and the Shadow Token via Remote Debug (STRD) technique to gain unauthorized access to sensitive information. Cybersecurity experts advise organizations to review the application authorizations granted on their accounts by navigating to "myaccount.google[.]com/connections" and looking for applications named "Google Workspace Migration for Microsoft Outlook" or "Google Workspace Sync for Microsoft Outlook." If either of these applications is present and is not actually used within the organization, its access should be revoked to invalidate the OAuth tokens.
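The review recommended above can be scripted across a whole organisation rather than done one account at a time. The following Python is an added example, not tooling from the report or from Google. It assumes an exported grant inventory shaped like the items the Admin SDK Directory API returns for a user's OAuth tokens (userKey, clientId, displayText, scopes), uses constructed sample grants with placeholder client IDs, and flags the two application names named in the report whenever no approved user is recorded for them, plus any other grant holding the full Gmail scope. The output is a list of (userKey, clientId) pairs, which are the two arguments the Directory API's tokens.delete method takes to revoke a grant.

```python
# Scopes the report says the migration client is granted; the URIs are the standard Google
# API scope identifiers for those products.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/contacts": "Contacts",
    "https://www.googleapis.com/auth/calendar": "Calendar",
    "https://www.googleapis.com/auth/tasks": "Tasks",
}
FULL_GMAIL_SCOPE = "https://mail.google.com/"

# Application names the report tells administrators to look for on the connections page.
WATCHLIST_APPS = {
    "Google Workspace Migration for Microsoft Outlook",
    "Google Workspace Sync for Microsoft Outlook",
}

# Constructed inventory shaped like Directory API tokens.list items (assumption about the
# export format). Client IDs are placeholders, not real values.
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "PLACEHOLDER-CLIENT-ID-1.apps.googleusercontent.com",
     "displayText": "Google Workspace Migration for Microsoft Outlook",
     "scopes": list(BROAD_SCOPES)},
    {"userKey": "bob@example.com", "clientId": "PLACEHOLDER-CLIENT-ID-2.apps.googleusercontent.com",
     "displayText": "Google Workspace Sync for Microsoft Outlook",
     "scopes": list(BROAD_SCOPES)},
    {"userKey": "carol@example.com", "clientId": "PLACEHOLDER-CLIENT-ID-3.apps.googleusercontent.com",
     "displayText": "Mail Triage Helper",
     "scopes": [FULL_GMAIL_SCOPE]},
    {"userKey": "dave@example.com", "clientId": "PLACEHOLDER-CLIENT-ID-4.apps.googleusercontent.com",
     "displayText": "Room Booking Bot",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

# The organisation's own record of who legitimately runs which application.
APPROVED_USAGE = {
    "Google Workspace Sync for Microsoft Outlook": {"bob@example.com"},
}


def triage_grants(grants, approved_usage):
    """Return the grants an administrator should look at, with the reason for each."""
    findings = []
    for grant in grants:
        app = grant.get("displayText", "")
        user = grant["userKey"]
        scopes = set(grant.get("scopes", []))
        if user in approved_usage.get(app, set()):
            continue  # documented, legitimate use of this app by this user
        reasons = []
        if app in WATCHLIST_APPS:
            reasons.append("Outlook migration/sync client named in the Umbrij report, with no approved user record")
        if FULL_GMAIL_SCOPE in scopes:
            reasons.append("holds the full Gmail scope, enough to read the whole mailbox through the API")
        if not reasons:
            continue
        findings.append({
            "userKey": user,
            "clientId": grant["clientId"],
            "displayText": app,
            "broad_scopes": sorted(BROAD_SCOPES[s] for s in scopes if s in BROAD_SCOPES),
            "reasons": reasons,
        })
    return findings


def revocation_plan(findings):
    """(userKey, clientId) pairs: the two arguments tokens.delete takes to revoke a grant."""
    return [(f["userKey"], f["clientId"]) for f in findings]


if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS, APPROVED_USAGE):
        print(f"{f['userKey']}: {f['displayText']} [{', '.join(f['broad_scopes'])}]")
        for r in f["reasons"]:
            print("   -", r)
    print("revoke:", revocation_plan(triage_grants(SAMPLE_GRANTS, APPROVED_USAGE)))
```

Keying the allowlist on application name plus user, rather than on application name alone, matters here: the abused client is a legitimate Google tool, so an organisation that really does use the Outlook sync still wants to see it appear on an account that has no business running it.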



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Shadow-Token-A-Sophisticated-Malware-Exploits-OAuth-for-Gmail-Access-via-Google-API-ehn.shtml
  • https://thehackernews.com/2026/07/toddycat-linked-umbrij-malware-abuses.html


  • Published: Thu Jul 2 08:36:24 2026 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
