ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Pharma giant Inotiv hit by ransomware attack, says operations were affected

    August 19, 2025

    Inotiv, an American pharmaceutical and biotech company, has confirmed it has suffered a ransomware attack which forced it to shut down parts of its IT infrastructure. In a report filed with the US Securities and Exchange Commission (SEC), the company said it spotted the attack on August 8, 2025. The initial investigation determined that someone broke ...

  • Deep dive into CVE‑2025‑29824 in Windows

    August 19, 2025

    On April 8, 2025, Microsoft patched 121 vulnerabilities across its products, including CVE-2025-29824—the only one known to be exploited in the wild. This particular flaw enabled adversaries to escalate Windows privileges by leveraging a bug in the clfs.sys driver. Microsoft Threat Intelligence discovered the issue during the Storm-2460 attacks targeting organizations in Saudi Arabia, Spain, Venezuela, ...

  • GodRAT – New RAT targeting financial institutions

    August 19, 2025

    In September 2024, Kaspersky researchers detected malicious activity targeting financial (trading and brokerage) firms through the distribution of malicious .scr (screen saver) files disguised as financial documents via Skype messenger. The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase. To evade detection, the attackers ...

  • Cisco warns of worrying major security flaw in firewall command center – patch now

    August 18, 2025

    Cisco recently fixed a maximum-severity vulnerability in its Secure Firewall Management Center (FMC) product, and urged users to apply either the patch, or the mitigation, as soon as possible. FMC is a centralized platform for configuring, monitoring, and analyzing Cisco Secure Firewalls, where users can manage policies, track threat intelligence, and monitor their deployments across endpoints. ...

  • Workday hit by data breach targeting CRM systems

    August 18, 2025

    The US company was affected by a social engineering campaign that bears similarities to a recent wave of attacks by extortion group ShinyHunters. Enterprise software company Workday recently suffered a data breach after threat actors targeted a third-party customer relationship management (CRM) platform. According to a blogpost by the US company on Friday (15 August), threat ...

  • Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824

    August 18, 2025

    In April 2025, Microsoft patched 121 vulnerabilities in its products. According to the company, only one of them was being used in real-world attacks at the time the patch was released: CVE-2025-29824. The exploit for this vulnerability was executed by the PipeMagic malware, which Kaspersky researchers first discovered in December 2022 in a RansomExx ransomware campaign. ...