ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Tata Technologies says ransomware attack hit IT assets

    January 31, 2025

    Tata Technologies, a technology and product engineering service company owned by Indian conglomerate Tata Group, has disclosed a ransomware attack that has forced it to suspend some of its services. The Pune-headquartered company said Friday that the incident affected “a few of our IT assets” while its client delivery services “remained fully functional and unaffected throughout.” ...

  • Coyote Banking Trojan: A Stealthy Attack via LNK Files

    January 30, 2025

    Over the past month, FortiGuard Labs has identified several similar LNK files containing PowerShell commands designed to execute malicious scripts and connect to remote servers. These files are part of multi-stage operations that ultimately deliver the Coyote Banking Trojan. This malware primarily targets users in Brazil, seeking to harvest sensitive information from over 70 financial applications ...

  • Europol: Law enforcement takes down two largest cybercrime forums in the world

    January 30, 2025

    A Europol-supported operation, led by German authorities and involving law enforcement from eight countries, has led to the takedown of the two largest cybercrime forums in the world. The two platforms, Cracked and Nulled, had more than 10 million users in total. Both of these underground economy forums offered a quick entry point into the cybercrime ...

  • DeepSeek leaks one million sensitive records in a major data breach

    January 30, 2025

    A New York-based cybersecurity firm, Wiz, has uncovered a critical security lapse at DeepSeek, a rising Chinese AI startup, revealing a cache of sensitive data openly accessible on the internet. According to a report published by Wiz, the exposed data included over a million lines of log entries, digital software keys, backend details, and user chat ...

  • A closer look at the Tria stealer campaign

    January 30, 2025

    Since mid-2024, Kaspersky researchers observed a malicious Android campaign leveraging wedding invitations as a lure to social-engineer victims into installing a malicious Android app (APK), which they have named “Tria Stealer” after unique strings found in campaign samples. The primary targets of the campaign are users in Malaysia and Brunei, with Malaysia being the most affected ...

  • CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia

    January 29, 2025

    We identified a cluster of activity that we track as CL-STA-0048. This cluster targeted high-value targets in South Asia, including a telecommunications organization. This activity cluster used rare tools and techniques including the technique we call Hex Staging, in which the attackers deliver payloads in chunks. Their activity also includes exfiltration over DNS using ping, and ...