Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.
The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Watch how job interviewer exposes North Korean fake IT worker
April 6, 2026
For the last few years, North Koreans have gotten remote jobs at hundreds of Western companies pretending to be from somewhere else, using fake resumes, and sometimes with the help of American collaborators. It’s been a major problem for years, as North Korea remains highly sanctioned by the U.S. and European governments because of the regime’s ...
- New “BrowserGate” report claims LinkedIn secretly scans user browsers for installed extensions and collects device data
April 6, 2026
A new report is alleging LinkedIn uses hidden JavaScript to scan its visitors’ browsers for installed extensions, looks for those that compete with its own sales tools, and then twists its users’ arms until they stop using those and pick LinkedIn’s products, instead. However the social network says this is a smear campaign run by a ...
- Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
April 6, 2026
The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize N-days, targeting vulnerable, web-facing systems during the window between vulnerability disclosure and widespread patch adoption. Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, ...
- Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads
April 3, 2026
In late March 2026open on a new tab, Anthropic inadvertently released the internal Claude Code source material as part of an npm package that included a large internal source map file. Although the incident stemmed from a simple packaging mistake, threat actors were quick to capitalize on the resulting attention. Only 24 hours after the ...
- vSphere and BRICKSTORM Malware: A Defender’s Guide
April 2, 2026
Building on recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. To help organizations stay ahead of these risks, we will focus on the essential hardening strategies and mitigating controls ...
- Sophisticated supply chain attack exploited TrueConf update process
April 2, 2026
Southeast Asian governments were recently targeted by a highly sophisticated supply chain attack as part of a wider cyber-espionage campaign, which experts believe is the work of the Chinese government. Security researchers Check Point detailed their findings on Operation TrueChaos, a campaign revolving around a zero-day vulnerability in TrueConf, a video conferencing and collaboration platform which ...