ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

    March 31, 2026

    Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package “axios.” Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named “plain-crypto-js” into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify ...

  • Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure

    March 31, 2026

    Between late February and March 2026, threat group TeamPCP conducted a highly calculated, escalating sequence of supply chain threats. It systematically compromised widely trusted open-source security tools, including the vulnerability scanners Trivy and KICS and the popular AI gateway LiteLLM. The affected software also includes the official Python SDK of Telnyx. These ongoing supply chain attacks ...

  • GitHub developers targeted by fake VS Code alerts spreading malware

    March 30, 2026

    Cybercriminals are tricking GitHub into sending out fraudulent email notifications, luring software developers into downloading malware, experts have warned. Security researchers Socket, who said they observed a large-scale, coordinated spam campaign targeting developers on various projects. GitHub has a section called “Discussions”, which is essentially a forum for discussing various projects. When a developer participates in, ...

  • Beyond Compliance: How Financial Institutions Can Meet New Fraud-Sharing Mandates While Respecting Privacy

    March 30, 2026

    Authorized Push Payment (APP) fraud is one of the most damaging forms of digital deception. The pattern repeats itself thousands of times each year: an email from the bank’s security team warning of suspicious activity. A phone call that follows immediately. The caller ID matches. The “fraud prevention officer” knows details about recent transactions. Within minutes, ...

  • Bogus Avast website fakes virus scan, installs Venom Stealer instead

    March 27, 2026

    A fake website impersonating Avast antivirus is tricking people into infecting their own computers. The site looks legitimate, runs what appears to be a virus scan, and claims your system is full of threats. But the results are fake: when you’re prompted to “fix” the problem, the download you’re given is actually Venom Stealer—a type of ...

  • Commission investigates cyberattack targeting EU websites

    March 27, 2026

    The European Commission has announced that it is investigating a cyber attack that took place on Tuesday, targeting its cloud infrastructure hosting the ‘europa.eu’ websites and leading to a data leak. “Early findings of our ongoing investigation suggest that data have been taken from those websites,” it said in a statement on Friday evening, adding that ...