ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Fortinet patches FortiGate Firewall vulnerabilities that allowed hackers to steal enterprise credentials

    March 16, 2026

    At the start of the year, cybercriminals were exploiting three vulnerabilities in FortiGate Next-Generation Firewalls (NGFW) to establish persistence and move laterally throughout the network. All recorded attacks were stopped before they could do any meaningful harm, and FortiGate has since issued patches to mitigate the risk. Between December 2025 and February 2026, security researchers SentinelOne ...

  • EU sanctions Chinese and Iranian companies for cyber attacks

    March 16, 2026

    The European Union on Monday imposed sanctions against ‌two China-based and one Iranian ‌company for cyber attacks against EU member ​states. The EU listed China-based Integrity Technology Group and Anxun Information Technology, and Iranian company Emennet Pasargad. Integrity Technology ‌is seen ⁠to have enabled hacks of over65,000 devices across six member ⁠states, according to an EUstatement. ...

  • UAE: Up to 100 people arrested by police for filming drone or missile strikes

    March 14, 2026

    Up to 100 people have been arrested by police in the UAE for filming drone or missile strikes, it emerged this morning. Abu Dhabi Police alone have arrested 45 people of multiple nationalities for filming various locations amid current ongoing events and posting clips on social media. In neighbouring Dubai, at least 21 people, including a ...

  • Google patches two Chrome zero-days under active attack

    March 13, 2026

    Update March 16, 2026 Earlier this week, Google incorrectly reported that an actively exploited vulnerability in Chrome had been fixed, and has now announced it will roll out a new update to protect users against the vulnerability tracked as CVE-2026-3909. Original content: Google has released an out-of-band security update for Chrome desktop that patches two high‑severity ...

  • Swedish government IT system hacked

    March 13, 2026

    A large amount of sensitive information allegedly coming from a Swedish government IT system has been posted on the darknet, according to Dagens Nyheter and Expressen. DN writes that the newspaper has taken note of the leak and that it appears to contain the source code for a digital identity management system used by several authorities. ...

  • Poland investigates Iran links behind cyberattack on nuclear facility

    March 12, 2026

    Poland is looking into whether an attempted cyberattack on a nuclear research facility was carried out by Iran, the government said on Thursday. The country’s digital minister Krzysztof Gawkowski said in an emailed statement that Poland had “identified an attempted cyberattack on the servers of the National Centre for Nuclear Research,” which authorities had thwarted. He ...