ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • ‘Hundreds’ of Iranian hacking attempts have hit surveillance cameras since the missile strikes

    March 4, 2026

    Multiple Iranian hacking crews have been targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries since the war started on February 28, according to Check Point security researchers. The Tel Aviv-based security shop has tracked “hundreds” of attempts to exploit a handful of bugs in IP cameras made by two manufacturers, Hikvision and Dahua, ...

  • CIMB refutes claims of data breach involving 1.2 million records

    March 4, 2026

    CIMB Group Holdings Bhd has given assurance that claims circulating online about a data breach involving its customers are false and that customer data continues to be protected. The financial services provider said on social media platform X that its security teams have verified that all systems are secure and that customer data remains fully safeguarded. ...

  • Europol, Microsoft, TrendAI and Collaborators Halt Tycoon 2FA Operations

    March 4, 2026

    Researchers from TrendAI have been tracking the infrastructure, as well as the campaigns and operator behaviors that can be linked to Tycoon 2FA to build a clearer picture of how its services was being used at scale. By November 2025, TrendAI had collected enough data to link the operation to an actor using the monikers “SaaadFridi” ...

  • Google patches 129 Android security flaws — including a potentially dangerous Qualcomm zero-day

    March 3, 2026

    Google has released a new security update which fixed 129 vulnerabilities in the Android ecosystem, including 10 critical-severity bugs, and one high-severity issue apparently being exploited in the wild. In a security advisory, Google said that it fixed a buffer over-read vulnerability in the Graphics component (an open-source Qualcomm module). The bug, tracked as CVE-2026-21385, was ...

  • Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

    March 3, 2026

    Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical ...

  • Microsoft OAuth scams abuse redirects for malware delivery

    March 3, 2026

    Microsoft has warned organizations about ongoing OAuth abuse scams that use phishing emails and URL redirects to infect victims’ machines with malware and take over their devices. The phishing expedition targets government and public-sector organizations, according to a Monday report from Redmond’s security researchers. And while Microsoft Entra disabled the malicious OAuth applications, Microsoft’s infosec squad ...