ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Spam and phishing in 2025

    February 11, 2026

    In 2025, online streaming services remained a primary theme for phishing sites within the entertainment sector, typically by offering early access to major premieres ahead of their official release dates. Alongside these, there was a notable increase in phishing pages mimicking ticket aggregation platforms for live events. Cybercriminals lured users with offers of free tickets to ...

  • Beyond the Battlefield: Threats to the Defense Industrial Base

    February 10, 2026

    In modern warfare, the front lines are no longer confined to the battlefield; they extend directly into the servers and supply chains of the industry that safeguards the nation. Today, the defense sector faces a relentless barrage of cyber operations conducted by state-sponsored actors and criminal groups alike. In recent years, Google Threat Intelligence Group (GTIG) ...

  • A Peek Into Muddled Libra’s Operational Playbook

    February 10, 2026

    During a September 2025 incident response investigation, Unit 42 discovered a rogue virtual machine (VM) which they believe with high confidence to be used by the cybercrime group Muddled Libra (aka Scattered Spider, UNC3944). The contents of this rogue VM and activity from the attack provide valuable insight into the operational playbook of this threat actor. ...

  • SolarWinds Web Help Desk Exploitation – February 2026

    February 10, 2026

    Multiple intrusions have been publicly reported starting on February 6, 2026 stemming from Internet-connected servers utilizing SolarWinds Web Help Desk software. This exploitation activity reportedly first occurred in December 2025. Given the number of recent CVEs affecting this product, it’s not yet clear which of several CVEs is directly responsible for these campaigns. Below are ...

  • UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering

    February 9, 2026

    North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069, a financially motivated threat actor active since at least 2018. This investigation revealed a tailored intrusion resulting in the deployment of seven unique ...

  • Malaysia: Nacsa investigating alleged cyber-espionage targeting multiple government bodies

    February 7, 2026

    The National Cyber Security Agency (Nacsa) is currently investigating alleged incidents of cyber-espionage activity targeting various Malaysian government entities. In a statement to StarLifestyle, a Nacsa spokesperson said the agency is aware of a report published by Unit 42, the threat research unit of US-based cybersecurity firm Palo Alto Networks. The Nacsa spokesperson said the agency ...