Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.
The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Cyber Criminals Redirecting Users to Fraudulent Websites with Malicious Traffic Distribution Systems
June 18, 2026
The Federal Bureau of Investigation (FBI) is publishing this Public Service Announcement (PSA) to warn the public of cyber criminal use of traffic distribution systems (TDSs) to gain access to victim networks for ransomware or other financial scams. TDS is a technology used to route internet traffic visitors to different destinations after users visit webpages, click advertisement ...
- Cybercriminals allegedly hacked tens of thousands of Fortinet firewalls used by major companies all over the world
June 17, 2026
Cybercriminals have compromised tens of thousands of Fortinet firewalls and VPNs used by major companies all over the world, according to two cybersecurity firms. The widespread hacking campaign, which is ongoing and has been dubbed FortiBleed, appears to not involve abusing any unknown vulnerability in the targeted devices, but rather on a more basic issue: Companies ...
- Cisco SD-WAN make-me-root bug under attack
June 16, 2026
Cisco today issued a fix for a Catalyst SD-WAN Manager bug that attackers have already spotted and exploited to get root privileges, according to both the networking vendor and the feds. The vulnerability, tracked as CVE-2026-20262, is in the web UI of Cisco Catalyst SD-WAN Manager, and exists because the software is not properly validating user-supplied input during ...
- Hijacking Vertex AI Model Uploads for Cross-Tenant RCE
June 16, 2026
Palo Alto Unit42 discovered a vulnerability in the Google Cloud Vertex AI software development kit (SDK) for Python, and responsibly disclosed it to Google. Before Google’s fix, the vulnerability would have allowed an attacker operating entirely from their own Google Cloud project to hijack a victim’s model upload and poison it. By exploiting this flaw ...
- Attackers used social engineering to access third-party business apps and steal patient information
June 16, 2026
Heart monitoring biz iRhythm says thieves made off with patient health information and tried to turn it into a payday. The California-based cardiac monitoring specialist offers customers a wearable device that collects data, then analyzes it to create reports about heart health. The company said it detected unauthorized activity on June 8 and launched an investigation ...
- Dozens of malicious wallpapers found on Steam Workshop
June 16, 2026
Since late 2025, malware has been spreading rapidly through the Steam Workshop, the gaming platform’s built-in service for players to create and share custom content. The attackers are primarily targeting gamers in China and Russia, aiming to hijack their accounts. To pull this off, they are exploiting Wallpaper Engine – a popular live wallpaper app ...