ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • New malware targets macOS devices via OpenVSX extensions

    February 3, 2026

    GlassWorm, the malware campaign which targeted VS Code developers on Microsoft’s official Visual Studio Code marketplace, has now expanded to open source alternatives, experts have claimed. Recently, security researchers Socket said they discovered four extensions in Open VSX, an open, vendor-neutral marketplace for editor extensions (mainly used by developers who work with VS Code-compatible editors). These ...

  • Northern Ireland: PSNI officers affected by data breach to receive £7,500

    February 3, 2026

    Almost 10,000 police officers and staff affected by a huge data breach in Northern Ireland are to get a payment of at least £7,500 each. The details of all the PSNI’s serving officers and civilian staff were inadvertently published as part of a response to a Freedom of Information (FOI) request in August 2023. The database ...

  • Russian ransomware hackers allegedly hit Tulsa airport in cyberattack, dump private files online as proof

    February 2, 2026

    Russian ransomware operators Qilin have claimed to have broken into the Tulsa International Airport and stolen an unspecified amount of sensitive company data. A report from Cybernews says the group recently added the airport to their data leak site, and included 18 samples as proof of their claims. The researchers analyzed the samples, finding it included ...

  • The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit

    February 2, 2026

    Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors. Rapid7 investigation ...

  • Russia-linked APT28 attackers already abusing new Microsoft Office zero-day

    February 2, 2026

    Russia-linked attackers are already exploiting Microsoft’s latest Office zero-day, with Ukraine’s national cyber defense team warning that the same bug is being used to target government agencies inside the country and organizations across the EU. In an alert published on Sunday, CERT-UA says the activity is being driven by UAC-0001, better known as “APT28” or “Fancy ...

  • Oregon residents health data stolen in TriZetto breach

    January 31, 2026

    Thousands more Oregonians will soon receive data breach letters in the continued fallout from the TriZetto data breach, in which someone hacked the insurance verification provider and gained access to its healthcare provider customers across multiple US states. The breach occurred back in November 2024, with intruders snooping through protected health information and other sensitive personal ...