ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Hackers stole over $2.7B in crypto in 2025, data shows

    December 23, 2025

    Cybercriminals stole $2.7 billion in crypto this year, a new record for crypto-stealing hacks, according to blockchain-monitoring firms. Once again, in 2025, there were dozens of crypto heists hitting several cryptocurrency exchanges and other web3 and decentralized finance (DeFi) projects. The biggest hack by far was the breach at Dubai-based crypto exchange Bybit, where hackers stole ...

  • Nissan says Red Hat breach affected thousands of customers

    December 23, 2025

    Japanese car giant Nissan has confirmed losing sensitive data on thousands of people as a result of a third-party supply chain attack. In a press release, the company said the recent attack on Red Hat affected its customers, as well, as the latter was commissioned by Nissan to develop a customer management system for one of ...

  • US insurance giant Aflac says hackers stole personal and health data of 22.6 million people

    December 23, 2025

    In June, U.S. insurance giant Aflac disclosed a data breach where hackers stole customers’ personal information, including Social Security numbers and health information, without saying how many victims were affected. On Tuesday, the company confirmed it has begun notifying around 22.65 million people whose data was stolen during the cyberattack. In a filing with the Texas ...

  • From cheats to exploits: Webrat spreading via GitHub

    December 23, 2025

    In early 2025, security researchers uncovered a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software. In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting inexperienced ...

  • Evasive Panda APT poisons DNS requests to deliver MgBot

    December 23, 2025

    The Evasive Panda APT group (also known as Bronze Highland, Daggerfly, and StormBamboo) has been active since 2012, targeting multiple industries with sophisticated, evolving tactics. Our latest research (June 2025) reveals that the attackers conducted highly-targeted campaigns, which started in November 2022 and ran until November 2024. The group mainly performed adversary-in-the-middle (AitM) attacks on specific ...

  • North Korea-backed hackers launch newly detected cyberattack using HWP object linking and embedding code

    December 22, 2025

    A North Korea-linked cyber hacking group appears to have launched a new cyberattack campaign, code-named “Artemis,” that embeds malicious code inside computer files, a report showed Monday. The Genians Security Center (GSC), a South Korean cybersecurity institute, said in a report that it detected the operation believed to have been carried out by APT37, a Pyongyang-backed ...