ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • UK: NHS GP software supplier hit by cyber attack

    December 19, 2025

    DXS International which provides healthcare technology for the NHS has disclosed a cyber attack, which has led to data being stolen. The UK-based company provides software that helps to reduce costs for doctors and primary care physicians and is used by around 2,000 GPs which oversee the care of around 17 million patients. In a filing ...

  • Denmark blames Russia for cyberattacks on water utility and local government websites

    December 18, 2025

    The Danish government has accused Russia of being behind two “destructive and disruptive” cyber-attacks in what it describes as “very clear evidence” of a hybrid war. The Danish Defence Intelligence Service (DDIS) announced on Thursday that Moscow was behind a cyber-attack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks ...

  • Critical vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719 exploited in the wild

    December 18, 2025

    A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device. Current information indicates that the ...

  • From Linear to Complex: An Upgrade in RansomHouse Encryption

    December 17, 2025

    RansomHouse is a ransomware-as-a-service (RaaS) operation run by a group that we track as Jolly Scorpius. Recent samples of the associated binaries used in RansomHouse operations reveal a significant upgrade in encryption. This article explores the upgrade of RansomHouse encryption and the potential impact for defenders. Jolly Scorpius uses a double extortion strategy. This strategy combines ...

  • Operation ForumTroll continues: Russian political scientists targeted using plagiarism reports

    December 17, 2025

    In March 2025, we discovered Operation ForumTroll, a series of sophisticated cyberattacks exploiting the CVE-2025-2783 vulnerability in Google Chrome. Kaspersky researchers previously detailed the malicious implants used in the operation: the LeetAgent backdoor and the complex spyware Dante, developed by Memento Labs (formerly Hacking Team). However, the attackers behind this operation didn’t stop at their ...

  • Hacking group says it’s extorting Pornhub after stealing users’ viewing data

    December 16, 2025

    The hacking group Scattered Lapsus$ Hunters, which includes members of a gang known as ShinyHunters, said it is attempting to extort porn site Pornhub, after claiming to have stolen personal information belonging to the website’s premium members. On Friday, Pornhub confirmed it was among several companies affected by an earlier breach at the widely used web ...