ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Google Releases Security Update for Chrome

    September 18, 2025

    Google has released version 140.0.7339.185/.186 for Chrome for Windows and Mac and 140.0.7339.185 for Chrome for Linux, which will roll out over the coming days/weeks. The updates address four high severity vulnerabilities, including CVE-2025-10585, which has an exploit in the wild. CVE-2025-10585 – Type Confusion in V8 – High severity CVE-2025-10500 – Use after free in Dawn ...

  • “Shai-Hulud” Worm Compromises npm Ecosystem in Supply Chain Attack

    September 17, 2025

    Palo Alto Networks Unit 42 is investigating an active and widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem. A novel, self-replicating worm, which is currently being tracked as “Shai-Hulud,” is responsible for the compromise of over 180 software packages. This attack represents a significant evolution in supply chain threats, leveraging automated propagation ...

  • Samsung patches zero-day security flaw used to hack into its customers’ phones

    September 16, 2025

    Samsung says it has fixed a zero-day security vulnerability that is being used to hack into its customers’ phones. The phone maker said the security flaw, discovered in a software library for displaying images on Samsung devices, allows hackers to remotely plant malicious code on Samsung devices running Android 13 through the most recent version, Android ...

  • RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT

    September 16, 2025

    RevengeHotels, also known as TA558, is a threat group that has been active since 2015, stealing credit card data from hotel guests and travelers. RevengeHotels’ modus operandi involves sending emails with phishing links which redirect victims to websites mimicking document storage. These sites, in turn, download script files to ultimately infect the targeted machines. The final ...

  • Shiny tools, shallow checks: how the AI hype opens the door to malicious MCP servers

    September 15, 2025

    In this article, Kaspersky researchers explore how the Model Context Protocol (MCP) — the new “plug-in bus” for AI assistants — can be weaponized as a supply chain foothold. The researchers start with a primer on MCP, map out protocol-level and supply chain attack paths, then walk through a hands-on proof of concept: a seemingly legitimate ...

  • Another massive DDoS attack that reached 1.5 Bpps has been thwarted

    September 13, 2025

    A distributed denial-of-service attack targeting a DDoS mitigation vendor somewhere in Western Europe has been spotted and mitigated by FastNetMon. The firm says the attack peaked at a massive 1.5 billion packets per second, making it one of the largest packet-rate floods confirmed to date. FastNetMon says that the traffic was mainly a UDP flood sourced ...