The ToddyCat Advanced Persistent Threat (APT) group has developed new techniques for reaching corporate email, and they pose a significant threat to organizations. The attacks, observed mainly in the second half of 2024 and early 2025, show the group moving beyond conventional intrusion tactics toward quieter access to sensitive employee correspondence.
Email remains the backbone of business communication for most companies, whether hosted on-premises on servers such as Microsoft Exchange or on cloud platforms such as Microsoft 365 and Google Workspace. Cloud-hosted mail is often assumed to stay out of reach even after the corporate network is breached; ToddyCat's recent activity challenges that assumption.
ToddyCat APT Abuses the User's Browser to Steal OAuth Tokens for Email Access
Researchers at Securelist have identified that ToddyCat now uses a victim's own web browser to obtain OAuth 2.0 tokens for the corporate mail service. An OAuth access token is a bearer credential: whoever holds it can call the mail API as that user until the token expires or is revoked, without the user's password and without triggering an MFA prompt. Once such a token is stolen, the attackers can read the mailbox from their own infrastructure over the internet, sidestepping the on-premises perimeter entirely.
This shift shows the group continuing to adapt its tactics, techniques, and procedures (TTPs) to stay ahead of detection. It also underlines that protecting organizational communications now requires controls beyond traditional network defenses, such as monitoring for anomalous token use and session activity in the cloud tenant.
Browser Data Theft Through Network Connections
A key component of ToddyCat's updated methodology is a new PowerShell version of their previously documented tool, dubbed "TomBerBil." This iteration works differently from its predecessors: it runs on a domain controller with elevated privileges and uses the Server Message Block (SMB) protocol to reach browser profile files on other machines in the domain, rather than running on each victim workstation.
The tool targets Google Chrome, Microsoft Edge, and Mozilla Firefox. It reads a list of computer names, connects to the administrative share of each host in turn, and copies the browser profile files that hold saved credentials, encryption keys, cookies, and browsing history.
Crucially, the script also copies Data Protection API (DPAPI) master keys from each user's profile. Chrome and Edge encrypt saved passwords and cookies with a per-profile key that is itself protected by DPAPI, so the browser files alone are useless without the DPAPI material. The master keys are in turn encrypted with a key derived from the user's password, which is why the attackers also need user authentication material (or the domain's DPAPI backup key, which a domain controller holds) to decrypt the stolen data on their own systems. Because the copying happens over SMB to ordinary administrative shares, the activity blends in with routine file-server and management traffic in many corporate environments and is easy to miss.
The script is launched with a command of the following form (the path is the one reported by the researchers; the backslashes are restored here, as the original formatting had stripped them):
powershell -exec bypass -command "c:\programdata\ip445.ps1"
The script builds UNC paths to the C$ administrative share of each target host and walks the per-user profile directories under it, so a single run from the domain controller can harvest browser data from every reachable endpoint. The path construction looks like this (backslashes restored):
$cpath = "\\{0}\c$\users" -f $myhost
$loginDataPath = $item.FullName + "\AppData\Local\Google\Chrome\User Data\Default\Login Data"
copy-item -Force -Path $loginDataPath -Destination $dstFileName
Here $myhost is one entry from the list of computer names, $item is one user's profile directory under that host's Users folder, and $dstFileName is the local staging path the file is copied to.
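The collection pattern described above leaves a usable trace on the victim side: every file opened through the C$ share is recorded by Windows Security event 5145 (when object access auditing for file shares is enabled), including the share name and the path relative to the share. The following script is an added example written for this article, not code from Securelist or from the ToddyCat toolset. It parses a handful of constructed 5145 records (hosts, users, SIDs and addresses are invented), matches the relative path against the browser credential stores and DPAPI master-key locations the tool is described as copying, and flags any source that reads such files from several different computers, which is the fan-out a domain-controller-resident collector produces. The field names follow the 5145 event schema; the key=value line format is an assumed export format, not the Windows native one.

```python
"""
Added example (not from the original article or the ToddyCat tooling):
hunt over Windows Security event 5145 records for browser-profile and
DPAPI master-key reads performed through administrative shares.
"""
import re
from collections import defaultdict

# Paths, relative to the C$ share, that a collector of this kind must read.
# Patterns are matched against the RelativeTargetName field of event 5145.
SENSITIVE_PATHS = {
    "chrome_logins":    re.compile(r"Users\\[^\\]+\\AppData\\Local\\Google\\Chrome\\User Data\\.*\\Login Data$", re.I),
    "chrome_cookies":   re.compile(r"Users\\[^\\]+\\AppData\\Local\\Google\\Chrome\\User Data\\.*\\(Network\\)?Cookies$", re.I),
    # 'Local State' holds the DPAPI-wrapped key that encrypts Login Data and Cookies.
    "chrome_localstate": re.compile(r"Users\\[^\\]+\\AppData\\Local\\Google\\Chrome\\User Data\\Local State$", re.I),
    "edge_logins":      re.compile(r"Users\\[^\\]+\\AppData\\Local\\Microsoft\\Edge\\User Data\\.*\\Login Data$", re.I),
    "firefox_logins":   re.compile(r"Users\\[^\\]+\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db)$", re.I),
    # Per-user DPAPI master keys: a GUID-named file under Protect\<user SID>\.
    "dpapi_masterkey":  re.compile(r"Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-[\d-]+\\[0-9a-f-]{36}$", re.I),
}

# Constructed sample records (assumed key=value export of event 5145 fields).
SAMPLE_EVENTS = [
    # One source reading Chrome, Edge, Firefox and DPAPI material on two hosts over C$.
    r"EventID=5145 Computer=WS01.corp.example IpAddress=10.10.0.5 SubjectUserName=svc_backup ShareName=\\*\C$ RelativeTargetName=Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"EventID=5145 Computer=WS01.corp.example IpAddress=10.10.0.5 SubjectUserName=svc_backup ShareName=\\*\C$ RelativeTargetName=Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"EventID=5145 Computer=WS01.corp.example IpAddress=10.10.0.5 SubjectUserName=svc_backup ShareName=\\*\C$ RelativeTargetName=Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1105\b2c1d0e4-5f6a-4b7c-8d9e-0f1a2b3c4d5e",
    r"EventID=5145 Computer=WS02.corp.example IpAddress=10.10.0.5 SubjectUserName=svc_backup ShareName=\\*\C$ RelativeTargetName=Users\bob\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"EventID=5145 Computer=WS02.corp.example IpAddress=10.10.0.5 SubjectUserName=svc_backup ShareName=\\*\C$ RelativeTargetName=Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\key4.db",
    # Benign: software deployment touching a non-sensitive path via C$.
    r"EventID=5145 Computer=WS03.corp.example IpAddress=10.10.0.9 SubjectUserName=sccm_push ShareName=\\*\C$ RelativeTargetName=Windows\Temp\ccmcache\pkg.msi",
    # Benign: a similarly named file on an ordinary (non-administrative) share.
    r"EventID=5145 Computer=FS01.corp.example IpAddress=10.10.0.20 SubjectUserName=alice ShareName=\\*\Profiles RelativeTargetName=alice\backup\Login Data",
    # Different event ID; must be ignored.
    r"EventID=4624 Computer=WS01.corp.example IpAddress=10.10.0.5 SubjectUserName=svc_backup",
]

# key=value pairs; a value runs until the next " key=" or end of line, so
# values containing spaces (e.g. "User Data") are kept intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one exported record into a dict of its fields."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def is_admin_share(share):
    """Event 5145 logs administrative shares as \\*\C$, \\*\ADMIN$, etc."""
    return share.upper().endswith("$")


def classify(event):
    """Return the sensitive-artifact label for an admin-share read, else None."""
    if event.get("EventID") != "5145" or not is_admin_share(event.get("ShareName", "")):
        return None
    target = event.get("RelativeTargetName", "")
    for label, pattern in SENSITIVE_PATHS.items():
        if pattern.search(target):
            return label
    return None


def hunt(lines, min_hosts=2):
    """Group hits by (IpAddress, SubjectUserName) and return only sources that
    pulled browser/DPAPI files from at least `min_hosts` distinct computers."""
    hits = defaultdict(lambda: {"hosts": set(), "users": set(), "artifacts": set()})
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label is None:
            continue
        key = (ev["IpAddress"], ev["SubjectUserName"])
        hits[key]["hosts"].add(ev["Computer"])
        owner = re.search(r"Users\\([^\\]+)\\", ev["RelativeTargetName"], re.I)
        if owner:
            hits[key]["users"].add(owner.group(1))
        hits[key]["artifacts"].add(label)
    return {k: v for k, v in hits.items() if len(v["hosts"]) >= min_hosts}


if __name__ == "__main__":
    for (ip, user), info in hunt(SAMPLE_EVENTS).items():
        print(f"{ip} as {user}: {len(info['hosts'])} hosts, "
              f"profiles of {sorted(info['users'])}, artifacts {sorted(info['artifacts'])}")
```

The host-count threshold is what separates this from a noisy single-file rule: a backup agent or a help-desk admin may legitimately touch one profile over C$, but a single account reading Login Data and DPAPI master keys from many workstations in a short window is the collector's signature. In production the same logic would run against 5145 events pulled from the SIEM, with the DC and known management servers as the sources of most interest.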
The continuing evolution of ToddyCat's TTPs means organizations must keep their security posture under review. By harvesting browser data and reusing cloud authentication artifacts such as OAuth 2.0 tokens, the group bypasses controls that only watch the network edge; countering it calls for a layered strategy that combines endpoint detection and response, auditing of administrative-share access, and identity and access management that can spot and revoke anomalous token use.

