ToddyCat APT Accessing the Internal Communications of Employees at Target Organizations

In Cybersecurity News (original source: cybersecuritynews.com, by Blog Writer)

The ToddyCat APT group has developed new ways to read corporate email at the organizations it targets.

Email remains the main channel for business communication, whether it is hosted on an organization's own servers, such as Microsoft Exchange, or in cloud services such as Microsoft 365 and Gmail.

Many organizations assume that cloud hosting protects their mail: even if attackers get into the corporate network, the mailboxes live in the cloud and seem out of reach.

ToddyCat's recent activity shows that this assumption does not hold once an endpoint is compromised.

The group has evolved its methods to secretly access internal employee communications at targeted companies. Recent attacks took place during the second half of 2024 and early 2025.

These operations show how the attackers moved from directly harvesting mail files to approaches that blend in with ordinary activity and help them avoid detection.

TomBerBil’s PowerShell flowchart (Source – Securelist)

Their latest technique abuses the user's own browser session to steal OAuth 2.0 access tokens, which then allow the attackers to read the corporate mailbox from outside the breached network.

Researchers at Kaspersky's Securelist identified these new attack methods and documented how ToddyCat's approach changed over time.

The group built tools that work quietly in the background, collecting authentication material and email data while generating few security alerts.

The researchers found that ToddyCat has been constantly testing and improving its techniques to stay ahead of security teams.

Browser Data Theft Through Network Connections

The group updated its TomBerBil tool with a PowerShell version that works differently from earlier versions. Instead of running on each victim workstation, this version is run from a domain controller under a privileged account and reaches the browser files of workstations across the network over SMB, through the administrative C$ share.

The tool collects data from Chrome, Edge, and Firefox browsers. It starts by reading a list of computer names from a file and then connects to each one through network shares.

Scheme of using the TCSectorCopy and XstReader tools (Source – Securelist)

The script creates folders to organize the stolen data and copies the browser files that matter: Login Data, which stores saved passwords; Local State, which holds the key that encrypts that password store; the Cookies database, which carries session cookies; and the browsing History.

For Firefox, it grabs the equivalent files, key3.db, key4.db, signons.sqlite and logins.json, from each user's profile folder. The tool also copies the user's DPAPI master keys, which Windows uses to protect per-user secrets such as the Local State key, so that everything can be decrypted later.

The command used to launch the tool looks like this (the script name is the one seen by the researchers; 445 is the SMB port):

powershell -exec bypass -command "c:\programdata\ip445.ps1"

The PowerShell script builds UNC paths into each target host's C$ share and copies the files out with Copy-Item. The fragment below is from the script; $myhost comes from the list of computer names, $item is the current profile directory under \users, and $dstFileName is the destination inside the collection folder:

$cpath = "\\{0}\c$\users" -f $myhost    # \\<host>\c$\users, reached over SMB from the domain controller
$loginDataPath = $item.FullName + "\AppData\Local\Google\Chrome\User Data\Default\Login Data"    # Chrome's saved-password database
copy-item -Force -Path $loginDataPath -Destination $dstFileName

With the stolen master keys and browser files, the attackers can decrypt the browser data on their own systems. The master keys themselves are protected by the user's logon password, but an attacker who already controls a domain controller can recover them with the domain's DPAPI backup key, so no further interaction with the victim host is needed. The SMB-based collection is hard to spot because reads through administrative shares look like routine administration in many environments; detection has to key on which files are read rather than on the share access itself, which on Windows means Security event 5145 ("Audit Detailed File Share") and the file names listed above.
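The collection pattern above tells a defender what to hunt for. The following PowerShell is an added example written for this page, not the article's code and not ToddyCat's tooling: it takes Security event 5145 records (logged when a client opens a file through a share, provided "Audit Detailed File Share" success auditing is enabled), keeps only reads through administrative shares such as C$, and flags sources that read the browser files the article lists or the DPAPI master-key folder. The event objects in the block are constructed samples, and the account names, addresses, profile name and SID are placeholders; on a live system the ConvertFrom-Event5145 helper turns Get-WinEvent output into the same shape.

```powershell
# Added example for this page, not the article's code and not ToddyCat's tooling.
# Hunts Security event 5145 data for TomBerBil-style browser-secret reads over SMB.
# Assumption: input objects carry the 5145 EventData fields SubjectUserName,
# IpAddress, ShareName, RelativeTargetName and AccessMask.

# Profile folders and file names from the article (Chrome/Edge/Firefox).
$BrowserProfileFolders = @(
    '\AppData\Local\Google\Chrome\User Data\',
    '\AppData\Local\Microsoft\Edge\User Data\',
    '\AppData\Roaming\Mozilla\Firefox\Profiles\'
)
$SecretFileNames = @('Login Data', 'Local State', 'Cookies', 'History',
                     'key3.db', 'key4.db', 'signons.sqlite', 'logins.json')

function Test-BrowserSecretPath {
    param([Parameter(Mandatory)][string]$RelativeTargetName)
    # DPAPI master keys unlock Local State offline; any remote read of the
    # Protect folder is suspicious on its own.
    if ($RelativeTargetName -like '*\AppData\Roaming\Microsoft\Protect\*') { return 'DPAPI' }
    $leaf = ($RelativeTargetName -split '[\\/]')[-1]
    foreach ($folder in $BrowserProfileFolders) {
        # Require the browser profile folder too: a file merely named
        # "History" or "Cookies" elsewhere is not a hit.
        if ($RelativeTargetName -like "*$folder*" -and $SecretFileNames -contains $leaf) {
            return 'BrowserSecret'
        }
    }
    return $null
}

function Find-SmbBrowserSecretReads {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 3   # distinct secret files from one source before rating High
    )
    $hits = foreach ($e in $Events) {
        # Administrative shares only: \\*\C$, \\*\D$ ... (not IPC$ or named shares)
        if ($e.ShareName -notmatch '\\[A-Za-z]\$$') { continue }
        $kind = Test-BrowserSecretPath $e.RelativeTargetName
        if ($kind) {
            [pscustomobject]@{ Source = $e.IpAddress; Account = $e.SubjectUserName
                               Kind = $kind; Target = $e.RelativeTargetName }
        }
    }
    $hits | Group-Object Source, Account | ForEach-Object {
        $files = @($_.Group.Target | Sort-Object -Unique)
        $dpapi = ($_.Group.Kind -contains 'DPAPI')
        $sev   = if ($dpapi -or $files.Count -ge $Threshold) { 'High' } else { 'Medium' }
        [pscustomobject]@{ Source = $_.Group[0].Source; Account = $_.Group[0].Account
                           Files = $files.Count; DpapiRead = $dpapi; Severity = $sev; Targets = $files }
    }
}

# Live use: convert real 5145 records to the field shape above.
function ConvertFrom-Event5145 {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]$d
    }
}
# Find-SmbBrowserSecretReads -Events (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5145} | ConvertFrom-Event5145)

# Constructed sample events (placeholder addresses, accounts, profile name and SID).
$SampleEvents = @(
    @{ SubjectUserName='svc-backup'; IpAddress='10.0.0.5';  ShareName='\\*\C$'; AccessMask='0x120089'; RelativeTargetName='Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data' },
    @{ SubjectUserName='svc-backup'; IpAddress='10.0.0.5';  ShareName='\\*\C$'; AccessMask='0x120089'; RelativeTargetName='Users\alice\AppData\Local\Google\Chrome\User Data\Local State' },
    @{ SubjectUserName='svc-backup'; IpAddress='10.0.0.5';  ShareName='\\*\C$'; AccessMask='0x120089'; RelativeTargetName='Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies' },
    @{ SubjectUserName='svc-backup'; IpAddress='10.0.0.5';  ShareName='\\*\C$'; AccessMask='0x120089'; RelativeTargetName='Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1000-2000-3000-1105\a1b2c3d4-0000-0000-0000-000000000000' },
    @{ SubjectUserName='svc-backup'; IpAddress='10.0.0.5';  ShareName='\\*\C$'; AccessMask='0x120089'; RelativeTargetName='Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json' },
    @{ SubjectUserName='helpdesk';   IpAddress='10.0.0.50'; ShareName='\\*\C$'; AccessMask='0x120089'; RelativeTargetName='Users\carol\Documents\report.docx' },
    @{ SubjectUserName='helpdesk';   IpAddress='10.0.0.50'; ShareName='\\*\C$'; AccessMask='0x120089'; RelativeTargetName='Users\carol\Desktop\Cookies' }
) | ForEach-Object { [pscustomobject]$_ }

Find-SmbBrowserSecretReads -Events $SampleEvents | Format-List
```

Two design choices matter here. The match requires both the browser profile folder and the file name, because "Cookies" or "History" as a bare leaf name is too common to alert on, while any remote read of the Protect folder is treated as a hit by itself since there is no routine reason to pull another user's DPAPI master keys over SMB. Event 5145 is noisy on file servers, so scope the query to workstations, or to administrative shares as the function does, and expect the source address to be the domain controller in the campaign described above.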
