ToddyCat APT Group Upgrades Cyber-Espionage Toolkit

The ToddyCat APT group has enhanced its cyber-espionage toolkit to infiltrate corporate email systems by stealing browser data, Outlook mail archives, and OAuth 2.0 access tokens from Microsoft 365. The group has developed a new PowerShell-based variant of TomBerBil, which runs on domain controllers and harvests browser files via SMB. Additionally, they use TCSectorCopy to copy OST files and XstReader to extract email contents. The attackers also target OAuth 2.0 tokens stored in the memory of Office apps to access cloud email.

Latest mentioned: 11-25

Earliest mentioned: 11-22

Sources

securelist.ru gbhackers.com securelist.com securityonline.info thehackernews.com

Also Read

StealC V2 Malware Spread via Blender Files on 3D Sites

Cybersecurity firm Morphisec reported that StealC V2 infostealer is being spread through malicious Blender files on 3D model marketplaces. The malware abuses Blender’s ability to run Python scripts for automation and add-ons. The campaign, active for at least six months, involves implanting malicious .blend files on platforms like CGTrader. Users unknowingly download these files, which execute embedded Python scripts upon opening in Blender. The attack chain begins with a tampered Rig_Ui.py script embedded inside the .blend file, which fetches a loader from a remote domain, downloading a PowerShell stage and ZIP archives containing Python-based stealers. The malware creates LNK files to secure persistence and uses Pyramid C2 channels to retrieve encrypted payloads. StealC V2 now targets more than 23 browsers, over 100 plugins, more than 15 desktop wallets, and a range of messaging, VPN, and mail clients.

11-26Read more →