ToddyCat APT evolves to target Outlook archives and Microsoft 365 tokens

The operators of the ToddyCat advanced persistent threat (APT) toolkit have expanded it to steal Outlook mail data and Microsoft 365 access tokens.

According to Kaspersky's findings, the group refined its toolkit in late 2024 and early 2025 to capture not only browser credentials, as previously seen, but also victims' email archives and cloud access tokens.

The Kaspersky report describes how the group compromised corporate environments (on-premises Exchange or cloud-based mail) and then used post-exploitation techniques to exfiltrate email correspondence without tripping the controls that would normally flag it.

While ToddyCat has been active since at least 2020, typically sticking to stealing browser cookies and credentials, this shift toward siphoning entire Outlook archives marks a significant escalation in its playbook. The group previously targeted high-profile organizations in Asia and Europe by hacking into internet-facing Microsoft Exchange servers.

From browsers to domain controllers

In incidents observed between May and June 2024, Kaspersky identified a new PowerShell version of the ToddyCat tool TomBerBill, run directly from domain controllers under privileged user accounts.

This update expanded the collection scope from Chrome and Edge to Firefox browser data as well. The script was launched by a scheduled task, created a local staging directory, then connected over SMB to user profile directories on hosts across the network and copied the browser files (cookies, saved credentials, history and so on) back for offline analysis.

By collecting the raw browser databases together with the users' Windows DPAPI master keys, ToddyCat could decrypt the saved credentials offline and reuse them to extend its access.
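The collection pattern above (a single source, in this case a domain controller, reaching over SMB into many users' browser profile and DPAPI directories) is visible in Windows Security Event ID 5145 when "Audit Detailed File Share" is enabled. The hunt below is an added example written for this article, not code from Kaspersky or from the ToddyCat tooling: it aggregates constructed 5145-shaped records by source address and flags a source that is a domain controller, that fans out to several hosts, or that reads DPAPI master keys remotely. The domain controller address, host names, account names, SIDs and the two-host threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records shaped like Windows Security Event ID 5145
# ("A network share object was checked to see whether client can be granted
# desired access"). Illustrative only; not telemetry from any real incident.
SAMPLE_5145 = [
    {"Computer": "WS-ALICE", "IpAddress": "10.0.0.5", "SubjectUserName": "svc_admin",
     "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Computer": "WS-ALICE", "IpAddress": "10.0.0.5", "SubjectUserName": "svc_admin",
     "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-111-222-333-1001\5a2d7c3e-1111-2222-3333-444444444444"},
    {"Computer": "WS-BOB", "IpAddress": "10.0.0.5", "SubjectUserName": "svc_admin",
     "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"},
    {"Computer": "WS-BOB", "IpAddress": "10.0.0.5", "SubjectUserName": "svc_admin",
     "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\bob\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    # A helpdesk host touching one document and one browser file on a single
    # workstation: realistic noise that should not be flagged.
    {"Computer": "WS-CAROL", "IpAddress": "10.0.0.77", "SubjectUserName": "helpdesk1",
     "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\carol\Documents\report.docx"},
    {"Computer": "WS-CAROL", "IpAddress": "10.0.0.77", "SubjectUserName": "helpdesk1",
     "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\carol\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

# Assumed: addresses of the domain controllers in this hypothetical environment.
DOMAIN_CONTROLLERS = {"10.0.0.5"}

# Profile paths that browser-credential collection reads: the browser profile
# stores themselves and the per-user DPAPI master keys needed to decrypt them offline.
ARTIFACT_PATTERNS = {
    "chrome": re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data\\", re.I),
    "edge": re.compile(r"\\AppData\\Local\\Microsoft\\Edge\\User Data\\", re.I),
    "firefox": re.compile(r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", re.I),
    "dpapi_masterkey": re.compile(r"\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-", re.I),
}


def classify(relative_target):
    """Return the artifact class a share-relative path belongs to, or None."""
    for label, pattern in ARTIFACT_PATTERNS.items():
        if pattern.search(relative_target):
            return label
    return None


def hunt_browser_collection(events, domain_controllers, min_hosts=2):
    """Aggregate 5145 events by source address and flag sources that read
    browser/DPAPI artifacts from a DC, across several hosts, or including master keys."""
    per_source = defaultdict(lambda: {"hosts": set(), "accounts": set(), "artifacts": set()})
    for ev in events:
        label = classify(ev["RelativeTargetName"])
        if label is None:
            continue
        agg = per_source[ev["IpAddress"]]
        agg["hosts"].add(ev["Computer"])
        agg["accounts"].add(ev["SubjectUserName"])
        agg["artifacts"].add(label)

    findings = []
    for source, agg in per_source.items():
        reasons = []
        if source in domain_controllers:
            reasons.append("source address is a domain controller")
        if len(agg["hosts"]) >= min_hosts:
            reasons.append(f"browser artifacts read on {len(agg['hosts'])} hosts")
        if "dpapi_masterkey" in agg["artifacts"]:
            reasons.append("DPAPI master keys read over SMB")
        if reasons:
            findings.append({"source": source, "hosts": agg["hosts"], "accounts": agg["accounts"],
                             "artifacts": agg["artifacts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_browser_collection(SAMPLE_5145, DOMAIN_CONTROLLERS):
        print(f["source"], sorted(f["hosts"]), sorted(f["artifacts"]), "; ".join(f["reasons"]))
```

Event 5145 is high-volume, so the useful signal is the aggregation, not any single record: a domain controller should normally never be the client side of an SMB read into a workstation's AppData, and no administrative tool needs the Protect directory of many users at once.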

This marks the second major change in ToddyCat's tooling this year, following an April 2025 campaign in which the group abused a DLL search-order hijacking flaw in an ESET command-line scanner to load a malicious module through the product's trusted process.

Outlook in the Crosshairs

Another evolution involves access to the mail data itself. ToddyCat deployed a tool named TCSectorCopy, a C++ utility that opens the disk read-only and copies Outlook's offline storage (OST) files sector by sector, bypassing the exclusive file lock Outlook holds on them while it is running.

Once the OST files are extracted, they are fed into XstReader, an open-source viewer that parses OST/PST mail archives, giving the attackers the full content of the corporate correspondence. In environments that use cloud mail (such as Microsoft 365), the updated tooling also harvests OAuth 2.0 access tokens.

Attackers can extract OAuth 2.0 tokens from a victim’s browser, allowing them to access corporate email even when they’re no longer inside the compromised network, a Kaspersky researcher said in the report.

In at least one case, security software blocked the token-dumping attempt, the researchers noted. Undeterred, the attackers switched to a memory-dump tool (ProcDump from Sysinternals) to dump the running Outlook process and extract the tokens from its memory.
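Both of the techniques above leave distinctive endpoint telemetry: a process that reads a volume through a \\.\ device path (what TCSectorCopy does to get around Outlook's file lock) produces Sysmon Event ID 9 (RawAccessRead) when the Sysmon configuration enables it, and a dump of the Outlook process produces Sysmon Event ID 10 (ProcessAccess) with a granted access mask that includes PROCESS_VM_READ, usually alongside an Event ID 1 process creation for the dumper. The detection below is an added example written for this article, not Kaspersky's code and not a published ToddyCat signature; it runs three rules over constructed Sysmon-shaped records. The process allowlists, file paths and names are assumptions to be tuned per environment.

```python
import ntpath

# Constructed records shaped like Sysmon events (EventID 9 RawAccessRead,
# 10 ProcessAccess, 1 ProcessCreate). Paths and names are made up for illustration.
SAMPLE_SYSMON = [
    {"EventID": 9, "Image": r"C:\Windows\System32\vssvc.exe", "Device": r"\Device\HarddiskVolume2"},
    {"EventID": 9, "Image": r"C:\ProgramData\cache\copy.exe", "Device": r"\Device\HarddiskVolume2"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "GrantedAccess": "0x1000"},  # PROCESS_QUERY_LIMITED_INFORMATION only: benign
    {"EventID": 1, "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma outlook.exe C:\Users\Public\o.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

# Assumed allowlist of processes that legitimately read raw volumes (VSS, defrag, backup).
RAW_READ_ALLOWLIST = {"vssvc.exe", "defrag.exe", "wbengine.exe"}
# Assumed allowlist of processes that may open Outlook's memory (e.g. an AV/EDR engine).
OUTLOOK_ACCESS_ALLOWLIST = {"msmpeng.exe"}

PROCESS_VM_READ = 0x0010  # Win32 access right needed to read another process's memory


def basename(path):
    """Case-folded file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def rule_raw_volume_read(ev):
    """Sysmon 9: raw volume read by a process outside the allowlist."""
    if ev["EventID"] != 9 or basename(ev["Image"]) in RAW_READ_ALLOWLIST:
        return None
    return {"rule": "raw_volume_read", "image": ev["Image"], "device": ev["Device"]}


def rule_outlook_memory_access(ev):
    """Sysmon 10: handle to outlook.exe that permits reading its memory."""
    if ev["EventID"] != 10 or basename(ev["TargetImage"]) != "outlook.exe":
        return None
    if basename(ev["SourceImage"]) in OUTLOOK_ACCESS_ALLOWLIST:
        return None
    granted = int(ev["GrantedAccess"], 16)  # Sysmon records the mask as a hex string
    if not granted & PROCESS_VM_READ:
        return None
    return {"rule": "outlook_memory_access", "image": ev["SourceImage"], "granted": hex(granted)}


def rule_procdump_of_outlook(ev):
    """Sysmon 1: ProcDump invoked with a full (-ma) or MiniPlus (-mp) dump of Outlook."""
    if ev["EventID"] != 1:
        return None
    cmd = ev["CommandLine"].lower()
    if "procdump" in basename(ev["Image"]) and "outlook" in cmd and ("-ma" in cmd or "-mp" in cmd):
        return {"rule": "procdump_of_outlook", "image": ev["Image"], "command_line": ev["CommandLine"]}
    return None


RULES = [rule_raw_volume_read, rule_outlook_memory_access, rule_procdump_of_outlook]


def detect(events):
    """Run every rule over every event; return the list of hits in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_SYSMON):
        print(hit)
```

The ProcessAccess rule keys on the access mask rather than on the tool name because the same signal appears whatever dumper the attacker substitutes after one is blocked; the ProcDump command-line rule is the cheap, specific check for the case the report describes.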

The report provides a set of malicious filenames, paths, and directories as indicators of compromise (IOCs) to support detection efforts. ToddyCat’s shift toward mail theft fits a broader trend seen in earlier campaigns, where the group used custom backdoors, covert traffic tunnels, and long-term espionage tactics against government and military networks across Europe and Asia.
