New Tools and Techniques of ToddyCat APT
Nov. 21, 2025, 10:35 p.m.
Description
The ToddyCat APT group has evolved its methods to gain covert access to corporate email. The report details their use of PowerShell-based TomBerBil for extracting browser data, TCSectorCopy for copying Outlook OST files, and attempts to steal OAuth tokens from Microsoft 365 processes. These tools allow the attackers to bypass security monitoring and access email data both on-premises and in the cloud. The group's tactics include using SMB to remotely access files, dumping process memory, and searching for access tokens. Detection recommendations are provided for each technique.
Date
- Created: Nov. 21, 2025, 2:38 p.m.
- Published: Nov. 21, 2025, 2:38 p.m.
- Modified: Nov. 21, 2025, 10:35 p.m.