Shadow Token via Remote Debug: OAuth mailbox hijack
🔒 Kaspersky researchers describe a covert technique named Shadow Token via Remote Debug (STRD) used by the ToddyCat APT to gain persistent access to Google Workspace mailboxes without user interaction. The attackers deploy malware (Umbrij) that duplicates a browser profile, launches a headless debugging browser, and programmatically authorizes a third-party OAuth app to obtain an access token. This approach can survive password resets and evades endpoint detection when properly executed.
