Skip to main content
LiMP VPN
All news

Hackers Read Gmail Without a Password — STRD Attack

Hackers Read Gmail Without a Password — STRD Attack

In short: Kaspersky researchers have exposed a new way to quietly read corporate Gmail — without stealing a single password. A tool called Umbrij, used by the ToddyCat group, hijacks the Google session already open in your browser and pulls a fresh OAuth token, granting the attacker access to your mail, Drive, Calendar and contacts. Because there is no login prompt and no failed-password alert, the intrusion is nearly invisible. Two-factor authentication alone does not stop it — the defence is endpoint hygiene and tight control over what has access to your account.

What happened

At the end of June 2026, Kaspersky's GReAT team disclosed a technique they named STRD — Shadow Token via Remote Debug, spotted in the activity of the APT group ToddyCat. Instead of phishing for a password, the attackers abuse a session that is already authenticated: if you are logged into Google in a Chromium-based browser (Chrome, Edge and others), a purpose-built tool quietly requests a new access token on your behalf.

This is not the first time criminals have gone after the tokens behind your login rather than the password itself. We have already covered how attackers abuse Microsoft's own sign-in flow in our report on device-code phishing — STRD is the same idea aimed at Google accounts, and it needs no interaction from the victim at all.

How the STRD attack works

According to Kaspersky, the tool used to carry this out is a .NET library called Umbrij, obfuscated to evade detection and delivered to Windows machines through DLL sideloading via legitimate signed files. Once running, the chain is roughly this:

The tool copies the browser profile with its saved cookies and active Google session, then launches Chrome or Edge in the background with a remote-debugging port enabled. It connects to that running browser over the DevTools protocol and, because you are still logged in, walks through the OAuth consent flow automatically — selecting the account and approving the permission prompts without any password entry. The captured authorisation code is exchanged for an OAuth token that gives lasting API access to Gmail and the rest of your Google services. To blend in, the requests reuse identifiers from a legitimate Google Workspace migration tool.

The result is access that looks, to Google's servers, like a normal authorised app — which is exactly why it is so hard to notice.

Why this is dangerous for your data

Email is the master key to your digital life. Whoever can read your inbox can trigger password resets for other services, harvest invoices, contracts and personal correspondence, study your contacts to craft convincing follow-up scams, and quietly copy years of history — all without tripping the alarms you rely on. There is no "new sign-in" notification, because from the account's point of view nothing new signed in.

And the attacker never needed your password, so measures built around the password — even a strong, unique one — do not block this path on their own. The danger compounds when other data about you has already leaked, as in the billion-record infostealer leak we reported: the more the criminals already know, the more targeted the intrusion.

How to protect yourself

Audit what has access to your account. In your Google Account under Security → "Third-party apps with account access," review and revoke anything you do not recognise or no longer use. This is where stolen-token access shows up, and pruning it regularly limits the damage.

Keep two-factor authentication on — but do not rely on it alone. 2FA still blocks classic password theft and is essential; STRD simply sidesteps it, which is why it must be paired with the other steps here. Our guide on protecting your account from hijacking walks through the full checklist.

Protect the device itself. STRD runs on a machine that is already compromised, so the real front line is endpoint security: keep the OS and browser updated, install software only from official sources, run reputable protection, and be wary of unexpected attachments and installers. Sign out of your Google account on shared or work-shared computers instead of leaving the session live.

Use unique passwords in a manager. If mail access does lead to password-reset attempts elsewhere, unique credentials in a password manager stop one breach from cascading into all your accounts.

Encrypt your traffic on untrusted networks. A VPN does not stop token theft on an already-infected PC — only endpoint security does that. But it closes a different door: on public or shared Wi-Fi it routes your traffic through an encrypted tunnel, so others on the same network cannot intercept the logins and sessions you send to mail, banking or work portals. LiMP VPN is a no-logs service for iOS and Android — see the features and plans, and more security news on our blog.

Am I affected if I am not a corporate target?

ToddyCat's campaigns focus on organisations, and the specific tool targets Windows. But the underlying weakness — a live browser session that can be turned into a fresh token by anything running on your machine — is general. Any account you stay permanently logged into is exposed if your device is compromised. The takeaways apply to everyone: keep your device clean, log out of sensitive accounts on shared computers, and audit account access periodically.

Sources

This report is based on the research disclosure from Kaspersky GReAT (Securelist), June 2026, and technical coverage by Xakep and iXBT, June–July 2026.

Hackers Read Gmail Without a Password — STRD Attack