
Introduction
The cyber‑threat landscape just received a wake‑up call thanks to a fresh alert from the security community. Researchers have uncovered that the advanced persistent threat group known as ToddyCat is deploying a new variant of its toolkit—dubbed TomBerBil—using PowerShell to steal browser credentials, DPAPI keys, Outlook OST files, and Microsoft 365 tokens. In a world where hybrid work, cloud services and remote access are the norm, the implications of such a broad‑spectrum campaign are unsettling. In this piece we will unpack the key findings, then dig into what the world of enterprise cybersecurity should be considering now.
Key Findings (Original Summary)
Researchers monitoring ToddyCat’s activity observed the group using a PowerShell‑based attack vector that centres on a newly identified TomBerBil variant. This malware operates by harvesting sensitive data including browser‑stored credentials, DPAPI encryption keys (used in Windows to protect secrets such as stored passwords and certificates), Outlook OST files (which are offline copies of mailbox data) and Microsoft 365 authentication tokens. The technique of token theft is especially dangerous because unauthorized tokens can allow attackers to impersonate users or access cloud resources without needing a password. The collection method is reported to leverage SMB‑based file collection and memory dumps, meaning the malware can move laterally or escalate privileges internally. The campaign combines typical credential harvesting with more advanced collection of mail‑related artefacts and token‑based attack tools. The end result is that organisations using M365 and relying on Windows environments face a multi‑layer threat that can bypass traditional password‑only defences. While full technical details of the variant remain limited at present—such as exact propagation, persistence methods or C2 communications—the overall pattern signals a tightening of the threat actor’s toolkit, blending credential theft with cloud‑token hijacks and local data exfiltration.
What Undercode Says:
Context on ToddyCat’s Evolution
ToddyCat has steadily grown from a regional threat to a globally relevant adversary. The group has historically been known for targeted intrusion campaigns in Southeast Asia; this evolution of its toolkit underscores that even niche APT groups are pivoting to cloud‑centric tactics. The TomBerBil variant reflects a strategic pivot from simply stealing credentials to harvesting wider “identity assets” (tokens, OST files, DPAPI keys) which grant persistence and cloud‑access opportunities.
Why This Matters for Organisations
When credentials alone are stolen, organisations can rotate passwords or enforce MFA to cut off access. But when attackers steal tokens or DPAPI keys, they essentially bypass many controls. Tokens can allow session hijacking; DPAPI keys can help decrypt stored secrets; OST files provide mailbox access offline. The use of SMB-based file collection means attackers are not only going after the endpoints but also traversing network shares—an older technique, yet evidently still effective. This hybrid “traditional network + modern cloud” vector is especially dangerous for enterprises adopting Microsoft 365 and hybrid infrastructures.
Implications for Defences
This attack scenario means that security teams cannot rely solely on endpoint antivirus or password policies. They must assume that once inside, adversaries will attempt to gather credentials, tokens and archives of mail data. Monitoring for memory dumps, checking for suspicious PowerShell activity (especially scripts that write process memory to a file), auditing SMB traffic for unusual collection of identity artefacts, and looking for anomalous M365 token issuance or use all become priorities. Detection must move from perimeter‑only to identity‑centric and lateral‑movement aware.
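To make the monitoring priorities above concrete, here is an added Python triage script. It is not code from the article, from ToddyCat's toolkit or from any vendor; it runs three defender-side heuristics over constructed, normalised log records: PowerShell script-block events (Event ID 4104) that reference memory-dump activity, SMB share-access events (Event ID 5145) where one source reads Outlook OST files, DPAPI master keys or browser credential stores across several hosts, and M365 sign-in records where one session token is used from two IP addresses within a short window. The field names, keyword list and path patterns are assumptions to tune against your own telemetry.

```python
"""Identity-artefact collection heuristics (added illustration, not the article's or any vendor's rules).

Record field names, keyword lists and path patterns are assumptions; the
sample events at the bottom are constructed to show one hit per rule.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Terms suggesting a script writes process memory to disk (assumption: keyword
# heuristic, case-insensitive; combine with other signals to limit noise).
MEMORY_DUMP_TERMS = ("minidumpwritedump", "lsass", ".dmp")

# Share-access targets holding the identity artefacts the article names:
# Outlook OST files, DPAPI keys under Microsoft\Protect, and the Chromium
# "Login Data" credential store (assumption: path patterns).
IDENTITY_ARTIFACT_RE = re.compile(
    r"(\.ost$)|(\\microsoft\\protect\\)|(\\login data$)", re.IGNORECASE)


def detect_powershell_memory_dump(events):
    """Flag PowerShell script blocks (4104) that reference memory-dump activity."""
    alerts = []
    for e in events:
        if e.get("event_id") != 4104:
            continue
        text = e["script_block"].lower()
        hits = [t for t in MEMORY_DUMP_TERMS if t in text]
        if hits:
            alerts.append({"rule": "ps_memory_dump", "host": e["host"],
                           "user": e["user"], "terms": hits})
    return alerts


def detect_smb_identity_collection(events, min_hosts=2):
    """Flag a source reading identity artefacts over SMB (5145) from at least
    `min_hosts` distinct hosts: the collection pattern, not one stray read."""
    touched = defaultdict(set)  # source_ip -> {(host, target)}
    for e in events:
        if e.get("event_id") != 5145:
            continue
        if IDENTITY_ARTIFACT_RE.search(e["target"]):
            touched[e["source_ip"]].add((e["host"], e["target"]))
    alerts = []
    for src, items in touched.items():
        hosts = {h for h, _ in items}
        if len(hosts) >= min_hosts:
            alerts.append({"rule": "smb_identity_collection", "source_ip": src,
                           "hosts": sorted(hosts),
                           "targets": sorted(t for _, t in items)})
    return alerts


def detect_token_reuse(events, window=timedelta(hours=1)):
    """Flag an M365 session whose token is used from two IPs within `window`."""
    by_session = defaultdict(list)
    for e in events:
        if e.get("event_id") != "m365_signin":
            continue
        by_session[e["session_id"]].append(
            (datetime.fromisoformat(e["time"]), e["ip"], e["user"]))
    alerts = []
    for sid, uses in by_session.items():
        uses.sort()
        for (t1, ip1, user), (t2, ip2, _) in zip(uses, uses[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                alerts.append({"rule": "m365_token_reuse", "session_id": sid,
                               "user": user, "ips": [ip1, ip2]})
    return alerts


def run_all(events):
    """Run every heuristic and return the combined alert list."""
    return (detect_powershell_memory_dump(events)
            + detect_smb_identity_collection(events)
            + detect_token_reuse(events))


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "WS01", "user": "CORP\\alice",
     "script_block": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"event_id": 4104, "host": "WS01", "user": "CORP\\alice",
     "script_block": "# constructed: calls MiniDumpWriteDump and writes C:\\Temp\\mem.dmp"},
    {"event_id": 5145, "host": "WS02", "user": "CORP\\svc-backup", "source_ip": "10.0.0.7",
     "target": "Users\\bob\\AppData\\Local\\Microsoft\\Outlook\\bob.ost"},
    {"event_id": 5145, "host": "WS03", "user": "CORP\\svc-backup", "source_ip": "10.0.0.7",
     "target": "Users\\carol\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1\\key"},
    {"event_id": 5145, "host": "WS03", "user": "CORP\\svc-backup", "source_ip": "10.0.0.7",
     "target": "Users\\carol\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"event_id": 5145, "host": "FS01", "user": "CORP\\dave", "source_ip": "10.0.0.9",
     "target": "Shared\\Q3-report.xlsx"},
    {"event_id": 5145, "host": "WS04", "user": "CORP\\dave", "source_ip": "10.0.0.9",
     "target": "Users\\dave\\AppData\\Local\\Microsoft\\Outlook\\dave.ost"},  # single host: below threshold
    {"event_id": "m365_signin", "session_id": "sess-1", "user": "bob@corp.example",
     "ip": "203.0.113.5", "time": "2025-01-10T09:00:00"},
    {"event_id": "m365_signin", "session_id": "sess-1", "user": "bob@corp.example",
     "ip": "198.51.100.9", "time": "2025-01-10T09:20:00"},
    {"event_id": "m365_signin", "session_id": "sess-2", "user": "alice@corp.example",
     "ip": "203.0.113.5", "time": "2025-01-10T09:00:00"},
    {"event_id": "m365_signin", "session_id": "sess-2", "user": "alice@corp.example",
     "ip": "203.0.113.5", "time": "2025-01-10T09:30:00"},
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

The SMB rule deliberately requires hits on more than one host so that a single legitimate backup read of an OST file does not page anyone, while a source sweeping mailbox files, DPAPI keys and browser stores across workstations does; the token rule only needs the session identifier, sign-in time and IP, which most M365 sign-in exports already carry.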
Strategic Takeaway
The real lesson here is that identity is now the new perimeter. Attackers have recognised that to sustain access in a cloud‑centric world they must neutralise tokens and encryption keys, not just passwords. Organisations that still treat tokens or mailbox data as “lower priority” must reassess. This is not just about cleaning up after a password leak—it is about blocking adversaries who already hold credentials and are reaching deeper. For managed detection and response teams the target list now includes tokens, OST files and DPAPI keys—items that may have been ignored until now.
Prediction
🚨 We expect that within the next 6–12 months, more threat groups (both state‑affiliated and financially motivated) will adopt token‑theft modules similar to TomBerBil. As cloud authentication becomes increasingly common, threat actors will further blend credential theft with cloud‑token harvesting, making identity‑based controls and activity‑monitoring central to defence. Organisations that do not evolve to identity‑centric detection will face wider‑scale compromises.
Fact Checker Results
✅ The alert about ToddyCat deploying TomBerBil via PowerShell is consistent with recent signals in enterprise security intelligence.
❌ Specific details such as full propagation methods, persistence mechanisms and attribution confidence remain limited or publicly unverified.
✅ The emphasis on credentials, DPAPI keys, OST files and M365 tokens aligns with the trend of adversaries targeting identity artefacts rather than just systems.
References:
Reported By: x.com