ToddyCat APT Group Upgrades Cyber-Espionage Toolkit

Cyber Security News by CyberSum.net
5 sources
The ToddyCat APT group has enhanced its cyber-espionage toolkit to infiltrate corporate email systems by stealing browser data, Outlook mail archives, and OAuth 2.0 access tokens from Microsoft 365. The group has developed a new PowerShell-based variant of TomBerBil, which runs on domain controllers and harvests browser files via SMB. Additionally, ToddyCat uses TCSectorCopy to steal Outlook OST files and SharpTokenFinder to extract OAuth 2.0 tokens from memory. These techniques allow the group to access corporate emails outside the monitored environment, posing a significant threat to organizations using hybrid or cloud-based email platforms.
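The collection pattern described above, mailbox archives and browser data read from user workstations by a central host rather than by the users themselves, is something a detection engineer can hunt for in file-access telemetry. The following is an added example written for this page, not code from the report, its sources, or the ToddyCat toolset. It assumes a hypothetical audit-record format (timestamp, host performing the read, account, path accessed) and uses constructed sample entries; it flags reads of Outlook OST files and browser credential or cookie stores that arrive over an administrative share or under an account that does not own the profile, then groups the hits by the reading host so that one host touching several workstations stands out.

```python
import re
from collections import defaultdict

# Constructed sample file-access audit records. The line format
# (timestamp, reading host, account, path) is hypothetical and is not
# any real product's log; the hosts, accounts and paths are made up.
SAMPLE_EVENTS = r"""
2024-01-10T08:01:12Z DC01 CORP\svc-backup \\WS-042\C$\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-01-10T08:01:13Z DC01 CORP\svc-backup \\WS-042\C$\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.example.ost
2024-01-10T08:02:40Z WS-042 CORP\alice C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.example.ost
2024-01-10T08:05:00Z FS01 CORP\bob \\FS01\Shared\report.docx
2024-01-10T08:06:21Z DC01 CORP\svc-backup \\WS-017\C$\Users\carol\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
"""

# Artifact types the summary names as collection targets: Outlook OST
# archives and the browser files that hold saved logins and cookies.
SENSITIVE_PATTERNS = [
    ("outlook_ost", re.compile(r"\.ost$", re.IGNORECASE)),
    ("browser_logins", re.compile(r"\\Login Data$", re.IGNORECASE)),
    ("browser_cookies", re.compile(r"\\Cookies$", re.IGNORECASE)),
    ("browser_local_state", re.compile(r"\\Local State$", re.IGNORECASE)),
]

# \\HOST\C$\... : a read through an administrative share from another host.
ADMIN_SHARE = re.compile(r"^\\\\([^\\]+)\\[A-Za-z]\$\\", re.IGNORECASE)
# \Users\<name>\ : the profile owner implied by the path.
PROFILE_OWNER = re.compile(r"\\Users\\([^\\]+)\\", re.IGNORECASE)


def parse_event(line):
    """Split one audit line into its four fields; the path may contain spaces."""
    parts = line.strip().split(None, 3)
    if len(parts) != 4:
        return None
    timestamp, source_host, account, path = parts
    return {"time": timestamp, "source": source_host,
            "account": account, "path": path}


def artifact_type(path):
    """Return the sensitive artifact category for a path, or None."""
    for name, pattern in SENSITIVE_PATTERNS:
        if pattern.search(path):
            return name
    return None


def classify(event):
    """Return a finding if the event looks like remote harvesting of mailbox
    or browser data (sensitive artifact read over an admin share, or by an
    account other than the profile owner); otherwise return None."""
    kind = artifact_type(event["path"])
    if kind is None:
        return None
    reasons = []
    share = ADMIN_SHARE.match(event["path"])
    # The workstation whose data was read: the share host for remote reads,
    # the reading host itself for local paths.
    victim_host = share.group(1) if share else event["source"]
    if share:
        reasons.append("read over administrative share")
    owner = PROFILE_OWNER.search(event["path"])
    user = event["account"].rsplit("\\", 1)[-1]
    if owner and owner.group(1).lower() != user.lower():
        reasons.append("account is not the profile owner")
    if not reasons:
        return None
    return {"time": event["time"], "source": event["source"],
            "account": event["account"], "victim": victim_host,
            "artifact": kind, "reasons": reasons}


def flag_events(text):
    """Run classify() over every well-formed line and collect the findings."""
    findings = []
    for line in text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize_by_source(findings):
    """Group findings by the host doing the reading. One host pulling these
    artifacts from several workstations is the pattern worth escalating."""
    grouped = defaultdict(lambda: {"victims": set(), "artifacts": set()})
    for f in findings:
        grouped[f["source"]]["victims"].add(f["victim"])
        grouped[f["source"]]["artifacts"].add(f["artifact"])
    return {src: {"victims": sorted(v["victims"]),
                  "artifacts": sorted(v["artifacts"])}
            for src, v in grouped.items()}


if __name__ == "__main__":
    hits = flag_events(SAMPLE_EVENTS)
    for f in hits:
        print(f["time"], f["source"], "->", f["victim"], f["artifact"], "; ".join(f["reasons"]))
    print(summarize_by_source(hits))
```

On the constructed sample, the user's own local read of her OST file is left alone, while the three reads that a single host performs against other workstations' profiles are flagged and summarised under that host. The rule keys on where the read comes from and who performs it rather than on any tool name, so it does not depend on recognising a specific binary.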