ToddyCat Deploys New Tools to Steal Outlook Emails and Microsoft 365 Tokens
Summary
ToddyCat, an APT group active since 2020, has adopted new methods to steal corporate email data and Microsoft 365 access tokens. The group uses custom tools such as TCSectorCopy and SharpTokenFinder to bypass security controls and extract sensitive information from Outlook OST files and from process memory. ToddyCat targets organizations in Europe and Asia, employing tools such as Samurai, TomBerBil, and TCESB to maintain access and exfiltrate data. The group has been observed using a PowerShell variant of TomBerBil to extract data from Mozilla Firefox and other browsers, running it from domain controllers and reaching victim hosts over SMB. It uses TCSectorCopy to copy OST files and XstReader to extract their email contents. For Microsoft 365 tokens, it employs SharpTokenFinder and ProcDump in ways that evade security software. These tactics show how ToddyCat keeps refining its techniques for accessing corporate correspondence inside compromised infrastructures.
Timeline
- 25.11.2025 13:36 · 1 article
ToddyCat Adopts New Tools for Email and Token Theft
ToddyCat has been observed using TCSectorCopy to steal Outlook OST files and SharpTokenFinder to extract Microsoft 365 tokens. The group's use of TomBerBil to extract data from browsers via SMB and its earlier exploitation of CVE-2024-11859 demonstrate its evolving tactics. These activities highlight the group's focus on accessing corporate email data and maintaining persistent access to compromised infrastructures.
Sources:
- ToddyCat's New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens — thehackernews.com — 25.11.2025 13:36
Information Snippets
- ToddyCat uses TCSectorCopy to steal Outlook OST files by copying them sector by sector. (First reported: 25.11.2025 13:36; 1 source, 1 article)
- The group employs SharpTokenFinder to extract Microsoft 365 JWTs from memory. (First reported: 25.11.2025 13:36; 1 source, 1 article)
- TomBerBil, in a PowerShell variant, extracts data from Mozilla Firefox and other browsers via SMB. (First reported: 25.11.2025 13:36; 1 source, 1 article)
- ToddyCat has been active since 2020, targeting organizations in Europe and Asia. (First reported: 25.11.2025 13:36; 1 source, 1 article)
- The group previously exploited CVE-2024-11859 in the ESET Command Line Scanner to deliver the TCESB malware. (First reported: 25.11.2025 13:36; 1 source, 1 article)