
ToddyCat Expands Toolset With PowerShell TomBerBil for Microsoft 365 Token Theft

December 5th, 2025

High

Our Cyber Threat Intelligence Unit is monitoring an ongoing campaign that uses a new PowerShell-based variant of the TomBerBil toolset linked to the ToddyCat APT group. First observed between May and June 2024 and later documented through 2025, this activity combines browser data harvesting, DPAPI key theft, Outlook data extraction, and OAuth 2.0 token hijacking to maintain persistent access to Microsoft 365 environments. Using privileged accounts, attackers deploy TomBerBil on domain controllers to remotely collect browser profile data and encryption keys to perform offline decryption of credentials and session cookies. Simultaneously, ToddyCat operators dump Microsoft 365 application memory using tools such as SharpTokenFinder and ProcDump to extract valid OAuth 2.0 access tokens that can be used to retrieve mailbox contents directly from Microsoft 365 cloud services without reauthentication, effectively bypassing MFA prompts.

Technical Details

  • Attack Type: Credential and token theft (browser-data harvesting, DPAPI key exfiltration, OAuth 2.0 session hijacking)

  • Severity: High.

  • Components Affected: User browsers (Chrome, Edge, Firefox), Microsoft 365 cloud services (Outlook mail APIs), Domain controllers (TomBerBil execution point).

  • Attack Chain:

    • Deployment of PowerShell TomBerBil Variant:

      • ToddyCat deploys a PowerShell version of TomBerBil to domain controllers, executed via a scheduled task (e.g., ip445.ps1).

      • Unlike earlier C++/C# builds, this variant is optimized for remote harvesting rather than local execution.

    • Remote Browser Data Collection via SMB:

      • TomBerBil reads a list of hostnames and connects to administrative shares (e.g., \\hostname\C$) to copy browser profile directories, including:

        • Chrome / Edge: Login Data, Cookies, Local State, Browsing history

        • Firefox: logins.json, signons.sqlite, key3.db/key4.db

        • Windows DPAPI Key Material: %AppData%\Microsoft\Protect\, %LocalAppData%\Microsoft\Credentials\

      • These keys, combined with the victim’s SID and password, allow attackers to decrypt browser passwords, cookies, and session tokens offline.

    • Storage & Processing of Harvested Data:

      • The scheduled PowerShell task creates working directories (e.g., under C:\ProgramData) and stores collected browser files and DPAPI keys for later offline decryption.

    • Outlook Data Theft (OST Cloning):

      • ToddyCat also abuses tools such as TCSectorCopy and XstReader to clone and parse Outlook OST files using raw disk access, resulting in a complete extraction of mailbox content and attachments.

    • OAuth 2.0 Token Extraction from Microsoft 365 Processes:

      • For cloud-mail access, attackers dump memory from Microsoft 365 applications using:

        • SharpTokenFinder (automated memory scraping for JWT-like strings)

        • ProcDump (manual fallback when the automated tool is blocked)

      • Tokens recovered from OUTLOOK.EXE and similar processes can be used to retrieve mailbox content directly from Microsoft 365 cloud mail APIs, bypassing authentication flows and many visibility controls.


Impact

  • Long-term email access: Stolen OAuth tokens permit direct cloud API access to Microsoft 365 mailboxes without credential prompts or MFA.

  • Stealthy credential theft: Browser profiles and DPAPI keys allow decryption of stored credentials and session cookies without generating login events.

  • Complete mailbox compromise: OST cloning exposes full mailbox content, including historical email, attachments, and sensitive internal correspondence.

  • Regulatory exposure: Unauthorized access to regulated or personal data may trigger incident-reporting and compliance obligations (e.g., GDPR, HIPAA).

Detection Method

  • Endpoint & Process Monitoring:

    • Look for PowerShell execution of unknown .ps1 scripts (e.g., ip445.ps1).

    • Monitor for memory-dump utilities (e.g., ProcDump) targeting Microsoft 365 processes.

    • Flag unusual scheduled tasks creating temporary directories or invoking PowerShell with bypass flags.

  • SMB / File-Share Monitoring:

    • Detect domain controllers accessing browser-profile paths on workstations:

      • C:\Users\<User>\AppData\Local\Google\Chrome\User Data\

      • C:\Users\<User>\AppData\Roaming\Mozilla\Firefox\

      • %AppData%\Microsoft\Protect\

      • %LocalAppData%\Microsoft\Credentials\

    • Event sources: Windows Event ID 5145 (file-share access)

  • Raw Disk Access / OST Theft:

    • Monitor Sysmon Event ID 9 (RawAccessRead) for attempts to read .ost files directly from disk.
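
As an added hunting example (not part of this advisory), the following Python pass applies the Detection Method rules above to constructed Windows Security 5145 and Sysmon Event 9 records; the domain controller addresses, the raw-read allowlist and the sample records are assumptions, while the event field names follow the real event schemas.

```python
from fnmatch import fnmatchcase
from typing import Optional
# Constructed for this example: addresses of the environment's domain controllers.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
# 5145 RelativeTargetName form of the browser-profile and DPAPI paths under Detection Method.
SENSITIVE_PATHS = (
    r"users\*\appdata\local\google\chrome\user data\*",
    r"users\*\appdata\local\microsoft\edge\user data\*",
    r"users\*\appdata\roaming\mozilla\firefox\*",
    r"users\*\appdata\roaming\microsoft\protect\*",
    r"users\*\appdata\local\microsoft\credentials\*",
)
# Constructed allowlist of images expected to open volumes raw (backup, VSS).
RAW_READ_ALLOWLIST = {r"c:\windows\system32\vssvc.exe"}

def flag_share_access(ev: dict) -> Optional[str]:
    """Security 5145: a DC reading browser/DPAPI paths through an admin share."""
    if ev.get("EventID") != 5145 or ev.get("IpAddress") not in DOMAIN_CONTROLLERS:
        return None
    if not ev.get("ShareName", "").endswith("$"):  # only C$/ADMIN$-style shares
        return None
    target = ev.get("RelativeTargetName", "")
    if any(fnmatchcase(target.lower(), p) for p in SENSITIVE_PATHS):
        return f"DC {ev['IpAddress']} read {ev['ShareName']}\\{target} on {ev['Computer']}"
    return None

def flag_raw_read(ev: dict) -> Optional[str]:
    """Sysmon 9 (RawAccessRead): a non-allowlisted image opened a volume raw. The event
    names the device, not the file, so OST cloning shows up as an unexpected image."""
    if ev.get("EventID") != 9 or ev.get("Image", "").lower() in RAW_READ_ALLOWLIST:
        return None
    return f"raw read of {ev.get('Device')} by {ev['Image']} on {ev['Computer']}"

def hunt(events: list) -> list:
    """Run every rule over every event; return the alert strings in event order."""
    return [hit for ev in events for rule in (flag_share_access, flag_raw_read)
            if (hit := rule(ev))]

# Constructed sample records; the xCopy.exe path is taken from the advisory's IoC list.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "WS01", "IpAddress": "10.0.0.10", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 5145, "Computer": "WS01", "IpAddress": "10.0.0.10", "ShareName": r"\\*\SYSVOL",
     "RelativeTargetName": r"corp.example\Policies\{GUID}\GPT.INI"},  # GPO read: benign
    {"EventID": 5145, "Computer": "WS02", "IpAddress": "10.0.0.55", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\jdoe\AppData\Roaming\Microsoft\Protect\S-1-5-21-1\x"},  # not a DC
    {"EventID": 9, "Computer": "WS01", "Image": r"C:\Windows\Temp\xCopy.exe", "Device": r"\Device\HarddiskVolume3"},
    {"EventID": 9, "Computer": "WS01", "Image": r"C:\Windows\System32\vssvc.exe", "Device": r"\Device\HarddiskVolume3"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields two alerts: the DC's read of the Chrome Login Data file over C$ and the raw volume read by the non-allowlisted image.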

Indicators of Compromise

  • Hash: 55092E1DEA3834ABDE5367D79E50079A (ip445.ps1)

  • Hash: 2320377D4F68081DA7F39F9AF83F04A2 (xCopy.exe)

  • Hash: B9FDAD18186F363C3665A6F54D51D3A0 (stf.exe)

  • File: C:\programdata\ip445.ps1

  • File: C:\Windows\Temp\xCopy.exe

  • File: C:\Windows\Temp\XstExport.exe

  • File: c:\windows\temp\stf.exe

  • File: O:\Projects\Penetration\Tools\SectorCopy\Release\SectorCopy.pdb

  • Process: ProcDump targeting Outlook or Microsoft 365 apps


Recommendations

  • Revoke suspect OAuth tokens: Immediately invalidate potentially compromised Microsoft 365 access tokens through PowerShell or Microsoft Graph administrative controls.

  • Restrict SMB access: Limit administrative shares, enforce least privilege, and monitor DC-to-workstation SMB traffic.

  • Enhance monitoring: Prioritize Sysmon/EDR alerts for memory-dump activity, scheduled-task creation, and access to DPAPI-protected directories.

  • Update and harden endpoints: Ensure browsers, Microsoft 365 clients, and endpoint protections are fully patched.

  • Isolate compromised hosts: Quarantine affected systems, validate backups, and ensure clean restoration and recovery points.

Conclusion

ToddyCat’s evolving toolset demonstrates a deliberate shift toward stealth, persistence, and cloud-abuse tradecraft. By combining browser-data harvesting, OST extraction, and OAuth token hijacking, attackers can maintain long-term access to sensitive email infrastructure with minimal detection. To mitigate the associated risks, we urge organizations to prioritize revoking compromised tokens and tightening SMB and privilege boundaries, while also strengthening monitoring across authentication tokens, browser data, and email storage systems.
