While ToddyCat has been active since at least 2020, typically sticking to stealing browser cookies and credentials, this shift toward siphoning entire Outlook archives marks a significant escalation in its playbook. The group previously targeted high-profile organizations in Asia and Europe by hacking into internet-facing Microsoft Exchange servers.
From browsers to domain controllers
In incidents observed between May and June 2024, Kaspersky disclosed detecting a new version of the ToddyCat toolkit “TomBerBill,” written in PowerShell, operating directly from domain controllers under privileged user accounts.
This update expanded the scope of the attack from targeting Chrome and Edge to include Firefox browser data. The script used a scheduled “run” task, created a local directory, and then reached out (over SMB) to connect to user-host directories across the network. Once connected, it copied browser files (cookies, saved credentials, history, etc) for offline analysis.