Malware exploits undocumented Google OAuth endpoint to regenerate Google cookies

CloudSEK researchers have analysed a zero-day exploit that generates persistent Google cookies through token manipulation. The exploit, originally identified by a developer known as PRISMA, abuses an undocumented Google OAuth endpoint, MultiLogin. It lets attackers keep accessing Google services even after the user has reset their password. The Lumma infostealer has been seen using the exploit, and other malware families have since incorporated it. To obtain the material the endpoint needs, the malware reads the token_service table of Chrome's WebData database and extracts the tokens and account IDs of the Chrome profiles that are logged in; these are then used against MultiLogin to regenerate the cookies.
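For triage on a host suspected of infection, the practical question is which Google accounts had refresh tokens sitting in that table, since those are the accounts whose sessions must be revoked. The following is an added forensic example, not code from CloudSEK, PRISMA or the malware: it copies the SQLite file before opening it (Chrome holds a lock on the live database), enumerates the token_service rows read-only, and parses the account ID out of the service column. It assumes Chromium's schema (`service` and `encrypted_token` columns) and the `AccountId-` prefix Chromium stores before the GAIA ID; the sample database it builds is constructed with placeholder bytes and contains no real encrypted tokens, and nothing here attempts decryption.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Assumption: Chromium stores each refresh token under a service name of the
# form "AccountId-<GAIA id>" in the token_service table of "Web Data".
ACCOUNT_ID_PREFIX = "AccountId-"


def build_sample_web_data(path):
    """Write a constructed stand-in for Chrome's "Web Data" file.

    Uses the assumed Chromium schema (service, encrypted_token). The token
    blobs are placeholder bytes, not real DPAPI/keyring-encrypted tokens.
    """
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE token_service ("
        "service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)"
    )
    rows = [
        ("AccountId-100000000000000000001", b"\x01\x00\x00\x00" + b"A" * 64),
        ("AccountId-100000000000000000002", b"\x01\x00\x00\x00" + b"B" * 80),
        ("LegacyServiceName", b"C" * 16),  # a row without the prefix
    ]
    con.executemany("INSERT INTO token_service VALUES (?, ?)", rows)
    con.commit()
    con.close()
    return path


def list_token_service_accounts(web_data_path):
    """Enumerate accounts whose encrypted refresh tokens are present.

    The file is copied to a temp dir first: a running Chrome keeps the live
    database locked, and triage should never write to the original artifact.
    Returns one dict per row with the parsed account ID (None if the service
    name does not carry the AccountId- prefix) and the token blob length.
    """
    src = Path(web_data_path)
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "Web Data.copy"
        shutil.copy2(src, copy)
        con = sqlite3.connect(f"file:{copy}?mode=ro", uri=True)
        try:
            rows = con.execute(
                "SELECT service, encrypted_token FROM token_service"
            ).fetchall()
        finally:
            con.close()

    findings = []
    for service, token in rows:
        account_id = None
        if service.startswith(ACCOUNT_ID_PREFIX):
            account_id = service[len(ACCOUNT_ID_PREFIX):]
        findings.append(
            {
                "service": service,
                "account_id": account_id,
                "token_bytes": len(token or b""),
            }
        )
    return findings


def accounts_to_revoke(web_data_path):
    """Just the GAIA IDs that an incident responder should revoke sessions for."""
    return [
        f["account_id"]
        for f in list_token_service_accounts(web_data_path)
        if f["account_id"] is not None
    ]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = build_sample_web_data(str(Path(d) / "Web Data"))
        for f in list_token_service_accounts(sample):
            print(f)
        print("revoke:", accounts_to_revoke(sample))
```

On a real host, point `list_token_service_accounts` at the profile's `Web Data` file (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data` on Windows). The token blobs are encrypted with the OS key store, so the listing is enough to know which accounts to act on without ever handling a usable token.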