A cyber-espionage group known as ToddyCat, believed to have ties to China, has been observed exploiting a security flaw in ESET’s software to deliver a new and previously undocumented malware strain called TCESB, according to fresh findings by cybersecurity firm Kaspersky.
The flaw, tracked as CVE-2024-11859, existed in ESET’s Command Line Scanner.
It improperly prioritized the current working directory when searching for the Windows system file “version.dll,” making it possible for attackers to substitute a malicious version of the file and gain control of the software’s behavior through a method known as DLL Search Order Hijacking.
ESET has since released security updates in January 2025 to correct the issue, noting that attackers would still require administrative privileges to take advantage of the bug.
Kaspersky’s research linked this technique to ToddyCat activity discovered in early 2024, where the suspicious “version.dll” file was planted in temporary directories on compromised systems. TCESB, the malware delivered via this method, had not been linked to the group before. It is engineered to evade monitoring tools and security defenses by executing payloads discreetly.
TCESB is based on a modified version of the open-source tool EDRSandBlast, designed to tamper with low-level Windows kernel structures. It specifically targets mechanisms used by security solutions to track system events, effectively blinding them to malicious activity.
To perform these actions, TCESB employs a Bring Your Own Vulnerable Driver (BYOVD) tactic, installing an outdated Dell driver (DBUtilDrv2.sys) that contains a known vulnerability (CVE-2021-36276).
This method grants the malware elevated access to the system, enabling it to bypass protections and alter kernel processes. Similar drivers have been misused in the past, notably by other threat actors like the North Korea-linked Lazarus Group.
Once the vulnerable driver is active, TCESB runs a loop that monitors for a payload file with a specific name.
When the file appears, it is decrypted with AES-128 and executed immediately. The payloads themselves, however, were not recovered during analysis.
Security analysts recommend that organizations remain vigilant by tracking the installation of drivers with known weaknesses and watching for kernel-level activity that shouldn’t typically occur, especially in environments not configured for debugging.
The discovery further highlights ToddyCat’s ability to adapt and refine its tools.
The group has been active since at least 2020, frequently targeting entities in the Asia-Pacific region with long-term, data-driven attacks.