The threat actor "ToddyCat," a Chinese-linked threat actor, is being observed exploiting a vulnerability in ESET security software to spread a newly discovered malware strain known as TCESB, a new strain that has recently been discovered.
In a recent study by cybersecurity company Kaspersky, the group's evolving tactics and expanding arsenal were highlighted in an analysis released by the company. The TCESB software, which consists of a novel addition to ToddyCat's toolkit, has been designed specifically to be able to stealthily execute malicious payloads without being detected by existing monitoring and protection software installed on compromised computers, according to Kaspersky.
The malware's ability to bypass security measures illustrates its sophistication and the calculated approach adopted by its operators. In recent years, TeddyCat has actively participated in several cyber-espionage campaigns primarily targeting Asian organizations, primarily targeting organisations. In at least December 2020, the group began to conduct attacks against high-value entities in the region, and it has gained notoriety for a number of these attacks, including sustained attacks on high-value entities throughout the region.
The intrusions are believed to be intended to gather intelligence, often by compromising targeted environments for a long time. In a comprehensive report released last year, Kaspersky detailed ToddyCat's extensive use of custom and off-the-shelf tools to establish persistent access within victim networks. As part of the report, the group is also described as exfiltrating large volumes of sensitive information on an industrial scale, from a wide variety of organisations in Asia-Pacific. As part of its operations, the group is also able to exfiltrate large amounts of sensitive information.
It was ToddyCat's tactic, technique, and procedure (TTPS) that was significantly evolved by exploitation of a security flaw in ESET software to deliver TCESB. There is an increasing trend among advanced persistent threat (APT) actors to exploit software supply chain vulnerabilities and trusted security tools as a way of infiltration by utilising these vectors. It has recently been reported by cybersecurity researchers that a group of advanced persistent threats (APT) known as ToddyCat, which has been attributed to cyber-espionage operations originating in China, has been involved in a disturbing development.
According to an analysis published by Kaspersky, the threat actor has been exploiting a vulnerability in ESET security software to distribute a newly discovered and previously unknown malware strain dubbed TCESB by exploiting a vulnerability in ESET security software. During this malware, the group has demonstrated significant advances in their offensive capability, and the evolution of its offensive toolkit has been continuous.
The TCESB malware is notable for its stealthy design, allowing it to execute malicious payloads without being detected by endpoint protection or monitoring software, thus demonstrating how it can accomplish its goals. By deploying it through a legitimate security solution, such as ESET, it underscores how sophisticated and strategically planned its actors are. As well as facilitating deeper penetration into targeted systems, the technique also complicates detection and response efforts by blending malicious activity with otherwise trusted processes, which is one of the most important advantages of this technique.
ToddyCat has been active since December 2020 and has conducted a variety of targeted intrusions across a wide range of sectors within Asia. According to Kaspersky, the organisation's operations are mostly intelligence-driven, with a particular focus on maintaining access to high-value targets for data exfiltration. Previous reports have demonstrated that the group maintains persistence within compromised environments by using both custom-built and widely available tools. It is important to note that, during their campaigns, they have been perpetrating large-scale data theft, which has been described by researchers as industrial-scale harvesting, primarily from Asian entities.
As ToddyCat's operations have recently changed, it illustrates the broader trend among nation-state threat actors to weaponise trusted software platforms as a method of delivering TCESB, and marks a tactical shift in ToddyCat's operations. As a result of this incident, concerns have been raised regarding vulnerabilities in the software supply chain, as well as the increasingly sophisticated evasion techniques employed by APT actors to maintain access and achieve long-term strategic goals. Following a responsible disclosure procedure, ESET corrected the identified security vulnerability in January 2025. To mitigate the vulnerability that was exploited by ToddyCat to deploy the TCESB malware, the company released a patch to mitigate it.
The latest security updates for ESET's widely used endpoint protection software are highly recommended for organisations using the system, as they strongly recommend implementing these updates as soon as possible. It remains critical to maintain an effective patch management process to avoid exposure to emerging threats and reduce the risk of compromise by addressing known vulnerabilities. In addition to updating their systems, organisations are advised to implement enhanced monitoring procedures to detect suspicious activity linked to the use of similar tools to detect suspicious activity.
It is Kaspersky's belief that effective detection depends upon monitoring the events that are associated with the installation of drivers that are known to contain vulnerabilities. Furthermore, organizations should be cautious for instances involving Windows kernel debug symbols being loaded onto endpoints, particularly on endpoints where kernel debugging is not a routine or expected process. An anomaly of this kind could be indicative of a compromise and, therefore, requires immediate investigation to prevent further intrusions or data exfiltration.
It has been determined that the TCESB malware is based on an open-source tool called EDRSandBlast, a modified variant of the malware. This adaptation incorporates advanced functionalities that are specifically intended to manipulate kernel structures, which are an integral part of the Windows operating system. It is capable of deactivating notification routines, also called callbacks, as part of its primary capabilities.
It is crucial for security and monitoring tools to work properly that these routines allow drivers to be alerted about specific system events, such as the creation of new processes or the modification of registry keys, to the extent that they will be able to be notified about these events. By enabling these callbacks, TCESB effectively makes security solutions unaware of the presence and activity of the compromised system by disabling them. Using the Bring Your Vulnerable Driver (BYOVD) technique, TCESB can achieve this degree of control.
In this particular instance, the malware can install a legitimate but vulnerable Dell driver by using the Windows Device Manager interface – DBUtilDrv2.sys. There is a security vulnerability affecting the driver known as CVE-2021-36276 that could allow attackers to execute code with elevated privileges by granting access to the driver. There has been a precedent of Dell drivers being exploited for malicious purposes for years.
For example, in 2022, a group of North Korean advanced persistent threat actors, known as the Lazarus Group, exploited another Dell driver vulnerability (CVE-2021-21551 in dbutil_2_3.sys) in a similar BYOVD attack to disable security defences and maintain persistence against malware. When the susceptible driver has been successfully deployed to the operating system, TCESB initiates a continuous monitoring loop in which two-second intervals are checked to see if a payload file with a specific name is present in the current working directory.
Andrey Gunkin, a researcher at Kaspersky, has pointed out that the malware is designed to operate when there is no payload at launch, and that when the malware detects the payload, it deploys an algorithm to decrypt and execute it. While the payload samples themselves were not available during the analysis period, forensic investigation revealed that the payload samples are encrypted with AES-128 and are immediately decoded and executed as soon as they are identified in the specified location, once the AES-128 algorithm has been used.
Cybersecurity experts recommend vigilant system monitoring practices because the TCESB is so stealthy and technically sophisticated. Organizations need to monitor events related to the installation of drivers that may contain security flaws, as well as the loading of kernel debug symbols by Windows in environments where kernel-level debugging is not commonly used. It is important to investigate and investigate these behaviors immediately as they may indicate that advanced threats are trying to undermine the integrity of the system.
A cybercriminal group known for ransomware attacks has decided to stop using those methods and instead focus only on stealing information and demanding money in return. The group, called Hunters International, has rebranded and is now running a new operation.
This group had earlier announced in November 2024 that it would stop its activities. They claimed it was because of low profits and growing attention from police and other authorities. But cybersecurity experts discovered that the group didn’t actually stop – they just changed their approach.
Now, under a new name, World Leaks, the group has returned. Instead of locking people’s files and asking for payment to unlock them, they now secretly steal private data from computers and threaten to release it online unless they’re paid.
According to cybersecurity researchers at Group-IB, the people working with this group are being given a special tool. This software helps them quickly and quietly copy important files from an organization’s systems. It’s believed to be a newer version of a tool they’ve used in the past.
In their earlier version, Hunters International combined two actions: they locked systems (ransomware) and demanded money, and also stole data. But now, they are only stealing data and skipping the system lockout part, which brings less risk and may be harder for authorities to detect.
Hunters International first appeared in late 2023 and was suspected to be connected to an older cyber gang called Hive. Their malware could attack many types of computer systems, including those used by businesses, governments, and servers for virtual machines.
Since then, the group has been behind over 280 attacks on organizations across the globe. They’ve gone after major companies, government bodies, hospitals, and even defense-related firms. In one serious case, they threatened to release personal health records of over 800,000 patients if they weren’t paid.
The group has been targeting companies of all sizes. Experts have seen ransom demands vary, sometimes reaching millions, depending on how large or important the organization is.
Experts say that this shift shows how cybercriminals are always changing tactics to stay ahead. With ransomware becoming riskier and less profitable, many groups may now turn to stealing data as their main method.
To stay safe, organizations should improve their security systems, watch for unusual access, and take steps to protect sensitive data before it’s too late.
The hackers have attacked over 140 Netskope customers situated in Asia, North America, and Southern Europe throughout different segments, driven by the financial and tech sectors.
Netskope has been examining different phishing and malware campaigns targeting users who look for PDF documents online. Hackers use tricky ways within these PDFs to resend victims to malicious websites or lure them into downloading malware. In the newly found campaign, they used fake CAPTCHAs and Cloudflare Turnstile to distribute the LegionLoader payload.
The infection begins with a drive-by download when a target looks for a particular document and is baited to a malicious site.
The downloaded file contains a fake CAPTCHA. If clicked, it redirects the user via a Clloudfare Turnstile CAPTCHA to a notification page.
In the last step, victims are urged to allow browser notifications.
When a user blocks the browser notification prompt or uses a browser that doesn’t support notifications, they are redirected to download harmless apps like Opera or 7-Zip. However, if the user agrees to receive browser notifications, they are redirected to another Cloudflare Turnstile CAPTCHA. Once this is done, they are sent to a page with instructions on how to download their file.
The download process requires the victim to open the Windows Run window (win + r) and put content copied to the clipboard (ctrl + v), and “ execute it by pressing enter (we described a similar approach in a post about Lumma Stealer),” Netscope said. In this incident, the command in the clipboard uses the “ command prompt to run cURL and download an MSI file.” After this, the “command opens File Explorer, where the MSI file has been downloaded. When the victim runs the MSI file, it will execute the initial payload.”
To avoid detection, the campaign uses a legitimate VMware-signed app that sideloads a malicious DLL to run and load the LegionLeader payload. Later, a new custom algorithm is used to remove the LegionLeader shellcode loader.
In the final stage, the hackers install a malicious browser extension that can steal sensitive info across different browsers, such as Opera, Chrome, Brave, and Edge. Netscope warns of an alarming trend where hackers are targeting users searching for PDF docs online via sophisticated tactics to install malware.