New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner.
Summary:
A Chinese-affiliated threat actor known as ToddyCat has been observed exploiting a vulnerability in ESET's Command Line Scanner to deploy a newly discovered malware strain called TCESB. This threat group, active since at least December 2020, has historically targeted government and telecom entities across the Asia-Pacific region, often conducting cyber-espionage operations involving long-term persistence and large-scale data exfiltration. In early 2024, Kaspersky researchers identified malicious activity tied to ToddyCat involving a suspicious DLL file—version.dll—located in temporary directories across multiple compromised devices. The 64-bit TCESB malware was loaded through a technique called DLL Search Order Hijacking, which takes advantage of the way some applications prioritize directories when searching for DLL files.
In this case, the flaw (tracked as CVE-2024-11859, CVSS score: 6.8) in ESET's command line utility caused it to insecurely load the DLL by checking the current directory before system paths. This allowed attackers with existing administrator privileges to execute their malicious version of version[.]dll instead of the legitimate Windows version located in the system32 directory. ESET addressed this vulnerability in late January 2025 after responsible disclosure, releasing patched versions across its consumer, business, and server security product lines for Windows.
The TCESB malware is an advanced variant of an open-source tool known as EDRSandBlast, which is designed to evade endpoint detection by disabling kernel notification routines—mechanisms that alert security tools to events such as process creation or registry modification. TCESB accomplishes this by using a known tactic called Bring Your Own Vulnerable Driver, in which attackers load a legitimate but flawed driver to disable security protections. In this campaign, ToddyCat deployed the vulnerable DBUtilDrv2.sys driver from Dell via the Windows Device Manager. This driver is susceptible to a privilege escalation flaw (CVE-2021-36276) and has been abused before, including in earlier attacks by North Korea's Lazarus Group using similar Dell drivers.
Security Officer Comments:
Once the driver is installed, TCESB enters a loop, checking every two seconds for an AES-128 encrypted payload with a specific name in the current working directory. If the payload appears, the malware decrypts and executes it immediately. Although the actual payloads used in this operation were not recovered, the method allows ToddyCat to deploy second-stage malware stealthily. Kaspersky emphasizes the importance of monitoring for installation of known vulnerable drivers and unusual attempts to load Windows kernel debug symbols, especially on systems where kernel debugging is not expected. These behaviors can signal the presence of stealthy post-exploitation tools like TCESB.
Suggested Corrections:
To detect the activity of such tools, it's recommended to monitor systems for installation events involving drivers with known vulnerabilities. Lists of such drivers can be found on the loldrivers project website, for example. It's also worth monitoring events associated with loading Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected. We also advise using operating system tools to check all loaded system library files for the presence of a digital signature.
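The two host-side checks recommended above (a version.dll loaded from outside the Windows system directories, and a known-vulnerable driver installed on the host), as an added PowerShell example that is not part of the advisory or of Kaspersky's or ESET's tooling. It assumes an elevated session; $VulnerableDriverNames is a constructed placeholder seeded with the driver named in this report and meant to be populated from the loldrivers project list.

```powershell
# Added example, not from the advisory or from Kaspersky/ESET: hunts for the two
# host-side indicators the advisory recommends. Run as administrator.
# $VulnerableDriverNames is a constructed placeholder; populate it from loldrivers.
$VulnerableDriverNames = @('DBUtilDrv2.sys')
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# 1. version.dll loaded from anywhere other than the Windows system directories,
#    i.e. the DLL search-order hijack described above, together with its
#    Authenticode status (the genuine version.dll is Microsoft-signed).
$dllFindings = foreach ($proc in Get-Process) {
    $modules = try { $proc.Modules } catch { $null }   # protected/other-bitness processes throw
    foreach ($m in $modules) {
        if ($m.ModuleName -ne 'version.dll') { continue }
        $dir = Split-Path -Path $m.FileName -Parent
        if ($systemDirs -contains $dir) { continue }    # -contains is case-insensitive
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        [pscustomobject]@{
            Process   = $proc.ProcessName
            PID       = $proc.Id
            Path      = $m.FileName
            SigStatus = $sig.Status                     # Valid / NotSigned / HashMismatch ...
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

# 2. Installed kernel drivers whose file name is on the vulnerable list
#    (BYOVD indicator); State shows whether the driver is currently running.
$driverFindings = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and
                   ($VulnerableDriverNames -contains (Split-Path -Path $_.PathName -Leaf)) } |
    Select-Object Name, State, StartMode, PathName

"== version.dll loaded outside the system directories =="
$dllFindings | Format-Table -AutoSize
"== known-vulnerable drivers installed =="
$driverFindings | Format-Table -AutoSize
```

An empty first table is the expected result on a clean host; any row there, and any row in the second table, warrants a closer look at the listed process or driver.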
ESET prepared fixed builds of its consumer, business and server security products for the Windows operating system and recommends upgrading to these or scheduling the upgrades in the near future. The fixed builds are available in the Download section of www.eset.com or via ESET Repository.
- ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security Premium, ESET Security Ultimate 18.1.10.0 and later
- ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 12.0.2045.0, 11.1.2059.0 and later from the respective version family
- ESET Small Business Security and ESET Safe Server 18.1.10.0 and later
- ESET Server Security for Windows Server (formerly File Security for Microsoft Windows Server) 11.1.12009.0 and later
- ESET Mail Security for Microsoft Exchange Server 11.1.10011.0, 11.0.10010.0, 10.1.10017.0 and later from the respective version family
- ESET Security for Microsoft SharePoint Server 11.1.15003.0, 11.0.15007.0, 10.0.15008.0 and later from the respective version family
Link(s):
https://support.eset.com/en/ca8810-...nerability-in-eset-products-for-windows-fixed
https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/