- Kaspersky observed a threat actor called ToddyCat abusing a bug in ESET’s cybersecurity solution
- The group used a now-patched flaw to deploy a piece of malware called TCESB
- Users are advised to patch their systems and monitor for threats
A component of ESET’s endpoint protection solution was being abused to launch stealthy malware on Windows devices, researchers are saying.
In an in-depth report published earlier this week, security researchers from Kaspersky said they saw a critical vulnerability in ESET’s command-line scanner being abused to deploy a tool named TCESB.
The vulnerability, now identified as CVE-2024-11859, allowed attackers to hijack the loading process of system libraries by abusing how the ESET scanner usually loads them. Instead of retrieving legitimate libraries from system directories, the scanner would first look in its current working directory, which enabled a classic “bring your own vulnerable driver” approach.
ToddyCat
The group behind the attack is dubbed ToddyCat. It is an advanced persistent threat (APT) group, first observed in 2021. It is known for targeting government and military organizations, diplomatic entities, and critical infrastructure. Its targets are mostly located in Asia and Europe, and there are some indications that it might either be Chinese, or China-aligned. This was not confirmed, though.
In this instance, the researchers did not discuss the victims, their industry, or location. However, it was said that ToddyCat was able to place a malicious variant of version.dll alongside ESET’s scanner, which forced the endpoint protection tool to run the custom malware and thus bypass standard security detection mechanisms.
The TCESB malware is a modified version of an open-source tool named EDRSandBlast, Kaspersky further explained, saying that it includes features that change the OS kernel structures and can disable callbacks (notification routines).
ESET patched the flaw in January 2025 following responsible disclosure. Organizations using this popular endpoint protection solution are urged to update their systems as soon as possible, and closely monitor their endpoints:
“To detect the activity of such tools, it’s recommended to monitor systems for installation events involving drivers with known vulnerabilities,” Kaspersky said. “It’s also worth monitoring events associated with loading Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected.”
Via The Hacker News
Leave a comment