ESET security scanner vulnerability used to deploy TCESB malware

• Kaspersky observed a threat actor called ToddyCat abusing a bug in ESET's cybersecurity solution
• The group used a now-patched flaw to deploy a piece of malware called TCESB
• Users are advised to patch their systems and monitor for threats

A component of ESET’s endpoint protection solution was being abused to launch stealthy malware on Windows devices.

In an in-depth report, security researchers from Kaspersky said they saw a critical vulnerability in ESET’s command-line scanner being abused to deploy a tool named TCESB.

The vulnerability, now identified as CVE-2024-11859, allowed attackers to hijack the loading process of system libraries by abusing how the ESET scanner usually loads them. Instead of retrieving legitimate libraries from system directories, the scanner would first look in its current working directory, which enabled a classic “bring your own vulnerable driver” approach.

Monitor your credit score with TransUnion starting at $29.95/month

TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.

Preferred partner (What does this mean?)

View Deal

ToddyCat

The group behind the attack is dubbed ToddyCat. It is an advanced persistent threat (APT) group, first observed in 2021.

It is known for targeting government and military organizations, diplomatic entities, and critical infrastructure. Its targets are mostly located in Asia and Europe, and there are some indications that it might either be Chinese, or China-aligned. This was not confirmed, though.

In this instance, the researchers did not discuss the victims, their industry, or location.

However, it was said that ToddyCat was able to place a malicious variant of version.dll alongside ESET’s scanner, which forced the endpoint protection tool to run the custom malware and thus bypass standard security detection mechanisms.

The TCESB malware is a modified version of an open-source tool named EDRSandBlast, Kaspersky further explained, saying that it includes features that change the OS kernel structures and can disable callbacks (notification routines).

ESET patched the flaw in January 2025 following responsible disclosure. Organizations using this popular endpoint protection solution are urged to update their systems as soon as possible, and closely monitor their endpoints:

"To detect the activity of such tools, it's recommended to monitor systems for installation events involving drivers with known vulnerabilities," Kaspersky said. "It's also worth monitoring events associated with loading Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected."

Via The Hacker News

You might also like

• The growing threat of ransomware for SMBs
• Take a look at our guide to the best authenticator app
• We've rounded up the best password managers