ToddyCat APT Exploits ESET Vulnerability to Deploy Stealth Malware

Cybersecurity researchers have uncovered a new campaign by the Chinese-speaking threat actor ToddyCat, targeting a critical vulnerability in ESET’s antivirus software to load malicious payloads undetected. The flaw, now patched, exposes a deeper challenge in securing trusted system software from advanced persistent threats (APTs).

ESET Exploited: The Flaw Behind the Malware Infiltration

A newly uncovered vulnerability in ESET’s antivirus software—tracked as CVE-2024-11859—has become the latest tool for ToddyCat APT to stealthily execute malware. Reported by Kaspersky, the flaw involves DLL search order hijacking, a well-known tactic where applications mistakenly load malicious libraries due to insecure directory search behavior.

Although ESET patched the bug in January, it wasn’t publicly disclosed until April 4. The flaw specifically affects systems where an attacker already has administrator-level access, enabling them to execute arbitrary code by inserting a malicious DLL, such as one named version.dll, in vulnerable directories.

Kaspersky’s deep dive revealed that the malicious DLL used by ToddyCat mimics the legitimate version.dll used by Windows. The malware, dubbed TCESB, functions as a stealthy payload that runs silently in the background, bypassing detection and disabling Windows security notifications at the kernel level.

Key Findings from Kaspersky’s Report

  • TCESB Malware: A complex and previously unseen strain designed to silently execute malicious code and disable security alerts.
  • DLL Hijacking: The ESET command-line scanner mistakenly loads version.dll from the current directory instead of the secure system directory.
  • Kernel-Level Exploits: The malware uses preloaded data for specific Windows kernel versions, and if unavailable, retrieves it from Microsoft’s debug info server.
  • Additional Exploits: ToddyCat also utilizes a known vulnerable Dell driver (CVE-2021-36276) to deepen access at the kernel level.

The attack technique ensures the infected application continues functioning normally, masking the intrusion. Researchers emphasize the need for constant monitoring for suspicious driver installations and irregular kernel symbol loading.

What Undercode Says:

ToddyCat’s Persistent and Sophisticated Strategy

The ToddyCat APT continues to show high adaptability and operational maturity. Their selective and careful reuse of tools, along with custom-developed payloads, suggests a clear intention to remain undetected for as long as possible. The fact that TCESB mimics a legitimate system DLL, delegates normal operations back to the original file, and executes in stealth mode is a hallmark of advanced stealth engineering.

Observations and Implications

  1. Exploitation Requires Privilege: While CVE-2024-11859 needs admin access, the flaw still represents a serious risk in post-compromise scenarios, where lateral movement often escalates privileges anyway.

  2. DLL Hijacking Still Relevant: Despite being a decades-old technique, DLL search order hijacking remains a reliable method for stealth execution—especially effective when targeting software from trusted vendors like ESET.

  3. ESET’s Exposure: The attack shows that even security software can be an entry point if its internal architecture does not follow secure library loading practices. This puts additional pressure on vendors to harden their applications.

  4. Use of Dual Exploits: ToddyCat’s pairing of DLL hijacking with a known Dell driver exploit showcases layered attack strategies—first to get inside, then to solidify persistence and evade detection.

  5. Kernel Awareness: The preloaded dataset tailored for various Windows kernel versions demonstrates a high level of reconnaissance. This level of precision suggests state-sponsored resources or long-term planning.

  6. Attribution Challenge: Check Point previously noted

  7. Defense Recommendations:

     • Monitor for abnormal DLL loading behavior, especially from temporary or non-system directories.
     • Review usage of drivers, particularly legacy or vulnerable ones (check sites like loldrivers.io).
     • Ensure all DLLs and kernel drivers are digitally signed and validated through regular audits.
     • Flag any device loading Windows kernel debug symbols without explicit permission or use case.

  8. Impact on Enterprises: Organizations in defense, government, and critical infrastructure sectors in the Asia-Pacific region are prime targets. This continues a trend where regional cyber espionage operations are becoming more customized and persistent.

  9. Security Vendors Not Immune: Ironically, the very tools meant to protect systems are becoming vectors when improperly secured—emphasizing the need for vendor-level transparency and continuous code auditing.

  10. Global Trends: ToddyCat’s campaign aligns with a broader global uptick in APTs exploiting third-party software, especially security and IT management tools.
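As an added example (not code from the Kaspersky report or from ESET), the following Python implements the first defense recommendation above against the load pattern behind the hijack: a Windows system DLL name such as version.dll mapped from a directory other than System32 or SysWOW64. The record fields mimic Sysmon ImageLoad (Event ID 7) data; every path, the scanner executable name and the signer strings are constructed assumptions.

```python
"""Flag DLL search-order hijacking candidates in image-load telemetry."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories from which a bare-name system DLL load is expected.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# System DLL names an application may resolve from its working directory.
# version.dll is the name used in the TCESB case; extend per environment (assumption).
SHADOWABLE_DLLS = {"version.dll"}


@dataclass
class ImageLoad:
    image: str       # process that performed the load
    loaded: str      # full path of the DLL that was mapped
    signed: bool     # signature present and valid
    signature: str   # signer subject, empty when unsigned


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a severity when a shadowable DLL is loaded from a non-system path."""
    path = PureWindowsPath(ev.loaded)
    if path.name.lower() not in SHADOWABLE_DLLS:
        return None
    parent = str(path.parent).lower().rstrip("\\")
    if parent in SYSTEM_DIRS:
        return None  # normal resolution from the system directory
    # A same-named DLL outside the system directory is suspicious on its own;
    # an unsigned or non-Microsoft copy is the strongest indicator.
    if not ev.signed or "microsoft" not in ev.signature.lower():
        return "high"
    return "medium"


def scan(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (process, dll path, severity) for every flagged load."""
    return [(ev.image, ev.loaded, sev) for ev in events if (sev := classify(ev))]


# Constructed sample telemetry; none of these paths are indicators from the report.
SAMPLE = [
    ImageLoad(r"C:\Program Files\ExampleAV\scanner.exe",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\ExampleAV\scanner.exe",
              r"C:\Users\Public\tmp\version.dll", False, ""),
    ImageLoad(r"C:\Tools\app.exe", r"C:\Tools\helper.dll", False, ""),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```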

Fact Checker Results

  • Exploit Confirmed: CVE-2024-11859 is a real, patched vulnerability acknowledged by ESET.
  • Actor Attribution: ToddyCat has been consistently linked to cyber-espionage campaigns in Asia-Pacific.
  • Tool Usage Verified: Both the malicious version.dll and Dell driver exploit (CVE-2021-36276) were observed in the wild by Kaspersky.

This case once again demonstrates that vulnerabilities in trusted tools can be turned into high-impact weapons by patient, well-resourced threat actors. The best defense lies not just in patching, but in monitoring behavior, validating integrity, and anticipating the next unconventional exploit vector.

References:

Reported By: www.darkreading.com