ToddyCat APT Group Exploits ESET Software Vulnerability to Stealthily Deploy Malware

In early 2024, Kaspersky researchers uncovered a disturbing security issue involving the ToddyCat APT (Advanced Persistent Threat) group. This group exploited a vulnerability in ESET’s software to silently execute malware, bypassing security measures designed to protect systems. The flaw, tracked as CVE-2024-11859, allowed attackers to inject malicious code using a DLL Search Order Hijacking method, ultimately enabling them to stealthily deploy and execute payloads without detection. This breach highlights the increasing sophistication of cyberattacks and underscores the importance of maintaining up-to-date security patches.

The vulnerability itself is a DLL Search Order Hijacking issue, where an attacker with administrator privileges can load a malicious dynamic-link library (DLL) instead of the legitimate system version. This allows the attacker to execute malicious code while evading security tools and monitoring mechanisms. In the case of ToddyCat, the APT group leveraged this vulnerability to deploy a previously unknown C++ tool, TCESB, which further obscured their malicious activities.

Attack Exploits DLL Hijacking

Kaspersky’s investigation revealed that the ToddyCat group used the CVE-2024-11859 vulnerability to exploit ESET’s command-line scanner, known as ecls. The flaw allowed the system to load a malicious version.dll (TCESB), bypassing security measures. The malicious TCESB tool then executed payloads in the background, undetected by typical security software.

The malware uses a DLL-proxying technique: the malicious DLL exports every function of the legitimate system DLL it impersonates and forwards each call to the original, unmodified DLL, so the host program keeps working as if nothing had changed. At the same time, the malicious code runs in the background, allowing the attackers to control infected systems without being detected.
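A search-order hijack of this kind leaves a clear trace in endpoint telemetry: a DLL carrying a well-known system name (here version.dll) is loaded from the host program's own directory rather than from System32. The script below is an added defender-side example, not code from the article, Kaspersky or ESET; it runs that check over constructed Sysmon Event ID 7 (Image Loaded) records. The flattened record layout, the ESET install path and the watched DLL names other than version.dll are assumptions.

```python
"""Flag DLL search-order hijacking in Sysmon Event ID 7 (Image Loaded) records."""
from pathlib import PureWindowsPath
from typing import Optional

# version.dll is the name the article reports TCESB used; the other two are
# assumptions, included only to show that the list is meant to be extended.
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def parse_event(line: str) -> dict:
    """Parse one flattened 'Key=Value | Key=Value' record (a constructed layout)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def hijack_reason(event: dict) -> Optional[str]:
    """Return why an image load looks like search-order hijacking, or None."""
    if event.get("EventID") != "7":
        return None
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in WATCHED_DLLS:
        return None
    if str(loaded.parent).lower() in SYSTEM_DIRS:
        return None  # the legitimate copy: nothing to report
    host_dir = PureWindowsPath(event["Image"]).parent  # comparison is case-insensitive
    if loaded.parent == host_dir:
        reason = "known DLL name loaded from the host executable's own directory"
    else:
        reason = "known DLL name loaded from outside System32/SysWOW64"
    if event.get("Signed", "").lower() != "true":
        reason += ", unsigned"
    return reason


def scan(lines) -> list:
    """Return (host image, loaded DLL, reason) for every suspicious image load."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reason = hijack_reason(event)
        if reason:
            hits.append((event["Image"], event["ImageLoaded"], reason))
    return hits


SAMPLE_LOG = [  # constructed records; the ESET install path is an assumption
    "EventID=7 | Image=C:\\Program Files\\ESET\\ESET Security\\ecls.exe | ImageLoaded=C:\\Program Files\\ESET\\ESET Security\\version.dll | Signed=false",
    "EventID=7 | Image=C:\\Program Files\\ESET\\ESET Security\\ecls.exe | ImageLoaded=C:\\Windows\\System32\\version.dll | Signed=true",
    "EventID=7 | Image=C:\\Windows\\System32\\notepad.exe | ImageLoaded=C:\\Windows\\System32\\kernel32.dll | Signed=true",
    "EventID=1 | Image=C:\\Windows\\System32\\cmd.exe | ImageLoaded=-",
    "EventID=7 | Image=C:\\Users\\Public\\tool.exe | ImageLoaded=C:\\Temp\\version.dll | Signed=true",
]

if __name__ == "__main__":
    for host, dll, why in scan(SAMPLE_LOG):
        print(f"{host} loaded {dll}: {why}")
```

Only the first and last records are reported: the ecls.exe load of version.dll from its own directory (unsigned) and the stray copy in C:\Temp; the System32 copy and the non-image-load event are ignored.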

The Role of the TCESB Malware

The malware deployed by the ToddyCat APT group, TCESB, is a stealthy C++ tool designed to bypass security and monitoring tools installed on the device. The TCESB tool logs its activities in detail, further enhancing its stealth capabilities. It supports extensionless encrypted payloads like “kesp” and “ecore,” which are injected into the system and executed from memory. This encryption makes it harder for traditional security measures to detect and neutralize the threat.

Furthermore, the malware uses the Bring Your Own Vulnerable Driver (BYOVD) technique: it installs a vulnerable Dell driver (CVE-2021-36276) through Device Manager to evade detection. TCESB then waits for a specific payload file, decrypts it with AES-128, and executes the payload from memory, which makes the activity extremely difficult to trace.

ESET Responds with Patch

The flaw was discovered by Kaspersky in 2024 and reported to ESET. In January 2025, ESET issued a patch to address CVE-2024-11859. According to ESET’s advisory, the vulnerability allowed an attacker with administrative privileges to plant a malicious DLL in a specific folder, leading to the loading of the malicious library when the ESET command-line scanner was used. This action would execute the malicious content, bypassing security tools that were supposed to detect and prevent such activity.

While the attack did not elevate the attacker’s privileges (the attacker would already need to have administrator access), it still posed a significant risk. The ability to silently execute malware and bypass security tools makes this vulnerability highly dangerous for users of affected ESET products.

What Undercode Says:

The ToddyCat APT group’s use of CVE-2024-11859 to exploit a vulnerability in ESET’s software highlights an increasingly alarming trend in cybersecurity. Malicious groups are becoming more adept at using seemingly innocent software features to their advantage. In this case, the DLL Search Order Hijacking technique allowed them to load malicious code without raising any alarms. This technique is part of a broader trend of exploiting existing software vulnerabilities to achieve stealthy malware execution.

The use of TCESB, a previously unknown tool, is particularly concerning. Its ability to bypass security monitoring systems and execute payloads in memory makes it an incredibly potent tool for cybercriminals. The fact that the malware can also deploy encrypted payloads further complicates detection and mitigation efforts, as traditional signature-based detection methods become less effective.

Another noteworthy aspect of this attack is the use of the BYOVD technique, which shows how attackers can exploit vulnerabilities in hardware drivers to further evade detection. This technique highlights the complexity of modern cyberattacks, which often involve multiple layers of obfuscation and evasion strategies.

In response to this attack,

Fact Checker Results:

  1. CVE-2024-11859 Vulnerability: The vulnerability was accurately tracked and reported by Kaspersky researchers. ESET acknowledged it and released a patch in January 2025.
  2. TCESB Malware Behavior: The description of TCESB’s behavior and its use of DLL-proxying and BYOVD techniques is consistent with known attack methods.
  3. ESET’s Advisory: ESET’s advisory regarding the malicious DLL loading and the patch release aligns with the findings in the article.

References:

Reported By: securityaffairs.com