ToddyCat APT Strikes Again: Exploiting ESET Scanner with Weaponized DLL Injection

A New Wave of Sophisticated Cyberattacks Revealed

In early 2024, cybersecurity researchers uncovered a new, high-level cyberattack campaign linked to the advanced persistent threat (APT) group known as ToddyCat. This campaign, marked by stealth and innovation, centered around a vulnerability in ESET’s command-line scanner, officially registered as CVE-2024-11859.

By weaponizing this vulnerability, ToddyCat deployed a malicious tool named TCESB, which remained hidden inside legitimate software processes. The attackers achieved this by exploiting DLL-loading behavior and incorporating open-source tools alongside known vulnerable drivers. This discovery not only highlights the evolving methods of elite APT actors but also underlines the importance of keeping both commercial and open-source software continuously hardened against exploitation.

The Attack in Brief

– Threat Actor: ToddyCat APT group.

  • Discovery: Found by Kaspersky researchers during incident analysis in early 2024.

– Core Exploit: Vulnerability in

  • Entry Point: Malicious version.dll file placed in the temporary directory.
  • Tool Used: A custom-built version of the open-source tool EDRSandBlast, renamed as TCESB.

– Key Techniques:

  • DLL proxying to inject malicious functions into legitimate processes.
  • Use of weak DLL search order in ESET’s scanner to load fake version.dll.

– Kernel Manipulation to Suppress Security Alerts:

  • BYOVD Tactic: Deployed DBUtilDrv2.sys (vulnerable Dell driver, CVE-2021-36276).
  • Privilege Escalation: Used Device Manager to load the driver and gain kernel-level access.

– Payload Execution:

  • Watched the compromised directory for specific payload files.
  • Decrypted the files using AES-128, with the key embedded in each payload.
  • Executed contents only when conditions were met, avoiding premature detection.

– Response:

  • ESET patched the vulnerability in January 2025.
  • CVE-2024-11859 formally disclosed and mitigated.
  • Implication: Highlights complex use of legitimate tools and layered evasion techniques.

– Advice:

  • Monitor for vulnerable driver use and kernel anomalies.
  • Regularly patch systems and audit DLL-loading behaviors.
  • Harden endpoint defenses and invest in dynamic threat detection.

What Undercode Says:

From a cybersecurity analysis perspective, this incident provides a prime example of how modern APT actors are blurring the lines between legitimate system utilities and malicious behavior. Let’s break it down:

1. DLL Proxying Reborn:

  • DLL proxying isn’t new, but ToddyCat’s version of it is more subtle, embedding within ESET’s trusted binary and mimicking exports.
  • This evades traditional behavior-based detection tools that rely on unusual process spawning.

2. Weaponizing ESET – A Strategic Move:

  • Targeting a security tool like ESET shows that no software, not even a protective tool, is off-limits.
  • Trust is the real vulnerability here—the system allows it, so it must be safe, right? That assumption failed.

3. Modified Open Source:

  • By using EDRSandBlast, ToddyCat
  • Open-source tooling provides flexibility and plausible deniability. Many defenders hesitate to block these binaries due to legitimate use.

4. Kernel-Level Tampering:

  • The use of a Bring Your Own Vulnerable Driver (BYOVD) tactic allows for low-level system control.
  • Manipulating kernel structures to disable event notifications directly affects EDR visibility.

5. Encryption Tactics:

  • Embedding the AES decryption key inside payloads is clever—it ensures the malicious code stays hidden until the perfect moment.

6. Dynamic Execution Triggers:

  • TCESB waits for signals—payloads in specific folders—before acting.
  • This keeps noise low, reduces sandbox detection, and ensures attack execution only when conditions are ideal.

7. Driver-Based Escalation Remains a Weak Spot:

  • Drivers with known flaws, like DBUtilDrv2.sys, remain a goldmine.
  • Until operating systems enforce strict driver integrity and signing practices, this will continue being a go-to tactic.

8. Detection is Tough, Not Impossible:

  • Event log monitoring, driver integrity checks, and memory scanning for modified kernel structures can catch such attacks.
  • Security teams must adapt to hybrid detection models—signature + behavior + anomaly.
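The two observables that the Advice list and point 8 above say defenders should watch for, a System32 DLL name (version.dll) resolved from some other directory and a known-vulnerable driver being loaded, can be turned into concrete detection logic. The following is an added example, not code from the original report or from any vendor; it runs two rules over constructed Sysmon-style image-load (Event ID 7) and driver-load (Event ID 6) events. The process name "scanner.exe", the paths, and the tiny driver denylist are assumptions for illustration; DBUtilDrv2.sys and CVE-2021-36276 are the values the report gives.

```python
"""Defender-side detection sketch for the TCESB chain described above.

Rules implemented:
  * dll-search-order-hijack: a DLL that normally lives in System32 is loaded
    from another directory (application dir, current dir, temp), which is the
    footprint left when the DLL search order is satisfied before System32.
  * byovd-vulnerable-driver: a driver on a vulnerable-driver denylist is loaded.

All events below are constructed samples, not telemetry from the report.
"""

import ntpath
from dataclasses import dataclass

# Assumption: System32-resident DLL names that are common sideloading bait.
# version.dll is the one the report names; the others are illustrative.
SYSTEM_DLLS = {"version.dll", "userenv.dll", "wtsapi32.dll", "dbghelp.dll"}

# Directories those DLLs should resolve from (lower-case, trailing backslash
# so a prefix match cannot be fooled by a sibling such as "system32x").
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumption: file-name keyed denylist. Matching on name alone is weak
# (drivers get renamed); production rules should key on Authenticode hash,
# e.g. from the Microsoft vulnerable driver blocklist or loldrivers.
VULNERABLE_DRIVERS = {"dbutildrv2.sys": "CVE-2021-36276"}


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def check_image_load(event):
    """Sysmon Event ID 7 (Image loaded). Flag a System32 DLL name that was
    resolved from outside System32/SysWOW64."""
    image = event["ImageLoaded"]
    name = ntpath.basename(image).lower()
    if name in SYSTEM_DLLS and not image.lower().startswith(TRUSTED_DLL_DIRS):
        return Finding("dll-search-order-hijack", event["Image"],
                       f"{name} loaded from {ntpath.dirname(image)}")
    return None


def check_driver_load(event):
    """Sysmon Event ID 6 (Driver loaded). Flag denylisted driver names."""
    path = event["ImageLoaded"]
    name = ntpath.basename(path).lower()
    cve = VULNERABLE_DRIVERS.get(name)
    if cve is not None:
        return Finding("byovd-vulnerable-driver", "System",
                       f"{name} ({cve}) loaded from {ntpath.dirname(path)}")
    return None


HANDLERS = {7: check_image_load, 6: check_driver_load}


def scan(events):
    """Dispatch each event to the rule for its ID; return all findings."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev["EventID"])
        if handler is None:
            continue
        finding = handler(ev)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry. "scanner.exe" stands in for the trusted
# command-line scanner process; every path here is made up.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\scanner.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},          # benign
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\scanner.exe",
     "ImageLoaded": "C:\\Users\\Public\\Temp\\version.dll"},        # hijack
    {"EventID": 6, "Image": "System",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},   # benign
    {"EventID": 6, "Image": "System",
     "ImageLoaded": "C:\\Windows\\Temp\\DBUtilDrv2.sys"},           # BYOVD
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.process}: {finding.detail}")
```

The image-load rule deliberately keys on the DLL's name rather than its hash: the whole point of the hijack is that a legitimately named file sits where the loader looks first, so the anomaly is the directory, not the binary. Pair it with a signature check (Sysmon's `Signed`/`Signature` fields) to cut down on false positives from vendors that legitimately ship private copies of system DLLs.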

9. Software Vendors Need to Up Their Game:

  • ESET’s initial DLL-loading flaw (prioritizing local directories) is a classic developer oversight.
  • Vendors must routinely conduct secure code audits, especially around legacy behaviors.

10. Lessons for Defenders:

  • Defense in depth is essential. A single bypass shouldn’t compromise the entire system.
  • Proactively audit all security software for insecure behaviors—they’re often prime targets.
  • BYOVD must be accounted for in security baselines and monitoring rules.

In essence, ToddyCat’s attack demonstrates the rising synergy between traditional malware tactics and modern endpoint defense evasion. Defenders must now consider attackers who exploit not just system software—but the very tools meant to protect them.

Fact Checker Results:

  • Claim Validity: CVE-2024-11859 is a real vulnerability patched by ESET in January 2025.
  • Technical Accuracy: Methods described (DLL proxying, BYOVD, kernel manipulation) are consistent with known advanced attack patterns.
  • Source Credibility: Kaspersky’s findings align with previous intelligence on ToddyCat APT campaigns.

References:

Reported By: cyberpress.org