A newly discovered campaign by the Chinese-speaking APT group ToddyCat is exploiting a security flaw in ESET’s antivirus software to silently deploy advanced malware. This is according to a report from cybersecurity firm Kaspersky.
The vulnerability, tracked as CVE-2024-11859, was reported to ESET several months ago and patched in January, but the flaw was only publicly disclosed on April 4. It affects ESET’s command-line scanner and enables DLL search order hijacking, allowing attackers who already have admin-level access to load malicious code through a fake DLL file.
The vulnerability stems from an insecure DLL search order, where an application mistakenly prioritizes loading DLLs from the current directory over trusted system paths. In this case, ToddyCat was able to plant a malicious version.dll in the temporary folder of infected devices. When ESET’s software searched for version.dll, it loaded the fake file instead of the legitimate system library.
Kaspersky researchers identified the issue while analyzing multiple compromised systems and found the malware, now identified as TCESB, masquerading as version.dll. TCESB mirrors the interface of the real Windows version.dll, forwarding legitimate function calls to the actual file to avoid detection. Meanwhile, it secretly runs malicious code in the background, fully integrated with the application’s normal processes.
“This way, an application that loads the malicious library will continue to work as normal, with the malicious code running in the background,” said Kaspersky security researcher Andrey Gunkin.
TCESB is particularly dangerous because it disables security alerts and monitoring mechanisms at the Windows kernel level. The malware includes preloaded targeting data to identify and disable specific kernel security features based on the Windows version. If the version isn’t recognized, it retrieves the necessary information from Microsoft’s debug symbol server.
ToddyCat has a well-documented history of targeting government, military, and defense organizations across the Asia-Pacific region. The group is known for using a mix of custom malware, backdoors, and low-footprint tools, often varying tactics between campaigns to avoid attribution.
In this campaign, ToddyCat also leveraged an older vulnerability in a Dell driver, tracked as CVE-2021-36276. Originally used for updating firmware and BIOS, the vulnerable driver gave ToddyCat access to Windows kernel operations — a level of access that is notoriously difficult to detect and mitigate.
To further hide its presence, the malware also triggers loading of Windows kernel debug symbols — a behavior that’s uncommon on production systems and should raise red flags when detected in enterprise environments.
Kaspersky recommends that organizations monitor systems for:
- Use of known vulnerable drivers (referencing the LOLDrivers project for up-to-date lists),
- Unexpected loading of kernel debug symbols, and
- Unsigned or suspicious system libraries, especially in the current directory.
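The third recommendation can be checked directly on a Windows host. The following script is an added example, not part of the Kaspersky report or ESET's tooling: it enumerates the modules loaded by every running process and reports any copy of a well-known system DLL (by default only version.dll, the library abused in this campaign; the name list is an assumption you can extend) that was loaded from somewhere other than System32 or SysWOW64, together with its Authenticode status.

```powershell
# Added example (not from the Kaspersky report): flag copies of well-known
# system DLLs that a process has loaded from outside the Windows system
# directories, which is the symptom of the search-order hijack described above.
# The DLL name list is an assumption; version.dll is the one named in the report.
function Find-HijackedSystemDll {
    [CmdletBinding()]
    param(
        [string[]]$DllName = @('version.dll')
    )

    $trusted = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'SysWOW64')
    )

    foreach ($proc in Get-Process) {
        # Module enumeration fails for protected processes or when the
        # bitness of this PowerShell host differs from the target; skip those.
        try { $modules = $proc.Modules } catch { continue }

        foreach ($m in $modules) {
            if ($DllName -notcontains $m.ModuleName) { continue }

            $dir = Split-Path -Path $m.FileName -Parent
            $inTrusted = $false
            foreach ($t in $trusted) {
                if ($dir -and $dir.TrimEnd('\') -ieq $t) { $inTrusted = $true }
            }
            if ($inTrusted) { continue }

            # Loaded from an untrusted directory: also record signature state,
            # since a proxy DLL planted by an attacker is typically unsigned.
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = $m.ModuleName
                Path        = $m.FileName
                Signature   = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
            }
        }
    }
}

# Usage: run from an elevated prompt so that all processes can be inspected.
Find-HijackedSystemDll | Format-Table -AutoSize
```

An empty result means no process currently has a version.dll mapped from outside the system directories; a hit with a signature status other than Valid is what the recommendation above asks you to investigate.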
ESET’s Response and Security Recommendations
ESET addressed the issue in January with a patch, but the timing of public disclosure — just days ago — highlights the potential gap between mitigation and awareness. Organizations using ESET products should verify that their systems are fully updated and ensure no unsigned DLLs are being loaded from insecure paths.
The stealth and sophistication of this attack — particularly the use of DLL proxying and kernel-level obfuscation — underscores the increasing need for proactive monitoring and patch management in enterprise environments.
ToddyCat’s growing arsenal and persistent targeting of high-value organizations make it one of the more formidable APT groups operating today. As always, staying ahead means not just detecting threats, but anticipating how they evolve.