ToddyCat Attackers Used ESET Command Line Scanner Vulnerability to Hide Their Tool

In a stark demonstration of Advanced Persistent Threat (APT) sophistication, the ToddyCat group has been discovered using a vulnerability in ESET’s command-line scanner (CVE-2024-11859) to stealthily execute a malicious tool named TCESB.

Researchers from Kaspersky uncovered this advanced operation during investigations into ToddyCat-related incidents in early 2024.

The group exploited improper DLL-loading behavior in ESET’s scanner to bypass security measures and monitoring systems, leveraging techniques that integrate legitimate software with malicious payloads.

Complex Exploitation Chain Unveiled

The attack’s entry point was a suspicious file named version.dll found in compromised systems’ temporary directories.

Analysis revealed the file was a 64-bit DLL written in C++ with functionality derived from the open-source tool EDRSandBlast.

This modified tool, dubbed TCESB by researchers, was engineered to exploit weak points in system-level protections, including kernel structure modifications to disable security notifications.

ToddyCat attackers deployed DLL proxying, a technique where a malicious library mimics a legitimate DLL’s exported functions while redirecting them to malicious code.

[Figure: Schematic of DLL proxying]

This enabled the attackers to embed their tool within trusted processes.

However, for this redirection to succeed, the host application (in this case, ESET’s command-line scanner) needed to exhibit insecure DLL-loading behavior, a vulnerability that Kaspersky researchers uncovered during dynamic testing.

The ESET scanner was found to first search for version.dll in the current working directory before looking in system directories.

This sequence opened the door for attackers to substitute their malicious DLL in place of the legitimate library.

Recognizing the security gap, ESET promptly registered the vulnerability (CVE-2024-11859) and issued a patch in January 2025.

Modified Open-Source Malware and BYOVD Technique

Further analysis revealed that ToddyCat built TCESB by customizing the EDRSandBlast tool to expand its capabilities.

Key features included disabling system event notifications, such as process creation or dynamic library loading, by manipulating kernel structures.

To achieve this, the attackers used the Bring Your Own Vulnerable Driver (BYOVD) method, deploying the Dell driver DBUtilDrv2.sys, which carries the well-known CVE-2021-36276 vulnerability.

By installing this driver through the Device Manager interface, TCESB obtained the necessary privileges to tamper with kernel memory structures.

[Figure: Schematic of tool operation]

The tool’s operational cycle included monitoring the compromised directory for payload files. Once a payload was detected, the tool decrypted it with AES-128 and executed the contents.

Notably, the decryption key was embedded within the payload file, ensuring the process remained concealed until the payload was present.

The discovery of TCESB underscores the need for more rigorous defenses against highly adaptive APT groups.

According to the report, ToddyCat’s exploitation chain demonstrates a strategic integration of legitimate software vulnerabilities, open-source malware frameworks, and kernel-level manipulation, making detection and mitigation challenging.

Kaspersky advises system administrators and security professionals to monitor for events involving vulnerable driver installations and unexpected kernel debugging symbols.

Additionally, verifying the integrity of loaded system libraries and proactively patching known vulnerabilities remains critical to defense.
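As an added example, not taken from the article or from Kaspersky's report, the following Python sketch applies the two monitoring recommendations above to constructed Sysmon-style log lines: it flags version.dll being loaded from anywhere other than the Windows system directories (the search-order hijack behind CVE-2024-11859) and any load of the DBUtilDrv2.sys driver (the BYOVD step). The log format, the scanner path and the user paths are assumptions.

```python
import ntpath  # Windows path handling that also works when run on Linux/macOS

# Indicators drawn from the article; everything else in this file is constructed.
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HIJACKABLE_DLLS = {"version.dll"}        # DLL the ESET scanner resolved from its CWD first
VULNERABLE_DRIVERS = {"dbutildrv2.sys"}  # Dell driver with CVE-2021-36276, used for BYOVD


def parse_event(line):
    """Parse one 'key=value|key=value' line (constructed format) into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def classify(event):
    """Return a finding for a suspicious image/driver load, or None if benign."""
    image = event.get("image", "").lower()
    name, directory = ntpath.basename(image), ntpath.dirname(image)
    if event.get("type") == "ImageLoad" and name in HIJACKABLE_DLLS:
        # A legitimate version.dll lives in a system directory; anywhere else
        # (temp, the scanner's working directory) suggests search-order hijacking.
        if directory not in SYSTEM_DLL_DIRS:
            return f"possible DLL hijack: {event.get('process')} loaded {image}"
    if event.get("type") == "DriverLoad" and name in VULNERABLE_DRIVERS:
        # Vulnerable signed driver installed: the BYOVD step that lets TCESB
        # tamper with kernel structures and silence event notifications.
        return f"vulnerable driver loaded (BYOVD): {image}"
    return None


def scan(lines):
    """Run every non-empty log line through classify() and collect the findings."""
    return [f for f in (classify(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample telemetry; the scanner path and user paths are hypothetical.
SAMPLE_LOG = r"""
type=ImageLoad|process=c:\tools\scanner_cli.exe|image=c:\windows\system32\version.dll
type=ImageLoad|process=c:\tools\scanner_cli.exe|image=c:\users\victim\appdata\local\temp\version.dll
type=DriverLoad|process=system|image=c:\windows\system32\drivers\dbutildrv2.sys
type=ImageLoad|process=c:\windows\explorer.exe|image=c:\windows\system32\kernel32.dll
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Of the four sample events only the temp-directory version.dll load and the DBUtilDrv2.sys driver load are reported; the system-directory loads pass as benign.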

This attack serves as a reminder of the evolving sophistication of APT tactics, necessitating continuous advancements in endpoint protection, threat monitoring, and vulnerability management.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.