A Chinese-affiliated threat actor known for its cyber-attacks in Asia has been observed exploiting a security flaw in security software from ESET to deliver a previously undocumented malware codenamed TCESB.
“Previously unseen in ToddyCat attacks, [TCESB] is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device,” Kaspersky said in an analysis published this week.
ToddyCat is the name given to a threat activity cluster that has targeted several entities in Asia, with attacks dating all the way back to at least December 2020.
Last year, the Russian cybersecurity vendor detailed the hacking group’s use of various tools to maintain persistent access to compromised environments and harvest data on an “industrial scale” from organizations located in the Asia-Pacific region.
Kaspersky said its investigation into ToddyCat-related incidents in early 2024 unearthed a suspicious DLL file (“version.dll”) in the temp directory on multiple devices. The 64-bit DLL, TCESB, has been found to be launched via a technique called DLL Search Order Hijacking to seize control of the execution flow.
This, in turn, is said to have been accomplished by taking advantage of a flaw in the ESET Command Line Scanner, which insecurely loads a DLL named “version.dll” by first checking for the file in the current directory and then checking for it in the system directories.
It’s worth pointing out at this stage that “version.dll” is a legitimate version-checking and file installation library from Microsoft that resides in the “C:\Windows\system32\” or “C:\Windows\SysWOW64\” directories.
A consequence of exploiting this loophole is that attackers could execute their malicious version of “version.dll” as opposed to its legitimate counterpart. The vulnerability, tracked as CVE-2024-11859 (CVSS score: 6.8), was fixed by ESET in late January 2025 following responsible disclosure.
“The vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code,” ESET said in an advisory released last week. “This technique did not elevate the privileges, though – the attacker would have already needed to have administrator privileges to perform this attack.”
In a statement shared with The Hacker News, the Slovak cybersecurity company said it released fixed builds of its consumer, business, and server security products for the Windows operating system to address the vulnerability.
TCESB, for its part, is a modified version of an open-source tool called EDRSandBlast that includes features to alter operating system kernel structures to disable notification routines (aka callbacks), which are designed to allow drivers to be notified of specific events, such as process creation or setting a registry key.
To pull this off, TCESB leverages another known technique referred to as bring your own vulnerable driver (BYOVD) to install a vulnerable driver, a Dell DBUtilDrv2.sys driver, in the system through the Device Manager interface. The DBUtilDrv2.sys driver is susceptible to a known privilege escalation flaw tracked as CVE-2021-36276.
This is not the first Dell drivers have been abused for malicious purposes. In 2022, a similar privilege escalation vulnerability (CVE-2021-21551) in another Dell driver, dbutil_2_3.sys, was also exploited as part of BYOVD attacks by the North Korea-linked Lazarus Group to turn off security mechanisms.
“Once the vulnerable driver is installed in the system, TCESB runs a loop in which it checks every two seconds for the presence of a payload file with a specific name in the current directory – the payload may not be present at the time of launching the tool,” Kaspersky researcher Andrey Gunkin said.
While the payload artifacts themselves are unavailable, further analysis has determined that they are encrypted using AES-128 and that they are decoded and executed as soon as they appear in the specified path.
“To detect the activity of such tools, it’s recommended to monitor systems for installation events involving drivers with known vulnerabilities,” Kaspersky said. “It’s also worth monitoring events associated with loading Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected.”
