ToddyCat, the APT group, used a DLL-hijacking technique to stealthily run malicious code on targeted systems by exploiting a weakness in ESET's command line scanner.

The vulnerability, now tracked as CVE-2024-11859, let the attackers execute their payload inside a process belonging to a trusted security solution, so that monitoring tools which trust the scanner did not flag the activity.

In early 2024, investigators detected suspicious files named “version.dll” in the temp directories of multiple compromised devices. 

Further analysis revealed these files to be components of a complex tool dubbed TCESB, specifically designed to circumvent protection mechanisms and monitoring tools.

The tool, previously unseen in ToddyCat's arsenal, exploited a vulnerability in ESET's command line scanner (ecls.exe), which loaded a DLL insecurely.

ESET registered the vulnerability as CVE-2024-11859 and released a patch on January 21, 2025; a security advisory followed on April 4, 2025.

Technical Analysis of the Exploit Chain

Kaspersky reports that the attackers employed DLL proxying (a form of Hijack Execution Flow, T1574 in the MITRE ATT&CK framework) to execute their malicious code.

The malicious version.dll that makes up TCESB exports the same function names as the legitimate version.dll and forwards each call to the genuine system copy, so the scanner keeps working normally while the malicious code runs in the background of its process.

The exploit took advantage of the ESET command line scanner's insecure loading behaviour: it searched for version.dll in the current directory before looking in the system directories, so a version.dll placed in that directory was loaded instead of the legitimate one.

[Figure: Schematic of tool operation]

Analysis revealed that TCESB was based on the open-source tool EDRSandBlast, modified to extend its functionality.

The malware modifies Windows kernel structures to remove the notification routines (kernel callbacks) that security products register in order to be told about critical system events such as process creation; once those routines are gone, the products are no longer notified.

To write to kernel memory in the first place, TCESB employed the Bring Your Own Vulnerable Driver (BYOVD) technique (T1211), loading the Dell DBUtilDrv2.sys driver, which is affected by CVE-2021-36276, and abusing it to perform privileged operations at the kernel level.

[Figure: Snippet of decompiled code for installing the TCESB driver]

Payload Execution Mechanism

The tool implements a staged payload execution scheme: every two seconds it checks its current directory for a file named "kesp" or "ecore".

Once such a file is found, it is decrypted with AES-128; the decryption key is stored in the first 32 bytes of the payload file.

This staged approach reflects ToddyCat's attention to operational security: the loader and the payload are delivered separately, so the payload is only dropped once the initial infiltration has been confirmed to work.

Security professionals recommend monitoring systems for installation events involving drivers with known vulnerabilities; the loldrivers project maintains a list of such drivers and their hashes that can be used for matching.

Organizations should also monitor Windows kernel debug symbol loading, especially on devices where kernel debugging isn't expected, since tools of this kind need those symbols to locate the kernel structures they patch.
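Both recommendations, together with the BYOVD step described earlier, can be turned into detection logic over endpoint telemetry. The script below is an added example, not code from Kaspersky, ESET or the loldrivers project. It checks flattened Sysmon events for three things: a DriverLoad (Event ID 6) whose file name and SHA256 match a loldrivers-style list, a DNS query (Event ID 22) to Microsoft's public symbol server msdl.microsoft.com from a process that is not a known debugger, and a FileCreate (Event ID 11) of a kernel PDB. The driver list, the hashes and every event below are constructed placeholders; in production, load the JSON or CSV that https://www.loldrivers.io publishes and match on hashes rather than on file names alone. The `DEBUGGER_IMAGES` allowlist is an assumption for noise reduction, not a trust boundary.

```python
"""Detect BYOVD driver loads and kernel debug symbol retrieval in Sysmon events.

Added example, not code from Kaspersky, ESET or the loldrivers project. The
driver list, the hashes and all events below are constructed placeholders.
"""
import re
from typing import Dict, List, Optional

# Constructed stand-in for a loldrivers export: lower-cased file name -> SHA256 set.
# Real entries carry many hashes per driver because vendors ship many versions.
DBUTIL_SHA256 = "0" * 64   # placeholder, not the real hash of DBUtilDrv2.sys
RTCORE_SHA256 = "1" * 64   # placeholder
VULN_DRIVERS = {
    "dbutildrv2.sys": {DBUTIL_SHA256},  # the driver abused by TCESB (CVE-2021-36276)
    "rtcore64.sys": {RTCORE_SHA256},    # another commonly abused driver (assumption)
}

# Microsoft's public symbol server; a PDB download means a process is resolving
# kernel offsets, which EDRSandBlast-derived tools need before patching the kernel.
SYMBOL_SERVER = "msdl.microsoft.com"
KERNEL_PDBS = ("ntkrnlmp.pdb", "ntoskrnl.pdb")
# Processes expected to fetch symbols, but only on engineering workstations.
DEBUGGER_IMAGES = {"windbg.exe", "windbgx.exe", "kd.exe", "devenv.exe"}

# Constructed sample log: one Sysmon event per line in key=value form.
SAMPLE_EVENTS = "\n".join([
    r"EventID=6 ImageLoaded=C:\Windows\Temp\DBUtilDrv2.sys Hashes=SHA256=" + DBUTIL_SHA256 + " Signed=true Signature=Dell Inc.",
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Hashes=SHA256=" + "a" * 64 + " Signed=true Signature=Microsoft Windows",
    r"EventID=6 ImageLoaded=C:\Windows\Temp\RTCore64.sys Hashes=SHA256=" + "2" * 64 + " Signed=true Signature=Micro-Star International",
    r"EventID=22 Image=C:\Users\svc\AppData\Local\Temp\update.exe QueryName=msdl.microsoft.com",
    r"EventID=11 Image=C:\Users\svc\AppData\Local\Temp\update.exe TargetFilename=C:\Users\svc\AppData\Local\Temp\sym\ntkrnlmp.pdb\ntkrnlmp.pdb",
    r"EventID=22 Image=C:\Program Files\Windows Kits\10\Debuggers\x64\windbg.exe QueryName=msdl.microsoft.com",
])

# Split only on whitespace followed by a new "Key=" token so values keep their spaces.
_FIELD_SPLIT = re.compile(r"\s+(?=[A-Za-z]+=)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key=value Key2=value with spaces' into a dict (values may contain '=')."""
    fields: Dict[str, str] = {}
    for chunk in _FIELD_SPLIT.split(line.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value
    return fields


def sha256_of(event: Dict[str, str]) -> str:
    """Pull the SHA256 out of Sysmon's 'Hashes' field ('SHA256=...,MD5=...')."""
    for part in event.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""


def assess(event: Dict[str, str], debugging_expected: bool = False) -> Optional[Dict[str, str]]:
    """Apply the driver-load and symbol-loading rules to one event."""
    eid = event.get("EventID")
    image = event.get("Image", "")
    image_name = image.rsplit("\\", 1)[-1].lower()

    if eid == "6":  # DriverLoad: never suppressed, even on debugging hosts
        path = event.get("ImageLoaded", "")
        known = VULN_DRIVERS.get(path.rsplit("\\", 1)[-1].lower())
        if known is None:
            return None
        if sha256_of(event) in known:
            return {"rule": "vulnerable_driver_hash", "detail": path}
        return {"rule": "vulnerable_driver_name", "detail": f"{path} (hash not in list; verify version)"}

    # Symbol activity is normal where kernel debugging is expected or a debugger does it.
    if debugging_expected or image_name in DEBUGGER_IMAGES:
        return None
    if eid == "22" and event.get("QueryName", "").lower() == SYMBOL_SERVER:
        return {"rule": "symbol_server_lookup", "detail": image}
    if eid == "11" and event.get("TargetFilename", "").lower().endswith(KERNEL_PDBS):
        return {"rule": "kernel_pdb_written", "detail": f"{image} -> {event['TargetFilename']}"}
    return None


def hunt(log_text: str, debugging_expected: bool = False) -> List[Dict[str, str]]:
    """Run every rule over a flattened Sysmon log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = assess(parse_event(line), debugging_expected)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']}: {f['detail']}")
```

On the constructed sample the DBUtilDrv2.sys load matches by hash, the RTCore64.sys load matches by name only (reported so an analyst can check the version), the unknown update.exe in a temp directory both resolves the symbol server and writes ntkrnlmp.pdb, and the windbg.exe lookup is ignored. The name-only match exists because vendors keep shipping fixed versions under the same file name; a name hit without a hash hit is a prompt to compare against the current loldrivers data, not a confirmed finding.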

This incident highlights the evolving tactics of advanced threat actors, who continue to find ways to abuse trusted software, including security solutions themselves, to maintain persistent and undetected access to targeted systems.
