
Chinese Hackers Exploit ESET Flaw to Deploy New Malware


A China-affiliated threat actor known for cyberattacks across Asia has been caught exploiting a security vulnerability in ESET software to deploy a previously unknown malware strain dubbed TCESB.

Kaspersky, in a recent analysis, revealed that TCESB is a new tool in the arsenal of the ToddyCat threat group. Designed for stealth, the malware bypasses existing security and monitoring tools to execute malicious payloads. Although it had not been observed in earlier ToddyCat operations, TCESB marks a sophisticated evolution in the group’s tactics.

ToddyCat is a well-documented cluster of cyber activity targeting Asian entities, with operations traced back to December 2020. In previous reports, Kaspersky detailed how the group uses a wide range of tools to maintain long-term access and exfiltrate data at scale from organizations across the Asia-Pacific region.

TCESB is a New Malware with Familiar Techniques

Kaspersky’s investigation in early 2024 uncovered a suspicious dynamic-link library (DLL) file, version.dll, located in the temporary directory of multiple compromised systems. This 64-bit DLL, now identified as TCESB, leverages DLL Search Order Hijacking—a method of hijacking the execution flow of legitimate applications.

The attack exploits a flaw in ESET’s Command Line Scanner, which loads the version.dll file by searching the current directory first, rather than prioritizing the secure system directory. Since version.dll is a legitimate Microsoft file stored in “C:\Windows\system32” or “C:\Windows\SysWOW64,” attackers used a malicious version to gain control.

Vulnerability Details and Patch

Tracked as CVE-2024-11859 (CVSS score: 6.8), the vulnerability was addressed by ESET in January 2025 following responsible disclosure. Although exploitation of the flaw requires administrator privileges, it allows attackers to load and execute a rogue DLL.

ESET has since released patched builds across its consumer, business, and server Windows products to resolve the issue.

TCESB is a reworked version of the open-source EDRSandBlast tool. It modifies kernel-level structures to disable system notifications, such as callbacks that alert drivers to events like new processes or registry changes.

To achieve this, the malware employs the Bring Your Own Vulnerable Driver (BYOVD) tactic. It installs the known-vulnerable Dell driver DBUtilDrv2.sys using the Windows Device Manager. This driver suffers from a privilege escalation bug, tracked as CVE-2021-36276.

This isn’t the first time Dell drivers have been exploited. In 2022, the North Korea-linked Lazarus Group abused another vulnerable driver, dbutil_2_3.sys, to disable security protections.

Once the vulnerable driver is active, TCESB enters a monitoring loop, checking every two seconds for the appearance of a payload file with a specific name in the current directory. These payloads, encrypted with AES-128, are decrypted and executed the moment they are detected.

Although the actual payloads remain unavailable for analysis, Kaspersky confirmed their presence and execution method through telemetry.

Mitigation and Detection of TCESB Malware

Kaspersky recommends monitoring for driver installations involving known vulnerable components as a key detection strategy. Additionally, IT teams should look for suspicious events such as loading Windows kernel debug symbols on systems where kernel debugging is not expected.
