- Kaspersky observed a threat actor named ToddyCat exploiting a flaw in ESET's security product
- The group used the now-patched flaw to deploy a piece of malware called TCEB
- Users are advised to patch their systems and monitor for threats.
Researchers have observed attackers abusing a component of ESET's endpoint protection solution to launch stealthy malware on Windows devices.
In an in-depth report published earlier this week, Kaspersky's security researchers said they found a critical vulnerability in the ESET command-line scanner that was abused to deploy a tool called TCEB.
The vulnerability, now tracked as CVE-2024-11859, allowed the attackers to hijack the loading of system libraries by abusing how the ESET scanner loads them. Instead of retrieving legitimate libraries from the system directories, the scanner would first look in its current working directory, which enabled a classic "bring your own vulnerable driver" approach.
Toddycat
The group behind the attack is called ToddyCat. It is an advanced persistent threat (APT) group, first observed in 2021. It is known for attacking government and military organizations, diplomatic entities and critical infrastructure. Its targets are located mainly in Asia and Europe, and there are some indications that it could be Chinese or China-aligned. However, this has not been confirmed.
In this case, the researchers did not discuss the victims, their industry or their location. However, the report did say that ToddyCat was able to plant a malicious variant of the "version" library.
The TCEB malware is a modified version of an open-source tool called EDRSandBlast, Kaspersky explained, adding that it includes features that modify operating system kernel structures and can disable callbacks (notification routines).
ESET patched the flaw in January 2025 following responsible disclosure. Organizations using this popular endpoint protection solution are urged to update their systems as soon as possible and to closely monitor their endpoints:
"To detect the activity of such tools, it is recommended to monitor installation events involving drivers with known vulnerabilities," Kaspersky said. "It is also worth monitoring events associated with the loading of Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected."
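The two signals described in this article, a system DLL being loaded from the scanner's working directory rather than from a system directory, and a driver load that matches a known-vulnerable driver list, can both be checked from endpoint telemetry. The script below is an added example written for this page, not code from Kaspersky, ESET or the original article. It runs over a handful of constructed log lines in a simplified `Key=Value` format modelled on Sysmon field names (event 7 for image loads, event 6 for driver loads); the scanner path, driver names and hashes are placeholders, and the vulnerable-driver table is a stand-in for a maintained catalogue.

```python
"""Detection logic for DLL search-order hijacking and vulnerable-driver (BYOVD) loads.

Added example for this article. Input format and all sample values are constructed;
the field names (Image, ImageLoaded, Hashes, Signed) mirror Sysmon event 6/7 fields.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder catalogue: NOT real driver hashes. Populate from a maintained
# vulnerable-driver list in a real deployment.
KNOWN_VULNERABLE_DRIVER_SHA256: Dict[str, str] = {
    "0000000000000000000000000000000000000000000000000000000000000001": "placeholder vulnerable driver A",
}

# DLL names Windows ships in System32; loading one of these from any other
# directory is the search-order hijack pattern described in the article.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    event_id: int
    fields: Dict[str, str]


def parse_line(line: str) -> Event:
    """Parse one 'Key=Value Key=Value' line (constructed format; values contain no spaces)."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    return Event(int(fields.pop("EventID")), fields)


def sha256_of(ev: Event) -> str:
    """Extract the SHA256 digest from a 'Hashes=SHA256=...' field, lower-cased."""
    m = re.search(r"SHA256=([0-9a-fA-F]+)", ev.fields.get("Hashes", ""))
    return m.group(1).lower() if m else ""


def check_image_load(ev: Event) -> Optional[str]:
    """Event 7 (image loaded): flag a System32 DLL name loaded from a non-system path."""
    if ev.event_id != 7:
        return None
    loaded = ev.fields.get("ImageLoaded", "").lower()
    name = loaded.rsplit("\\", 1)[-1]
    if name in SYSTEM_DLL_NAMES and not loaded.startswith(SYSTEM_DIRS):
        return f"possible DLL search-order hijack: {ev.fields.get('Image')} loaded {loaded}"
    return None


def check_driver_load(ev: Event) -> Optional[str]:
    """Event 6 (driver loaded): flag known-vulnerable hashes, then unsigned drivers."""
    if ev.event_id != 6:
        return None
    loaded = ev.fields.get("ImageLoaded", "")
    digest = sha256_of(ev)
    if digest in KNOWN_VULNERABLE_DRIVER_SHA256:
        return f"known vulnerable driver loaded: {loaded} ({KNOWN_VULNERABLE_DRIVER_SHA256[digest]})"
    if ev.fields.get("Signed", "").lower() != "true":
        return f"unsigned driver loaded: {loaded}"
    return None


def analyze(lines: List[str]) -> List[str]:
    """Run every check over every line and collect the alert strings in input order."""
    alerts: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for check in (check_image_load, check_driver_load):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: a hijacked version.dll next to a placeholder scanner,
# a legitimate System32 load, a placeholder vulnerable driver, and a benign driver.
SAMPLE_LOG = [
    r"EventID=7 Image=C:\Tools\scanner.exe ImageLoaded=C:\Tools\version.dll Hashes=SHA256=aaaa Signed=false",
    r"EventID=7 Image=C:\Tools\scanner.exe ImageLoaded=C:\Windows\System32\version.dll Hashes=SHA256=bbbb Signed=true",
    r"EventID=6 ImageLoaded=C:\Windows\Temp\placeholder.sys Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000001 Signed=true",
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\benign.sys Hashes=SHA256=cccc Signed=true",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Running the script yields two alerts: one for `version.dll` loaded from `C:\Tools` and one for the placeholder driver whose hash is in the catalogue. The driver check consults the hash table before the signature flag because the BYOVD technique relies on drivers that are validly signed, so a signature check alone would miss exactly the loads Kaspersky recommends watching for.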
Via The Hacker News