Flaw in ESET security software used to spread malware from ToddyCat group
Editor’s note: Story updated 1:20 p.m. Eastern U.S. time with information from ESET.
Researchers have discovered that suspected state-backed hackers could exploit a vulnerability in software from cybersecurity firm ESET to secretly infect targeted devices with malicious code.
The vulnerability, tracked as CVE-2024-11859, allows attackers to plant a malicious dynamic-link library (DLL) and execute it through the ESET antivirus scanner, according to a report by the Russian cybersecurity firm Kaspersky. The malicious code runs in the background, bypassing system alerts and remaining undetected.
Slovakia-based ESET confirmed the flaw in an advisory last week and released a fix, describing it as a medium-severity issue with a CVSS score of 6.8 out of 10. The company urged users to update their systems to prevent potential exploitation.
It remains unclear whether any users were affected by attacks exploiting the ESET flaw or who the specific targets were. In a comment to Recorded Future News, ESET said that it had not seen the flaw being exploited in the wild.
Kaspersky attributed the campaign to a hacker group known as ToddyCat, which has been active since at least 2020 and is known for targeting government and military organizations to steal sensitive data.
ESET said in a comment that it does not “possess the two malicious DLLs referenced in the article, so it is not possible to confirm the ToddyCat attribution.”
During the campaign, the hackers loaded a new tool dubbed TCDSB onto victims' devices, disguising it as a legitimate DLL — a common file type in the Windows operating system. It is designed to stealthily execute payloads while avoiding security and monitoring services. According to researchers, TCDSB is based on a previously known tool, EDRSandBlast, which cybercriminals use to bypass security protections.
The hackers likely modified the original code to extend the malware’s functionality, allowing it to alter key components of the operating system and disable system alerts that would typically notify users about events such as the creation of a new process or the loading of a file. TCDSB was found on multiple devices, Kaspersky said, but didn’t provide further details.
Russian researchers have not attributed ToddyCat to any specific nation-state, but previous reports suggest the group has targeted high-profile entities in Europe and Asia, as well as digital infrastructure in Taiwan and Vietnam. Other research has linked ToddyCat to “Chinese espionage activity.”
“This technique did not elevate privileges, though — the attacker would have already needed administrator privileges to perform this attack,” ESET said.
In an earlier campaign described by Kaspersky, ToddyCat targeted government services in the Asia-Pacific region to steal “large volumes of data.” Once inside a victim’s network, the group used various tunneling methods, including compromising VPN software and legitimate cloud providers.
By using different tunneling techniques, Kaspersky said, ToddyCat aimed to ensure that if one data-stealing method failed, others would still be available.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.