New TCESB Malware Discovered in Ongoing Attacks Targeting ESET Security Scanner Vulnerabilities

09.04.2025


A China-linked threat actor has been observed exploiting a vulnerability in ESET security software to deploy a previously undocumented tool called TCESB. Kaspersky, which analysed the malware, attributes it to ToddyCat, a group that has targeted organizations across the Asia-Pacific region since at least December 2020. According to Kaspersky, TCESB is built to execute payloads while evading the protection and monitoring tools running on the infected host.

TCESB is loaded through a DLL search-order hijacking flaw in the ESET Command Line Scanner. The scanner resolves version.dll, a legitimate Windows system library, by searching an attacker-writable directory before the Windows system directory, so a malicious version.dll placed in that location is loaded in place of the genuine one and runs inside the trusted, signed scanner process. The flaw is tracked as CVE-2024-11859; ESET released a fix in January 2025.
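To make the search-order problem concrete, the following Python model (an added illustration, not ESET's code or Kaspersky's) simulates how Windows resolves a bare DLL name. The directory layout, the application directory C:\Tools\scanner and the KnownDLLs subset are constructed for the example; the "cwd-first" case is an assumption that models an application which probes its working directory before the system directory, which is the class of flaw described above. The last case shows the standard fix: restricting the search to System32 with LOAD_LIBRARY_SEARCH_SYSTEM32 (via LoadLibraryEx or a process-wide SetDefaultDllDirectories).

```python
"""Simulation of the Windows DLL search order (added example, constructed
paths). Shows why a bare LoadLibrary("version.dll") can be satisfied by a
planted copy in an untrusted directory, and why a System32-only search is not.
"""
from __future__ import annotations

SYSTEM32 = r"C:\Windows\System32"

# Libraries listed under KnownDLLs are section-mapped from System32 and never
# searched for on disk. This subset is illustrative; note that version.dll is
# NOT a KnownDLL, which is what makes it a classic hijack target.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "gdi32.dll"}


def join(directory: str, name: str) -> str:
    """Minimal Windows path join (avoids host-OS path semantics)."""
    return directory.rstrip("\\") + "\\" + name


def default_search_order(app_dir: str, cwd: str, path_dirs: list[str]) -> list[str]:
    """Order used with SafeDllSearchMode on (the modern default): application
    directory, System32, current working directory, then PATH. The 16-bit
    system and Windows directories are elided for brevity."""
    return [app_dir, SYSTEM32, cwd, *path_dirs]


def resolve(dll: str, order: list[str], on_disk: set[str]) -> str | None:
    """Return the path Windows would load for a bare DLL name, or None."""
    if dll.lower() in KNOWN_DLLS:
        return join(SYSTEM32, dll)                 # KnownDLLs skip the directory walk
    lookup = {p.lower(): p for p in on_disk}       # case-insensitive file system
    for directory in order:
        hit = lookup.get(join(directory, dll).lower())
        if hit is not None:
            return hit
    return None


def resolve_system32_only(dll: str, on_disk: set[str]) -> str | None:
    """Equivalent of LoadLibraryEx(name, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)
    or SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32): only the
    system directory is ever consulted, so planted copies are never found."""
    return resolve(dll, [SYSTEM32], on_disk)


# Constructed host state: genuine DLLs in System32, plus an attacker copy of
# version.dll dropped into the directory the scanner is launched from.
APP_DIR = r"C:\Tools\scanner"                      # constructed, not a real install path
CWD = r"C:\Users\Public\work"
ON_DISK = {
    join(SYSTEM32, "version.dll"),
    join(SYSTEM32, "kernel32.dll"),
    join(CWD, "version.dll"),                      # planted by the attacker
}


def demo() -> dict[str, str | None]:
    order = default_search_order(APP_DIR, CWD, [r"C:\Windows"])
    return {
        # KnownDLL: always System32, regardless of what is on disk.
        "kernel32_default": resolve("kernel32.dll", order, ON_DISK),
        # Default order reaches System32 before the cwd, so the planted copy loses.
        "version_default": resolve("version.dll", order, ON_DISK),
        # An app that probes its working directory first loads the planted copy.
        "version_cwd_first": resolve("version.dll", [CWD, *order], ON_DISK),
        # If the app directory itself is writable, even the default order is hijacked.
        "version_app_dir_writable": resolve(
            "version.dll", order, ON_DISK | {join(APP_DIR, "version.dll")}),
        # Hardened loader: planted copies in cwd and app dir are never consulted.
        "version_system32_only": resolve_system32_only(
            "version.dll", ON_DISK | {join(APP_DIR, "version.dll")}),
    }


if __name__ == "__main__":
    for case, path in demo().items():
        print(f"{case:28s} -> {path}")
```

The two hijack cases differ only in which untrusted directory is searched before System32; the System32-only resolver closes both, which is why vendors fix this class of bug by changing the load call rather than by relocating the DLL.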

TCESB itself is a modified build of EDRSandBlast, an open-source tool for blinding endpoint security products. It manipulates kernel structures to disable the notification callbacks (process-, thread- and image-load notifications, for example) that security products register in order to observe activity. To obtain the kernel access this requires, it uses the bring-your-own-vulnerable-driver (BYOVD) technique: it installs Dell's DBUtilDrv2.sys, a legitimately signed driver with a known privilege escalation flaw (CVE-2021-36276) that has been abused in earlier attacks, and exploits it to read and write kernel memory. This gives the malware elevated privileges and control over the system well beyond what the hijacked scanner process alone would provide.

Once running, TCESB polls a directory on the host for specific payload files and, when they appear, decrypts and executes them. The payloads themselves have not been recovered; Kaspersky assesses that they are encrypted with AES-128 and are launched as soon as they are dropped into the watched directory. To detect this kind of attack, monitor for the installation of drivers with known vulnerabilities and for kernel debugging artefacts, such as Windows kernel debug symbols being loaded, on hosts where no kernel debugging is expected.
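The following Python script is an added example of what those detections look like when run over endpoint telemetry; it is not Kaspersky's or ESET's code. It consumes constructed Sysmon-style events (the log records below are made up, not captured from a real incident) and raises alerts on three signals from this article: version.dll loaded from outside the Windows system directories (Event 7, ImageLoad), a known vulnerable driver loaded by name or hash (Event 6, DriverLoad), and a process other than a debugger reaching the Microsoft symbol server (Event 3, NetworkConnect), which is how EDRSandBlast-style tools obtain kernel structure offsets. The driver list, the placeholder SHA-256 values and the allow-list of symbol-server clients are assumptions for illustration; a production rule would use a maintained vulnerable-driver list.

```python
"""Detection logic for the TCESB tradecraft described above, run over
constructed Sysmon-style events (added example; all records are made up)."""
from __future__ import annotations
from pathlib import PureWindowsPath

# Directories from which the genuine version.dll is expected to be loaded.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Known vulnerable drivers: illustrative subset. Match on hash as well as name
# so a renamed copy of the driver is still caught. The hash below is a
# PLACEHOLDER for the example, not the real hash of DBUtilDrv2.sys.
VULNERABLE_DRIVER_NAMES = {"dbutildrv2.sys", "dbutil_2_3.sys"}
VULNERABLE_DRIVER_SHA256 = {"0" * 64}             # placeholder value

# Symbol-server access is normal for debuggers and IDEs, suspicious elsewhere.
SYMBOL_SERVERS = {"msdl.microsoft.com"}
EXPECTED_SYMBOL_CLIENTS = {"windbg.exe", "windbgx.exe", "devenv.exe"}  # assumed allow-list


def parse_hashes(field: str) -> dict[str, str]:
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return {ALGO: lowercase hex}."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_image_load(ev: dict) -> str | None:
    """Event 7: version.dll resolved anywhere but System32/SysWOW64."""
    loaded = PureWindowsPath(ev["ImageLoaded"])
    if loaded.name.lower() != "version.dll":
        return None
    if str(loaded.parent).lower() in TRUSTED_DLL_DIRS:
        return None
    return f"DLL search-order hijack: {ev['Image']} loaded {loaded}"


def check_driver_load(ev: dict) -> str | None:
    """Event 6: driver on the vulnerable list by file name or SHA-256."""
    loaded = PureWindowsPath(ev["ImageLoaded"])
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if loaded.name.lower() in VULNERABLE_DRIVER_NAMES or sha256 in VULNERABLE_DRIVER_SHA256:
        return f"BYOVD: known vulnerable driver loaded: {loaded}"
    return None


def check_symbol_fetch(ev: dict) -> str | None:
    """Event 3: kernel debug symbols fetched by a process that is not a debugger."""
    host = ev.get("DestinationHostname", "").lower()
    if host not in SYMBOL_SERVERS:
        return None
    process = PureWindowsPath(ev["Image"]).name.lower()
    if process in EXPECTED_SYMBOL_CLIENTS:
        return None
    return f"Kernel symbol download by unexpected process: {ev['Image']} -> {host}"


CHECKS = {7: check_image_load, 6: check_driver_load, 3: check_symbol_fetch}


def scan(events: list[dict]) -> list[str]:
    """Run every applicable check and return the alerts in event order."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check is not None:
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: four malicious records interleaved with three benign ones.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\work\ecls.exe",
     "ImageLoaded": r"C:\Users\Public\work\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\work\DBUtilDrv2.sys",
     "Hashes": "SHA256=" + "0" * 64, "Signed": "true"},          # caught by name
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\work\update.sys",
     "Hashes": "SHA256=" + "0" * 64, "Signed": "true"},          # renamed: caught by hash
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signed": "true"},          # benign placeholder hash
    {"EventID": 3, "Image": r"C:\Users\Public\work\ecls.exe",
     "DestinationHostname": "msdl.microsoft.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Windows Kits\10\Debuggers\x64\windbg.exe",
     "DestinationHostname": "msdl.microsoft.com", "DestinationPort": 443},
]


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The hash check is what makes the driver rule robust: BYOVD tooling routinely renames the driver file, so a name-only rule misses the fourth record while the hash rule still fires. The symbol-server rule is a heuristic and will need tuning on developer workstations; on servers and ordinary user endpoints, any process pulling kernel PDBs deserves a look.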

ESET has addressed the vulnerability in its Windows products and released updates that close the DLL loading flaw. Organizations and users should confirm that the Command Line Scanner and the rest of their ESET installation are updated to a fixed version, since an unpatched scanner remains a signed, trusted host for TCESB or any other DLL an attacker can place in its search path.
