
APT Groups Exploit Vulnerability in ESET Software to Execute Malware


APT groups have exploited a vulnerability in ESET software to stealthily execute malware, bypassing security measures. The vulnerability, tracked as CVE-2024-11859, is a DLL Search Order Hijacking issue that allows an attacker with administrator privileges to load a malicious dynamic-link library and execute its code.

  • The ToddyCat APT group exploited a vulnerability in ESET software (CVE-2024-11859) to stealthily execute malware.
  • The vulnerability allows an attacker with administrator privileges to load a malicious dynamic-link library and execute its code.
  • The APT group used a DLL-proxying technique to bypass security measures, evading detection by traditional security tools.
  • ESET addressed the vulnerability in January 2025, issuing an advisory to warn users about potential exploitation.
  • The ToddyCat APT group's use of TCESB highlights the ongoing efforts by attackers to exploit vulnerabilities in widely used software.

In a development that highlights the ongoing cat-and-mouse game between defenders and APT (Advanced Persistent Threat) groups, the APT group tracked as ToddyCat has exploited a vulnerability in ESET software to execute malware stealthily, bypassing security measures. The vulnerability, tracked as CVE-2024-11859, is a DLL search order hijacking issue that could allow an attacker who already holds administrator privileges to load a malicious dynamic-link library and execute its code.

According to Kaspersky researchers, ToddyCat exploited the ESET vulnerability to deploy TCESB, a stealthy C++ tool designed to bypass security and monitoring tools. TCESB runs its malicious code through a DLL-proxying technique: the malicious dynamic-link library exports functions with the same names as a legitimate system library, but instead of implementing those functions it forwards each call to the original DLL. The loading program therefore behaves normally while the malicious code runs, which helps the tool evade detection by traditional security tools.

The tool was discovered in early 2024, when Kaspersky researchers found an unknown C++ tool while investigating ToddyCat attacks. The tool, dubbed TCESB, is designed to execute payloads stealthily and in circumvention of the protection and monitoring tools installed on the device. Analysis of the DLL library used by TCESB showed that it exports functions with the same names as a system library, which indicated that the attackers were using DLL proxying to run the malicious code.

The ESET vulnerability was identified after the group exploited it to deploy TCESB. Exploiting it lets an attacker plant a malicious dynamic-link library in a specific folder and have its content executed by running the ESET Command Line Scanner: the scanner loads the planted library in place of the intended system library, which lets the attacker bypass security measures.

ESET addressed CVE-2024-11859 in January 2025 and issued an advisory warning users about potential exploitation of the issue. The advisory noted that on systems with affected ESET products installed, an attacker could plant a malicious dynamic-link library and execute its content by running the ESET Command Line Scanner.
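The load behaviour described above (a familiar system-library file name loaded from an unfamiliar directory) is what DLL search order hijacking looks like in endpoint telemetry. The following is an added detection example, not code from this article, from Kaspersky or from ESET: it learns which DLL names normally load from the Windows system directories and flags the same names loading from anywhere else, for any loading process rather than only the ESET scanner. The Sysmon-style event format, the "ExampleAV" product, the "cliscan.exe" scanner name and every path are constructed assumptions.

```python
"""Detect DLL search order hijacking from image-load telemetry.

A planted library shadows a system DLL of the same name, so in the load log the
familiar file name appears from an unfamiliar directory. This added example
(not the article's or any vendor's code) learns which DLL names load from the
Windows system directories and flags the same names loading from anywhere
else. The event format and every path below are constructed for illustration.
"""
from pathlib import PureWindowsPath

# Directories a Windows system DLL is expected to load from (compared lower-cased).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed events in a Sysmon Event ID 7 ("Image loaded") style. "ExampleAV" and
# "cliscan.exe" are placeholders for a security product and its command-line scanner.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\dbghelp.dll|Signed=true",
    r"Image=C:\Program Files\ExampleAV\cliscan.exe|ImageLoaded=C:\Program Files\ExampleAV\scan_core.dll|Signed=true",
    r"Image=C:\Program Files\ExampleAV\cliscan.exe|ImageLoaded=C:\Users\Public\tools\version.dll|Signed=false",
    r"Image=C:\Users\alice\app.exe|ImageLoaded=C:\Users\alice\app.dll|Signed=false",
]


def parse_event(line: str) -> dict:
    """Split a 'Key=Value|Key=Value' record into a small dict."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return {
        "image": fields["Image"],
        "loaded": fields["ImageLoaded"],
        "signed": fields["Signed"].strip().lower() == "true",
    }


def _split_path(path: str) -> tuple[str, str]:
    """Return (directory, file name), both lower-cased, for a Windows path."""
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.name.lower()


def learn_system_dll_names(events) -> set[str]:
    """Baseline: DLL names that were seen loading from a system directory."""
    names = set()
    for ev in events:
        directory, name = _split_path(ev["loaded"])
        if directory in SYSTEM_DIRS:
            names.add(name)
    return names


def find_shadowed_loads(events, system_names) -> list[dict]:
    """Flag loads of a known system DLL name from outside the system directories."""
    findings = []
    for ev in events:
        directory, name = _split_path(ev["loaded"])
        if name in system_names and directory not in SYSTEM_DIRS:
            findings.append({
                "loader": ev["image"],
                "dll": name,
                "from": directory,
                # An unsigned shadow copy is the stronger signal; a signed one may be
                # a legitimate redistributable and still deserves review.
                "severity": "high" if not ev["signed"] else "medium",
            })
    return findings


def scan(lines) -> list[dict]:
    """Parse, baseline and scan in one pass. In production the baseline should
    come from a known-clean period rather than from the batch being inspected."""
    events = [parse_event(line) for line in lines]
    return find_shadowed_loads(events, learn_system_dll_names(events))


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['loader']} loaded {f['dll']} from {f['from']}")
```

On the constructed sample the only finding is the unsigned version.dll loaded by the placeholder scanner from a user-writable folder; the scanner's own scan_core.dll and a normal application DLL are not flagged because no system directory ever served those names. Pairing the finding with the loading process (here a security product's command-line tool) is what makes the alert actionable for an analyst.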

The ToddyCat APT group's use of TCESB highlights the ongoing efforts by attackers to exploit vulnerabilities in widely used software to deploy malware. As security vendors continue to develop new measures to counter these threats, users need to stay informed about potential vulnerabilities and take proactive steps to protect themselves from exploitation.

In recent months, several high-profile attacks have highlighted the risks of vulnerabilities in widely used software being exploited. For example, in December 2023, a group of hackers exploited four zero-day vulnerabilities in Cisco ASA firewalls to breach government networks. Similarly, in January 2024, Google fixed its first actively exploited Chrome zero-day of 2024.

The exploitation of vulnerabilities like CVE-2024-11859 by APT groups like ToddyCat is a reminder that cybersecurity is an ongoing battle between attackers and defenders. As new vulnerabilities are discovered and exploited, users must remain vigilant and take proactive steps to protect themselves from these threats.

In conclusion, the exploitation of the ESET vulnerability by the ToddyCat APT group highlights the ongoing efforts by attackers to exploit vulnerabilities in widely used software. The use of TCESB demonstrates the creative ways in which attackers can bypass security measures, and it underlines the need for users to stay informed about potential vulnerabilities and take proactive steps to protect themselves from exploitation.

Related Information:
  • https://www.ethicalhackingnews.com/articles/APT-Groups-Exploit-Vulnerability-in-ESET-Software-to-Execute-Malware-ehn.shtml

  • Published: Thu Apr 10 08:40:43 2025 by llama3.2 3B Q4_K_M
