Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner

The Hacker News by The Hacker News
April 9, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Apr 09, 2025Ravie LakshmananWindows Security / Vulnerability

A Chinese-affiliated threat actor known for its cyber-attacks in Asia has been observed exploiting a security flaw in security software from ESET to deliver a previously undocumented malware codenamed TCESB.

“Previously unseen in ToddyCat attacks, [TCESB] is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device,” Kaspersky said in an analysis published this week.

ToddyCat is the name given to a threat activity cluster that has targeted several entities in Asia, with attacks dating all the way back to at least December 2020.

Last year, the Russian cybersecurity vendor detailed the hacking group’s use of various tools to maintain persistent access to compromised environments and harvest data on an “industrial scale” from organizations located in the Asia-Pacific region.

Cybersecurity

Kaspersky said its investigation into ToddyCat-related incidents in early 2024 unearthed a suspicious DLL file (“version.dll”) in the temp directory on multiple devices. The 64-bit DLL, TCESB, has been found to be launched via a technique called DLL Search Order Hijacking to seize control of the execution flow.

This, in turn, is said to have been accomplished by taking advantage of a flaw in the ESET Command Line Scanner, which insecurely loads a DLL named “version.dll” by first checking for the file in the current directory and then checking for it in the system directories.

It’s worth pointing out at this stage that “version.dll” is a legitimate version-checking and file installation library from Microsoft that resides in the “C:Windowssystem32” or “C:WindowsSysWOW64” directories.

A consequence of exploiting this loophole is that attackers could execute their malicious version of “version.dll” as opposed to its legitimate counterpart. The vulnerability, tracked as CVE-2024-11859 (CVSS score: 6.8), was fixed by ESET in late January 2025 following responsible disclosure.

TCESB Malware

“The vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code,” ESET said in an advisory released last week. “This technique did not elevate the privileges, though – the attacker would have already needed to have administrator privileges to perform this attack.”

In a statement shared with The Hacker News, the Slovak cybersecurity company said it released fixed builds of its consumer, business, and server security products for the Windows operating system to address the vulnerability.

TCESB, for its part, is a modified version of an open-source tool called EDRSandBlast that includes features to alter operating system kernel structures to disable notification routines (aka callbacks), which are designed to allow drivers to be notified of specific events, such as process creation or setting a registry key.

Cybersecurity

To pull this off, TCESB leverages another known technique referred to as bring your own vulnerable driver (BYOVD) to install a vulnerable driver, a Dell DBUtilDrv2.sys driver, in the system through the Device Manager interface. The DBUtilDrv2.sys driver is susceptible to a known privilege escalation flaw tracked as CVE-2021-36276.

This is not the first Dell drivers have been abused for malicious purposes. In 2022, a similar privilege escalation vulnerability (CVE-2021-21551) in another Dell driver, dbutil_2_3.sys, was also exploited as part of BYOVD attacks by the North Korea-linked Lazarus Group to turn off security mechanisms.

“Once the vulnerable driver is installed in the system, TCESB runs a loop in which it checks every two seconds for the presence of a payload file with a specific name in the current directory – the payload may not be present at the time of launching the tool,” Kaspersky researcher Andrey Gunkin said.

While the payload artifacts themselves are unavailable, further analysis has determined that they are encrypted using AES-128 and that they are decoded and executed as soon as they appear in the specified path.

“To detect the activity of such tools, it’s recommended to monitor systems for installation events involving drivers with known vulnerabilities,” Kaspersky said. “It’s also worth monitoring events associated with loading Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Google mobilizes partners to drive agentic AI across clouds

Google mobilizes partners to drive agentic AI across clouds

Recommended.

AT&T Stands Up for Consumers Duped by Competitors Misleading Claims

AT&T Stands Up for Consumers Duped by Competitors Misleading Claims

October 23, 2025
Game Developers Are Getting Fed Up With Their Bosses’ AI Initiatives

Game Developers Are Getting Fed Up With Their Bosses’ AI Initiatives

January 21, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio