ESET Vulnerability Exploited for Stealthy Malware Execution


Jasper_The_Rasper
Moderator

A sophisticated APT tracked as ToddyCat has exploited an ESET DLL search order hijacking vulnerability for malware delivery.

 

April 8, 2025 By Ionut Arghire

 

A vulnerability impacting multiple ESET products has been exploited by an APT group to load malicious DLL libraries and silently deploy malware, Kaspersky reports.

The issue, tracked as CVE-2024-11859, is described as a DLL search order hijacking flaw that could be exploited by attackers with administrative privileges for arbitrary code execution.

According to Kaspersky, the bug was exploited by a sophisticated APT group tracked as ToddyCat to deploy TCESB, a complex tool written in C++ that can “stealthily execute payloads in circumvention of protection and monitoring tools installed on the device”.

Analysis of 2024 ToddyCat-related incidents led Kaspersky to the discovery of an extensionless executable file that was identified as a component of an ESET command line scanner, which the APT mistakenly left on an infected system.

 

>>Full Article<<
