Chinese ToddyCat Hackers Exploit ESET Antivirus Flaw in Shocking Malware Campaign

A dangerous cyber group called ToddyCat, linked to China, has been using a serious bug in ESET antivirus software to launch malicious attacks. Antivirus software is designed to protect computers from viruses and hackers, but in this case, a flaw in the antivirus itself has opened the door for attackers to sneak in harmful programs.

The bug, known as CVE-2024-11859, involves something called DLL search order hijacking. This sounds complex, but it’s simple to understand.

When ESET antivirus runs certain tools, they need help from small files called DLLs (dynamic-link libraries). These files act like instruction guides for programs. Normally, a tool should look for these files in safe, trusted Windows system folders. But in this case, the ESET tool asks for the DLL by name and checks the folder it is running from before it checks the trusted folders.

Hackers use this to their advantage. They place a fake, harmful DLL file in that folder. The tool then picks up the bad file instead of the real one. It runs the malicious file, thinking it’s safe.


The problem was discovered last year by cybersecurity researchers at Kaspersky. ESET released a fix for the flaw in January 2024. However, not every user or business installs updates right away, and ToddyCat has taken advantage of this delay to carry out secret attacks on vulnerable systems.

How Do the Hackers Use It?

ToddyCat’s method isn’t something a beginner hacker could pull off. It requires the attacker to already have high-level access to the computer system they want to target. That means this isn’t just a random virus that spreads through emails or downloads. Instead, hackers use it in more advanced cyberattacks after they gain access to a network and want to stay hidden while causing more damage.

Once inside a system, ToddyCat places a file called version.dll in a temporary folder. Because of the bug, when ESET’s Command Line Scanner is launched, it sees this file and loads it, thinking it’s a safe system file. But this version.dll is actually a harmful file that starts a chain reaction.

The loaded file runs a special type of malware called TCESB. It is written in the C++ programming language. Once it starts, TCESB checks which version of Windows is running. Then it turns off alerts that would normally warn users about strange activity.

Next, it installs a legitimate but known-vulnerable driver, a weak piece of software that the malware abuses to hide from security tools.

After that, TCESB launches one last harmful file. This part is especially worrying. Researchers don’t know what it does because they couldn’t get a sample of it.

Cybersecurity researchers noticed this behavior while investigating ToddyCat’s past attacks. Researchers found the version.dll file on multiple infected computers. ToddyCat had never used this file before, which shows the group constantly searches for new ways to bypass security systems. The attackers clearly designed the file to perform its tasks quietly without triggering any red flags on the infected computers.


Which ESET Products Are Affected?

The bug affects many different versions of ESET antivirus software, including both consumer and business products. This means that it’s not just home computers that are at risk, but also office computers and even servers used in large companies.

Kaspersky has released indicators of compromise (IoCs) to help organizations check whether they have been targeted. These IoCs describe signs of infection, such as suspicious files or actions performed by the malware. Kaspersky recommends checking for unexpected copies of system DLLs such as version.dll outside the Windows system folders and examining installed drivers for known vulnerabilities or outdated versions.
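The search-order problem described earlier and the file check recommended above can be put into a small defensive script. The following is an added example, not code from the article, from Kaspersky or from ESET: it flags any DLL that carries the name of a Windows system DLL (version.dll is the one the article names; the other names in the list are assumed additions a defender would extend from their own inventory of System32) but sits outside the trusted system directories, which is exactly the placement a hijack relies on. The file listing is constructed for the example; the scanner executable and folder names are placeholders, not real ESET paths.

```python
"""Flag DLL search-order hijacking candidates: DLLs named like a Windows
system DLL but located outside the trusted system directories."""
import os
from pathlib import PureWindowsPath

# DLLs that legitimate programs import by name and expect to come from the
# system directory. version.dll is from the article; the rest are assumed
# examples. A real deployment would build this set from %SystemRoot%\System32.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll"}

# Directories from which a system DLL is expected to be loaded.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def is_in_trusted_dir(path):
    """True if the file lives under one of the trusted system directories.
    PureWindowsPath compares case-insensitively, as Windows does."""
    p = PureWindowsPath(path)
    return any(trusted in p.parents for trusted in TRUSTED_DIRS)


def find_hijack_candidates(paths):
    """Return every path whose file name matches a system DLL name but which
    sits outside the trusted directories (next to an executable, in a temp
    folder, and so on). Such a file deserves a signature check and review."""
    hits = []
    for path in paths:
        name = PureWindowsPath(path).name.lower()
        if name in SYSTEM_DLL_NAMES and not is_in_trusted_dir(path):
            hits.append(path)
    return hits


def scan_directory(root):
    """Walk a real directory tree and run the same check on every file."""
    paths = [
        os.path.join(dirpath, filename)
        for dirpath, _dirs, files in os.walk(root)
        for filename in files
    ]
    return find_hijack_candidates(paths)


# Constructed file listing for the example (placeholder paths, not real IoCs).
SAMPLE_LISTING = [
    r"C:\Windows\System32\version.dll",              # legitimate copy
    r"C:\Windows\System32\kernel32.dll",             # legitimate, not in watch list
    r"C:\Users\alice\AppData\Local\Temp\version.dll",  # temp folder: suspicious
    r"C:\Tools\scanner\scanner.exe",                 # placeholder scanner binary
    r"C:\Tools\scanner\version.dll",                 # beside the exe: suspicious
    r"C:\Tools\scanner\config.xml",
]

if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_LISTING):
        print("review:", hit)
```

The check is deliberately name-based and file-system-only so it runs anywhere; on a live Windows host the natural next step is to verify the Authenticode signature of each flagged file and compare it with the copy in System32, since a hijacking DLL will not carry Microsoft's signature.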

This situation is a strong reminder that keeping software updated is one of the most important steps in staying safe from cyberattacks. Even trusted programs like antivirus tools can become dangerous if flaws aren’t fixed and updates aren’t applied quickly.

Renuka Bangale
Renuka is a distinguished Chartered Accountant and a Certified Digital Threats Analyst from Riskpro, renowned for her expertise in cybersecurity. With a deep understanding of cybercrimes, malware, cyber warfare, and espionage, she has established herself as an authority in the field. Renuka combines her financial acumen with advanced knowledge of digital threats to provide unparalleled insights into the evolving landscape of information security. Her analytical prowess enables her to dissect complex cyber incidents, offering clarity on risks and mitigation strategies. As a key contributor to Newsinterpretation’s information security category, Renuka delivers authoritative articles that educate and inform readers about emerging threats and best practices.
