In today's digital environment, cyber attackers continue to develop new methods to bypass security defenses and compromise systems. A new strain of malware known as TCESB has been discovered exploiting a vulnerability in the ESET Security Scanner. This malware is the latest tool in a series of advanced attacks attributed to a Chinese-affiliated threat actor and is part of a threat activity cluster known as ToddyCat that has been targeting entities in Asia since December 2020.
The Mechanics of the Threat
TCESB gains its foothold by abusing a flaw in the ESET Command Line Scanner. The scanner insecurely loads a standard Microsoft library, version.dll, from its current directory rather than from the protected system directories. An attacker who can place a malicious version.dll in that directory therefore has it loaded in place of the legitimate one and seizes control of the execution flow on the affected device. The flaw was assigned CVE-2024-11859 with a medium risk score, and ESET addressed it in late January 2025 following responsible disclosure.
TCESB employs advanced techniques to evade analysis. It is a modified variant of the open-source tool EDRSandBlast and can alter operating system kernel structures so that the system's notification routines are disabled. It also uses a Bring Your Own Vulnerable Driver (BYOVD) technique, installing a Dell driver named DBUtilDrv2.sys through the Device Manager interface; this driver carries a known privilege-escalation flaw tracked as CVE-2021-36276. Once the driver is in place, TCESB runs a predefined routine that continuously polls for a payload file in a designated location. Payloads are encrypted with AES-128 and are decrypted and executed automatically as soon as they appear there.
Security researchers advise organizations to monitor installation events involving drivers with known vulnerabilities, and to watch for the loading of Windows kernel debug symbols on devices that are not expected to perform kernel debugging. Such measures can help surface the early signs of a TCESB infection.
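As an added illustration (not code from the original article or from any vendor), the following Python check runs over constructed Sysmon-style events and flags two of the signals described above: a known-vulnerable driver such as DBUtilDrv2.sys being loaded, and version.dll being loaded from outside the Windows system directories. The event field names follow Sysmon's driver-load and image-load events; the sample paths and process names are assumed.

```python
"""Flag two TCESB-related signals in constructed Sysmon-style events:
a known-vulnerable driver being loaded (BYOVD, DBUtilDrv2.sys / CVE-2021-36276)
and version.dll loaded from outside the system directories (the search-order
hijack behind CVE-2024-11859)."""
from pathlib import PureWindowsPath
from typing import Optional

# Driver names known to be vulnerable; in practice extend this with a hash-based list.
VULNERABLE_DRIVERS = {"dbutildrv2.sys"}
# Directories from which version.dll is legitimately loaded (assumed defaults).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _under_system_dir(path: str) -> bool:
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in SYSTEM_DIRS)


def analyse(event: dict) -> Optional[str]:
    """Return an alert string for a suspicious event, otherwise None."""
    eid = event.get("EventID")
    if eid == 6:  # Sysmon event 6: driver loaded
        name = PureWindowsPath(event["ImageLoaded"]).name.lower()
        if name in VULNERABLE_DRIVERS:
            return f"vulnerable driver loaded: {event['ImageLoaded']}"
    elif eid == 7:  # Sysmon event 7: image (DLL) loaded into a process
        loaded = event["ImageLoaded"]
        if PureWindowsPath(loaded).name.lower() == "version.dll" and not _under_system_dir(loaded):
            return f"version.dll sideloaded by {event['Image']} from {loaded}"
    return None


def scan(events: list) -> list:
    """Run analyse() over a batch of events and collect the alerts."""
    return [alert for alert in (analyse(e) for e in events) if alert]


# Constructed sample events (not real telemetry); paths and names are assumed.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "Image": r"C:\Users\Public\scan\scanner.exe",
     "ImageLoaded": r"C:\Users\Public\scan\version.dll"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\DBUtilDrv2.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```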
Conclusion
The emergence of TCESB malware represents a significant challenge in the continuous evolution of cyber threats. Its exploitation of a vulnerability in a trusted security tool underscores the need for constant vigilance and rapid response from cybersecurity professionals. As hackers develop increasingly sophisticated methods to infiltrate systems, organizations must adopt comprehensive security practices including regular patch updates, continuous monitoring, and robust incident response to safeguard their digital infrastructure.
About COE Security
COE Security is at the forefront of cybersecurity innovation and protection. We are dedicated to assisting organizations across government, defense, financial services, healthcare, education, and technology sectors. Our extensive services include advanced threat intelligence, continuous monitoring, responsive incident management, thorough security assessments, and penetration testing. We also provide expert guidance for regulatory compliance frameworks such as HIPAA, PCI DSS, and ISO 27001. At COE Security, our mission is to fortify your digital infrastructure and empower you with the tools to stay ahead of evolving threats.