A recently disclosed software vulnerability in ESET security products has been identified as a potential vector for discreet malware installation, according to findings published by the cybersecurity company Kaspersky.

Catalogued as CVE-2024-11859, the flaw permits the execution of a malicious dynamic-link library (DLL) by leveraging ESET's own antivirus scanning process. If exploited, the technique allows unauthorised code to run silently, bypassing standard system warnings and activity logs.

ESET, headquartered in Slovakia, acknowledged the issue in an advisory and issued a software update addressing the flaw. The company assigned it a medium severity rating, with a Common Vulnerability Scoring System (CVSS) score of 6.8 out of 10. ESET further indicated there is no current evidence that the vulnerability has been actively exploited in operational environments.

Kaspersky attributed the technique to a threat actor group known as ToddyCat, which has been observed since 2020 conducting operations against governmental and defence-related targets. While Kaspersky referenced the use of two specific DLLs in its analysis, ESET reported that it had not received samples of the files and could not independently confirm the attribution.

The malicious tool deployed in this case, named TCDSB by researchers, was disguised as a legitimate Windows DLL and designed to evade monitoring tools. The code appears to be a modified variant of EDRSandBlast, a known framework used to circumvent endpoint detection systems.

Modifications introduced in TCDSB are believed to enable interference with operating system components, suppressing alerts typically generated when new processes are initiated or external files loaded. Kaspersky reported multiple instances of the tool but did not identify affected organisations.

While no specific nation-state connection has been confirmed, ToddyCat has previously been associated with activities targeting institutions in Europe and Asia, as well as digital infrastructure in locations such as Taiwan and Vietnam. Some prior research has linked the group to broader cyber-espionage efforts attributed to Chinese interests.

According to ESET, successful use of the CVE-2024-11859 vulnerability requires existing administrative access to the target system, limiting the attack vector to post-compromise scenarios.

Kaspersky noted that the group employs a range of tunnelling techniques for data exfiltration, including abuse of virtual private networks and cloud services, often maintaining multiple exfiltration routes to ensure persistence even when individual channels are disrupted.