TRENDING TOPICS APR 09, 2025

ToddyCat Deploys TCESB Malware by Exploiting ESET Flaw and Dell Driver Weakness 

ToddyCat, a China-affiliated threat actor known for espionage-focused operations in Asia, has been linked to a campaign exploiting CVE-2024-11859, a DLL search-order hijacking vulnerability in ESET's Command Line Scanner. The scanner resolved the Windows library version.dll by name, so an attacker who already held administrator-level access could drop a malicious version.dll into the scanner's own directory and have it loaded in place of the legitimate copy in System32. Kaspersky found the malicious DLL, which it named TCESB, in early 2024 while investigating ToddyCat activity; ESET patched the flaw in January 2025 across its Windows product lines. The exploit provides no privilege escalation, but it lets attacker code run inside a trusted, signed security process, which blunts detection and complicates response. Its appearance is a new development in ToddyCat's toolset, which previously relied on other persistence and lateral-movement techniques.

TCESB is a modified build of the open-source EDRSandBlast tool, adapted to disable the kernel notification callbacks that defensive products register to observe system events such as process and thread creation. To reach the kernel it uses a Bring Your Own Vulnerable Driver (BYOVD) technique, installing the vulnerable Dell driver DBUtilDrv2.sys (CVE-2021-36276); the same driver has been abused in past campaigns, including by North Korea's Lazarus Group, because it grants arbitrary kernel memory read and write without the alerts that loading an unsigned or attacker-written driver would raise. Once the driver is loaded, TCESB enters a loop that checks every two seconds for an AES-128-encrypted payload file in its working directory; when the file appears, it is decrypted and executed immediately, with no restart or user interaction.
Although the payload itself has not been recovered, this behavior points to a modular design in which the attackers can deliver additional components at will. Defenders are advised to monitor for installation events of drivers with known vulnerabilities, and for the loading of Windows kernel debug symbols (which TCESB needs in order to locate kernel structures) on hosts where kernel debugging is not expected.
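As an added illustration (not code from Kaspersky's report or from this page), the following Python implements the two detections the advice above calls for, run over a few constructed Sysmon-style records: Event ID 7 (image loaded) for a Windows system DLL such as version.dll loaded from an application directory rather than System32 or SysWOW64, and Event ID 6 (driver loaded) for a driver on a known-vulnerable list. The file paths, the system-DLL list and the driver list are assumptions made for the example; in production, match drivers by SHA-256 against a curated list such as LOLDrivers rather than by file name, which an attacker can change.

```python
import ntpath

# Windows system DLLs that are commonly hijacked via search order; a process
# loading one from its own directory instead of a system directory is suspect.
# Illustrative list (assumed for the example); extend it from your own baseline.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)
# Drivers with known kernel read/write flaws abused for BYOVD. Name matching is
# for illustration only; in practice match SHA-256 against a list like LOLDrivers.
VULNERABLE_DRIVERS = {"dbutildrv2.sys"}


def _norm(path):
    """Lower-case and use backslashes so prefix checks are case-insensitive."""
    return path.replace("/", "\\").lower()


def check_image_load(ev):
    """Sysmon Event ID 7 (Image loaded): alert when a system DLL is loaded
    from anywhere other than the Windows system directories."""
    loaded = _norm(ev["ImageLoaded"])
    name = ntpath.basename(loaded)
    if name not in SYSTEM_DLLS or loaded.startswith(SYSTEM_DIRS):
        return None
    return (f"dll-hijack: {ev['Image']} loaded {name} "
            f"from {ntpath.dirname(ev['ImageLoaded'])}")


def check_driver_load(ev):
    """Sysmon Event ID 6 (Driver loaded): alert on a known-vulnerable driver
    wherever it was loaded from, since BYOVD attackers drop it anywhere."""
    name = ntpath.basename(_norm(ev["ImageLoaded"]))
    if name in VULNERABLE_DRIVERS:
        return f"byovd: vulnerable driver {name} loaded from {ev['ImageLoaded']}"
    return None


def analyze(events):
    """Route each record to the check for its event ID; return alert strings."""
    alerts = []
    for ev in events:
        alert = None
        if ev["EventID"] == 7:
            alert = check_image_load(ev)
        elif ev["EventID"] == 6:
            alert = check_driver_load(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real telemetry); the paths are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\ESET\ESET Security\ecls.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},                 # legitimate
    {"EventID": 7, "Image": r"C:\Users\Public\tools\ecls.exe",
     "ImageLoaded": r"C:\Users\Public\tools\version.dll"},                # hijack
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},  # benign
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\tools\DBUtilDrv2.sys"},   # BYOVD
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\version.dll"},                 # legitimate
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed records it raises exactly two alerts: the copy of version.dll loaded from the tools directory and the DBUtilDrv2.sys load. The first rule deliberately ignores which process did the loading, because the hijacked binary is the legitimate, signed scanner; the location of the DLL is the signal.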

Threat Actors Exploit SourceForge to Deliver Cryptocurrency Malware via Fake Microsoft Add-ins 

Threat actors have been caught abusing SourceForge's project hosting to distribute malware disguised as Microsoft Office add-in development tools. The attackers registered a project named "officepackage" whose description and files were copied from Microsoft's legitimate Office-Addin-Scripts repository on GitHub. Using the separate web-hosting feature that SourceForge offers each project, they built a page that mimicked a developer portal, complete with download buttons and tool descriptions, and search engines indexed it well enough that it surfaced for queries such as "office add-ins". Users who downloaded what looked like trusted developer utilities received a password-protected ZIP containing a roughly 700 MB MSI installer, padded with junk to push it past the size at which many antivirus engines stop scanning. Running the installer unpacked UnRAR.exe, RAR archives and VBScript files that started the infection chain: a script first probes the environment for sandboxes and security tools and, if it finds none, downloads and runs a batch file that unpacks the next stage. That stage contains an AutoIt interpreter, a Netcat reverse shell and two DLLs, Icon.dll and Kape.dll, which serve as a cryptocurrency miner and a clipper respectively. The miner consumes the victim's CPU to mine for the attacker, while the clipper watches the clipboard and silently replaces any copied wallet address with one the attacker controls. Basic system information is sent to the attacker through the Telegram API, over which additional payloads can be pushed after infection. Before the project was taken down, Kaspersky counted more than 4,600 affected systems, the large majority in Russia. SourceForge has stated that no malicious files were hosted on its main site, that the offending project web page was removed quickly, and that it is adding controls against similar abuse through external links and redirects. 
This incident underscores the risk of trusting third-party mirrors and search rankings, and the need to download developer tools only from the vendor's verified official sources, checking the published signature or hash where one exists.
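The inflated installer is worth a check of its own, independent of antivirus verdicts. As an added example (not Kaspersky's code or anything from the page), the Python below scans a file in fixed-size chunks, measures each chunk's byte entropy, and reports what fraction of the file is near-constant filler; an installer that is hundreds of megabytes but mostly filler deserves suspicion regardless of what the scanner said. The sample "installer" is constructed inside the block (random bytes followed by zero padding); the thresholds, and the assumption that the padding is low-entropy rather than random, are the example's and not measurements of the real file.

```python
import math
import os
from collections import Counter


def chunk_entropy(chunk):
    """Shannon entropy in bits per byte: 0.0 for constant data, ~8.0 for random."""
    n = len(chunk)
    if n == 0:
        return 0.0
    counts = Counter(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def filler_ratio(data, chunk_size=64 * 1024, low_entropy=1.0):
    """Fraction of chunks whose entropy is below `low_entropy` bits per byte.
    Repetitive filler (zeros, a repeated string) scores near 0; compressed or
    packed code scores near 8, so a high ratio means most of the file is padding."""
    chunks = range(0, len(data), chunk_size)
    if not chunks:
        return 0.0
    low = sum(1 for off in chunks
              if chunk_entropy(data[off:off + chunk_size]) < low_entropy)
    return low / len(chunks)


def looks_inflated(data, min_size=100 * 2**20, threshold=0.9):
    """Flag files that are both large and dominated by filler. The size gate
    keeps small, legitimately sparse files from alerting; lower it for testing."""
    return len(data) >= min_size and filler_ratio(data) >= threshold


def build_sample(payload_size=256 * 1024, padding_size=4 * 2**20):
    """Constructed stand-in for a padded installer: random 'code' plus zero padding
    (assumption: the real sample's filler is repetitive, not random)."""
    return os.urandom(payload_size) + b"\x00" * padding_size


if __name__ == "__main__":
    sample = build_sample()
    print(f"size={len(sample)} filler_ratio={filler_ratio(sample):.2f} "
          f"inflated={looks_inflated(sample, min_size=2**20)}")
```

On the constructed sample about 94% of the chunks are filler, so it is flagged once the size gate is lowered to match the sample's size; a file of the same size made entirely of random bytes is not. Padding made of random bytes would defeat this particular test, which is why the check belongs alongside, not instead of, hash verification against the vendor's published value.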

WhatsApp for Windows Vulnerability (CVE-2025-30401) Could Enable Code Execution via File Spoofing 

Meta has patched a vulnerability in WhatsApp for Windows, tracked as CVE-2025-30401, that could allow an attacker to execute arbitrary code by sending a specially crafted attachment. Described as a spoofing issue, the flaw stems from WhatsApp displaying an attachment according to its MIME type while choosing the program that opens it based on the file name's extension. A file sent with an image or document MIME type but an executable extension would therefore be shown as a harmless picture or document and, when the recipient opened it manually, run as code. The bug affects all versions of WhatsApp for Windows before 2.2450.6, which fixes it. Meta credited an external researcher who reported the flaw through its bug bounty program; no in-the-wild exploitation has been confirmed. The issue echoes a similar flaw patched in mid-2024, in which Python and PHP attachments could be executed without warning if the recipient's device had a matching interpreter installed.

WhatsApp has become a recurring target for spyware deployment because of its global user base and encrypted messaging. In recent months, Citizen Lab uncovered a zero-click exploit used to install Paragon's Graphite spyware on Android users across more than two dozen countries; Meta mitigated it server-side and did not assign a CVE, citing its internal policies on CVE assignment. Court filings from December 2024 in WhatsApp's suit against NSO Group also confirmed that NSO used zero-day vulnerabilities in WhatsApp to deploy Pegasus spyware in zero-click attacks affecting at least 1,400 users, and described how NSO developers reverse-engineered WhatsApp's code to craft messages that silently installed the spyware.
The repeated targeting of WhatsApp by surveillance vendors underscores the need to apply updates immediately and to treat unexpected attachments with caution, even when they arrive from a known contact, since that contact's account may itself be compromised.
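The rule that closes this class of bug is to derive how an attachment is handled from a single property, and to refuse when two properties disagree. As an added example (not WhatsApp's code or the fix Meta shipped), the Python below derives the expected MIME type from the file name's extension, refuses any name whose extension maps to an executable or script, and refuses when the sender-declared MIME type and the extension-derived type disagree. The executable-extension list, the sample attachments and the decision to block rather than warn are assumptions made for the example.

```python
import mimetypes
import posixpath

# Extensions that Windows, or a commonly installed interpreter, would execute
# when the file is opened with its default handler. Illustrative, not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi", ".hta",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".lnk", ".py", ".php",
}


def normalize_name(filename):
    """Keep only the base name and strip trailing dots and spaces, which Windows
    ignores (so 'photo.exe .' would still be opened as an .exe)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(" .")


def decide(filename, declared_mime):
    """Return (action, detail): ('open', mime) or ('block', reason).

    The extension is the only input used to pick a handler, so every check
    is made against it; the declared MIME type is trusted only when it agrees."""
    name = normalize_name(filename)
    ext = posixpath.splitext(name)[1].lower()
    declared = declared_mime.split(";", 1)[0].strip().lower()  # drop parameters
    if not ext:
        return "block", "no extension: handler cannot be determined safely"
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"executable extension {ext}"
    expected, _ = mimetypes.guess_type(name, strict=False)
    if expected is None:
        return "block", f"unknown extension {ext}"
    if expected.lower() != declared:
        return "block", f"declared {declared} but {ext} implies {expected}"
    return "open", expected


# Constructed attachments (sender-declared MIME type beside the file name).
SAMPLE_ATTACHMENTS = [
    ("holiday.jpg", "image/jpeg"),        # consistent: open
    ("holiday.jpg.exe", "image/jpeg"),    # the CVE-2025-30401 pattern: block
    ("invoice.pdf", "application/pdf"),   # consistent: open
    ("invoice.pdf", "image/png"),         # mismatch: block
    ("script.py", "text/plain"),          # the mid-2024 pattern: block
    ("README", "text/plain"),             # no extension: block
]

if __name__ == "__main__":
    for name, mime in SAMPLE_ATTACHMENTS:
        print(f"{name:18} {mime:18} -> {decide(name, mime)}")
```

Blocking on any disagreement is stricter than a client needs to be, but it is the safe default: the attacker controls both the file name and the declared type, so the only property the receiving side should trust is the one its own operating system will act on.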

Update: Mirai-Based Botnet Targets TVT NVMS9000 DVRs Through Exploitable Credential Leak Vulnerability 

A sharp rise in exploitation attempts against TVT NVMS9000 digital video recorders (DVRs) was observed on April 3, 2025, peaking at more than 2,500 unique IP addresses scanning for vulnerable devices. The surge is tied to an information disclosure vulnerability published in May 2024 by SSD Advisory, whose write-up showed how a single crafted TCP request makes the device return its administrator credentials in plaintext. Because those credentials grant full administrative access, exploitation amounts to an authentication bypass that exposes every DVR function and command. GreyNoise, which detected the activity, attributes the spike to a Mirai-based malware variant compromising exposed DVRs for botnet recruitment; recruited devices are typically used to launch DDoS attacks, mine cryptocurrency or act as proxies for other malicious operations. In the past month GreyNoise flagged more than 6,600 distinct IPs involved in this activity, all classified as malicious and non-spoofable (its sensors saw completed TCP sessions), with most of the traffic originating from Taiwan, Japan and South Korea. The NVMS9000 DVRs, made by Shenzhen-based TVT Digital Technology, are widely deployed in surveillance systems in the United States, the United Kingdom and Germany, where most of the targets are located. The last known firmware update for these devices was released in 2018, which raises doubts about long-term vendor support. SSD Advisory recommends updating to firmware version 1.3.4 or later; where that is not possible because of the device's age, the DVR's management and streaming ports should be kept off the internet (behind a VPN or restricted to known addresses) and inbound traffic from the malicious IP ranges published by GreyNoise should be blocked. Signs of a Mirai infection include high CPU usage, frequent crashes, degraded performance and unexplained outbound traffic. 
If compromise is suspected, disconnect the DVR immediately, perform a full factory reset, install the latest available firmware, and place the device on a segmented network away from sensitive systems; a reset alone does not close the credential leak, so an unpatched device that is exposed again will simply be reinfected. This incident highlights the continued risk posed by aging, internet-exposed IoT devices and the need for active lifecycle management in surveillance infrastructure.
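Both the scanning wave and the "unexplained outbound traffic" of a recruited device can be checked from perimeter logs. As an added example (not GreyNoise's or SSD Advisory's code), the Python below parses constructed firewall log lines, counts the distinct source addresses that touched the DVR's service port each day and flags a day that jumps far above the prior baseline, and separately lists outbound destinations the DVR itself contacted that are not on an allow list. The DVR address, the allow list, the log format and the use of TCP port 9000 as the NVMS9000 service port are assumptions for the example; adjust them to your environment.

```python
from collections import defaultdict

DVR_IP = "192.0.2.10"                           # assumed DVR address (documentation range)
DVR_PORT = 9000                                 # assumed NVMS9000 service port
ALLOWED_OUTBOUND = {"192.0.2.1", "203.0.113.5"}  # assumed: gateway and NTP server


def parse_line(line):
    """Parse '<date> <time> <src_ip>:<port> -> <dst_ip>:<port> <proto> <action>'."""
    date, _time, src, _arrow, dst, proto, action = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"date": date, "src": src_ip, "dst": dst_ip,
            "dport": int(dst_port), "proto": proto, "action": action}


def unique_sources_per_day(records):
    """Distinct source IPs per day that touched the DVR service port. Denied
    connections count too: the point is to see the scanning wave, not successes."""
    per_day = defaultdict(set)
    for r in records:
        if r["dst"] == DVR_IP and r["dport"] == DVR_PORT:
            per_day[r["date"]].add(r["src"])
    return {day: len(srcs) for day, srcs in per_day.items()}


def scan_spikes(per_day, factor=5, min_sources=20):
    """Flag days whose unique-source count is at least `factor` times the
    highest earlier day and at least `min_sources` (so a baseline of two or
    three addresses does not make every small change a spike).
    Returns a list of (day, count, baseline)."""
    alerts = []
    days = sorted(per_day)
    for i, day in enumerate(days):
        baseline = max((per_day[d] for d in days[:i]), default=0)
        count = per_day[day]
        if count >= min_sources and count >= factor * max(baseline, 1):
            alerts.append((day, count, baseline))
    return alerts


def outbound_anomalies(records):
    """Destinations the DVR itself connected to that are not on the allow list.
    A DVR has no business opening connections to arbitrary hosts."""
    return sorted({r["dst"] for r in records
                   if r["src"] == DVR_IP and r["dst"] not in ALLOWED_OUTBOUND})


def build_sample_log():
    """Constructed log (not real data): two quiet days, then a scanning wave and
    a new outbound connection from the DVR to an unknown host on port 23."""
    lines = []
    for day, n in (("2025-04-01", 3), ("2025-04-02", 4), ("2025-04-03", 40)):
        for i in range(1, n + 1):
            lines.append(f"{day} 10:{i:02d}:00 198.51.100.{i}:51234 -> "
                         f"{DVR_IP}:{DVR_PORT} TCP DENY")
    lines.append(f"2025-04-02 12:00:00 {DVR_IP}:40000 -> 203.0.113.5:123 UDP ALLOW")
    lines.append(f"2025-04-03 11:00:00 {DVR_IP}:40001 -> 198.51.100.200:23 TCP ALLOW")
    return lines


def analyze(lines):
    """Return (spike alerts, unexpected outbound destinations) for a log."""
    records = [parse_line(line) for line in lines]
    return scan_spikes(unique_sources_per_day(records)), outbound_anomalies(records)


if __name__ == "__main__":
    spikes, outbound = analyze(build_sample_log())
    print("scanning spikes:", spikes)
    print("unexpected outbound destinations:", outbound)
```

On the constructed log the third day is flagged (40 distinct sources against a baseline of 4) and the DVR's connection to the unknown host is listed. The spike rule is deliberately conservative; if the device should not be reachable from the internet at all, a single external source hitting the service port is already the finding, and the exposure should be removed rather than monitored.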

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.