{
	"id": "5486ad23-3c06-4b5f-b9c2-2dd12dfa17bd",
	"created_at": "2026-04-06T00:09:54.552969Z",
	"updated_at": "2026-04-10T03:33:16.34623Z",
	"deleted_at": null,
	"sha1_hash": "fefe53dbacda88651b2a5a3a84ca4802aeb1b595",
	"title": "How ToddyCat tried to hide behind AV software",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 884826,
	"plain_text": "How ToddyCat tried to hide behind AV software\r\nBy Andrey Gunkin\r\nPublished: 2025-04-07 · Archived: 2026-04-05 17:22:33 UTC\r\nTo hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. For example, to hide their activity in Windows systems, cybercriminals can use kernel-level rootkits, in particular malicious drivers. However, in the latest versions of Windows, kernel-mode drivers are loaded only if digitally signed by Microsoft. Attackers get round this protection mechanism by using legitimate drivers that have the right signature, but contain vulnerable functions that allow malicious actions in the context of the kernel. Monitoring tools track the installation of such drivers and check applications that perform it. But what if a security solution performs unsafe activity? Such software enjoys the trust of monitoring tools and doesn’t raise suspicions. And that’s precisely what ToddyCat attackers exploited by running their tool in the context of a security solution.\r\nDetection\r\nIn early 2024, while investigating ToddyCat-related incidents, we detected a suspicious file named version.dll in the temp directory on multiple devices.\r\nThis 64-bit DLL, written in C++, turned out to be a complex tool called TCESB. Previously unseen in ToddyCat attacks, it is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device.\r\nKaspersky products detect this tool as Trojan.Win64.ToddyCat.a, Trojan.Win64.ToddyCat.b.\r\nDLL proxying\r\nStatic analysis of the DLL library showed that all functions exported by it import functions with the same names from the system file version.dll (Version Checking and File Installation Libraries).\r\nhttps://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/\r\nPage 1 of 9\r\nList of functions exported by TCESB\r\nThis indicates that the attackers use a DLL-proxying technique (Hijack Execution Flow, T1574) to run the malicious code. By means of this technique, a malicious DLL exports all functions of a legitimate one, but instead of implementing them, redirects calls to these functions to the original DLL. This way, an application that loads the malicious library will continue to work as normal, with the malicious code running in the context of this application in the background.\r\nSchematic of DLL proxying\r\nHowever, this is not enough to launch malware. For a malicious DLL to be able to take control, the application that loads it must contain insecure code. Such code searches for loaded dynamic library images in folders where they should not be located. If one of these folders contains a malicious library, the vulnerable application will load it instead of the legitimate one. Microsoft has an official advisory on preventing unsafe DLL loading.\r\nCVE-2024-11859 vulnerability in ESET Command line scanner\r\nIt took us a while to find the file that loads the TCESB tool. We studied the system directories on devices where the malicious DLLs were found. On one of these, in the same folder as TCESB, there was an extensionless executable file named ecls. We believe that the operator, when transferring files to the device, made a mistake in the filename and moved two copies of it. After performing malicious activity, the file with the extension was deleted, while the other one remained in the system. This file turned out to be a component of ESET’s EPP solution – a scanner launched from the command line (ESET Command line scanner). Dynamic analysis showed that the scanner insecurely loads the system library version.dll, first checking for the file in the current directory, then searching for it in the system directories. This can result in a malicious DLL library being loaded, which constitutes a vulnerability. We compiled a report with a detailed description of it, and sent it to ESET as part of the Coordinated Vulnerability Disclosure process. ESET registered the CVE-2024-11859 vulnerability, then on January 21, 2025 released an update for the ecls file patching the security issue. On April 4, information about this vulnerability appeared in an ESET security advisory.\r\nTo analyze TCESB, we ran it in a virtual environment. In the address space of the ESET Command-line scanner process, we can see two version.dll files. One is the system library, the other is the DLL of the TCESB tool.\r\nMalicious and legitimate libraries in the memory of the ecls.exe process\r\nBasic functionality\r\nTo determine the main functions of the malicious tool, we examined the strings located in its DLL.\r\nSnippet of the list of strings that TCESB contains\r\nThe strings are not obfuscated. The search shows that most of them belong to the open-source malicious tool EDRSandBlast, designed to bypass security solutions. Kaspersky solutions detect it with the verdict HEUR:HackTool.Win64.EDRSandblast.a. ToddyCat created the TCESB DLL on its basis, modifying the original code to extend the malware’s functionality. The resulting tool’s capabilities include modifying operating system kernel structures to disable notification routines, for example, about a process creation event in the system or a load event.\r\nSearching for addresses in the kernel memory\r\nTo find the structures in the kernel memory needed to disable notification routines, TCESB determines the version of the Windows kernel in the context of which it is running. To do this, it uses the GetNtoskrnlVersion() function.\r\nFunction for getting the Windows kernel version implemented in TCESB\r\nNext, to get information about the memory offsets of the structures corresponding to the operating system kernel version, TCESB uses one of two data sources: a CSV or PDB file.\r\nFirst, the tool checks the CSV file contained in its own resources section. Stored there in table form is information about several popular kernel versions and their corresponding offsets.\r\nTCESB searches this file line by line for a match with the previously obtained version of the current Windows kernel.\r\nSnippet of the function for getting and reading a CSV file from TCESB resources\r\nWe studied the CSV file in the EDRSandBlast repository and its change history. The contents of the TCESB CSV fully match the CSV data in the EDRSandBlast version of August 13, 2022, while the original malware commit of October 6, 2023 adds lines that are missing in the TCESB resource. This indicates a time period during which the creators of TCESB used the EDRSandBlast code.\r\nIf the CSV file does not contain data on structures corresponding to the required kernel version, TCESB reads their addresses from the PDB file. To get it, the malware accesses the file C:\\Windows\\System32\\ntoskrnl.exe, which contains information about the kernel file version, and inserts the data from this file into the following template, generating a URL:\r\nhttps://msdl.microsoft.com/download/symbols/%s/%08X%04hX%04hX%016llX%X/%s\r\nThis is the address of Microsoft debug information server, where TCESB sends a GET request to download the PDB file. The received file is saved in the current TCESB directory, and data on the offsets of the required kernel memory structures are read from it.\r\nVulnerable driver\r\nTo modify the kernel structures that store callbacks used to notify applications of system events, TCESB deploys the Bring Your Own Vulnerable Driver (BYOVD) technique (Exploitation for Defense Evasion, T1211). It does this by installing a vulnerable driver in the system through the Device Manager interface, using an INF file with installation information.\r\nSnippet of decompiled code for installing the TCESB driver\r\nTCESB uses the Dell DBUtilDrv2.sys driver, which contains the CVE-2021-36276 vulnerability. This is a utility driver used to update PC drivers, BIOS and firmware.\r\nLaunching the payload\r\nOnce the vulnerable driver is installed in the system, TCESB runs a loop in which it checks every two seconds for the presence of a payload file with a specific name in the current directory – the payload may not be present at the time of launching the tool. Presumably, this is to allow the operator to verify that the tool was run without errors, so that the payload file can be moved without risk of detection. As soon as the file appears in the path being checked, it is passed to the decryption function.\r\nSnippet of decompiled TCESB code\r\nThe tool creates its own log file for recording all stages of execution in detail.\r\nExample of log file contents\r\nWe studied two samples of the TCESB tool. Although we were unable to obtain the payload files, our research shows that they have different names (kesp and ecore) and both are extensionless.\r\nOur analysis of the tool code found that the data in the payload file is encrypted using AES-128.\r\nSnippet of code for determining the encryption algorithm\r\nThe decryption key is in the first 32 bytes of the payload file, followed by the encrypted data block. Below is a snippet of code for reading the key:\r\nSnippet of code for reading the key from the payload file\r\nThe key decrypts the data block:\r\nSnippet of code for reading and decrypting the payload file\r\nThe read data is placed in memory and executed.\r\nTakeaways\r\nWe discovered a sophisticated tool that the ToddyCat APT group tried to use for stealth execution in compromised systems. This tool exploits a chain of vulnerabilities, as well as an old version of a known open-source malware that the attackers modified to extend its functionality.\r\nSchematic of tool operation\r\nTo detect the activity of such tools, it’s recommended to monitor systems for installation events involving drivers with known vulnerabilities. Lists of such drivers can be found on the loldrivers project website, for example. It’s also worth monitoring events associated with loading Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected. We also advise using operating system tools to check all loaded system library files for the presence of a digital signature.\r\nIndicators of compromise\r\nMalicious Files Hashes\r\nD38E3830C8BA3A00794EF3077942AD96       version.dll\r\n008F506013456EA5151DF779D3E3FF0F       version.dll\r\nLegitimate file for DLL proxying\r\n8795271F02B30980EBD9950FCC141304       ESET Command-line scanner\r\nLegitimate files for BYOVD\r\nB87944DCC444E4C6CE9BB9FB8A9C0DEF       dbutildrv2.INF\r\nDE39EE41D03C97E37849AF90E408ABBE       DBUtilDrv2.cat\r\nDACB62578B3EA191EA37486D15F4F83C       dbutildrv2.sys\r\nSource: https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/"
	],
	"report_names": [
		"116086"
	],
	"threat_actors": [
		{
			"id": "d67df52c-a901-4d55-b287-321818500789",
			"created_at": "2024-04-24T02:00:49.591518Z",
			"updated_at": "2026-04-10T02:00:05.314272Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"ToddyCat"
			],
			"source_name": "MITRE:ToddyCat",
			"tools": [
				"Cobalt Strike",
				"LoFiSe",
				"China Chopper",
				"netstat",
				"Pcexter",
				"Samurai"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5",
			"created_at": "2022-10-25T16:07:24.329539Z",
			"updated_at": "2026-04-10T02:00:04.939013Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Operation Stayin’ Alive",
				"Storm-0247"
			],
			"source_name": "ETDA:ToddyCat",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Cuthead",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"Krong",
				"LoFiSe",
				"Ngrok",
				"PcExter",
				"PsExec",
				"SIMPOBOXSPY",
				"Samurai",
				"SinoChopper",
				"SoftEther VPN",
				"TomBerBil",
				"WAExp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fefe53dbacda88651b2a5a3a84ca4802aeb1b595.pdf",
		"text": "https://archive.orkl.eu/fefe53dbacda88651b2a5a3a84ca4802aeb1b595.txt",
		"img": "https://archive.orkl.eu/fefe53dbacda88651b2a5a3a84ca4802aeb1b595.jpg"
	}
}