The advanced persistent threat group ToddyCat has exploited a medium-severity vulnerability in ESET's antivirus scanner, tracked as CVE-2024-11859, to carry out covert malware compromises, according to The Record, a news site run by cybersecurity firm Recorded Future.

ToddyCat leveraged the flaw to load TCDSB, a new tool based on EDRSandBlast that masquerades as a legitimate DLL, into ESET security software so that its payload could execute without being detected by security and monitoring systems, a Kaspersky report showed. Kaspersky researchers noted that TCDSB's code had potentially been altered to let it modify operating system components and deactivate system alerts. However, ESET, which addressed the vulnerability in an update last week, denied that the security issue had been actively exploited. The development follows Kaspersky's report that ToddyCat, whose origin remains uncertain, targeted Asia-Pacific government organizations in a massive data exfiltration campaign that involved breaching VPN and cloud service providers.
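The defensive check a practitioner would want after reading this is an audit of which DLLs a trusted security product has actually loaded and whether each one is where it should be and signed by whom it should be. The example below is added here and is not code from the page, from Kaspersky, or from ESET; it does not reproduce the specific CVE-2024-11859 mechanism, which the page does not describe. It assumes the general DLL-masquerading pattern: a library carrying the name of a Windows system DLL but living outside the system directories, or a library in the product's folder that is unsigned or signed by an unexpected publisher. The module list, signer names and the `ExampleAV` path are constructed sample data; on a real host the list would come from the process's module enumeration and the signer from an Authenticode check.

```python
"""Audit a process's loaded modules for DLL masquerading (added example, constructed data)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Set, Tuple

# Hypothetical subset of DLL names that should only ever load from the Windows
# system directories; a real audit would use a much fuller list.
SYSTEM_DLL_NAMES = {"kernel32.dll", "user32.dll", "advapi32.dll", "wtsapi32.dll", "dbghelp.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class LoadedModule:
    path: str                # full path as reported by the process (constructed here)
    signer: Optional[str]    # Authenticode signer subject, or None if unsigned


def _under_system_dir(path: str) -> bool:
    """True if the path sits inside one of the Windows system directories."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def audit_modules(modules: Iterable[LoadedModule],
                  expected_signers: Set[str]) -> List[Tuple[str, str]]:
    """Return (finding, path) pairs for modules that look like DLL masquerading.

    Three independent checks per module:
      * a system DLL name loaded from somewhere other than a system directory
      * an unsigned module
      * a module signed by a publisher outside the expected set
    """
    findings: List[Tuple[str, str]] = []
    for m in modules:
        name = PureWindowsPath(m.path).name.lower()
        if name in SYSTEM_DLL_NAMES and not _under_system_dir(m.path):
            findings.append(("system-dll-outside-system-dir", m.path))
        if m.signer is None:
            findings.append(("unsigned", m.path))
        elif m.signer not in expected_signers:
            findings.append(("unexpected-signer", m.path))
    return findings


# Constructed module list for a hypothetical security product process.
SAMPLE_MODULES = [
    LoadedModule(r"C:\Program Files\ExampleAV\scanner.exe", "Example AV Vendor"),
    LoadedModule(r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    # Constructed masquerade: system DLL name planted in the product directory, unsigned.
    LoadedModule(r"C:\Program Files\ExampleAV\wtsapi32.dll", None),
    # Constructed oddity: signed, but not by a publisher we expect in this process.
    LoadedModule(r"C:\Program Files\ExampleAV\helper.dll", "Some Other Publisher"),
]
EXPECTED_SIGNERS = {"Example AV Vendor", "Microsoft Windows"}


if __name__ == "__main__":
    for finding, path in audit_modules(SAMPLE_MODULES, EXPECTED_SIGNERS):
        print(f"{finding:32} {path}")
```

The three checks are deliberately independent so that a planted library is flagged even when the attacker manages to satisfy one of them (for instance by using a name that is not on the system-DLL list). On Windows the signer field would be populated with `Get-AuthenticodeSignature` in PowerShell or `signtool verify`, and the module list from the process's module enumeration; feeding that data into `audit_modules` unchanged is the intended use.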