A newly identified vulnerability in ESET’s security software has been used to distribute malware in a targeted cyber campaign, according to The Record. Tracked as CVE-2024-11859, the flaw enables attackers to load a malicious dynamic-link library (DLL) through the ESET antivirus scanner. This allows malware to run in the background without triggering system alerts, remaining undetected on the affected devices. The campaign has been linked to a threat group known for targeting government and military systems.
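The mechanism described above (a trusted, privileged scanner process loading a DLL that the attacker controls) is a DLL side-loading issue, and the defensive check a practitioner would want is an inventory of which DLLs in the product's install tree are not validly signed by the expected publisher. The PowerShell below is an added example, not code from the article, from ESET or from the researchers who reported the flaw; the install directory and the publisher-name fragment are assumptions and should be set to match the deployment being audited.

```powershell
# Added example: flag DLLs under a product's install tree whose Authenticode
# signature is missing, broken, or from an unexpected signer. Run as an
# administrator so every file can be read. The defaults below are assumptions,
# not values taken from the article.
param(
    [string]$InstallDir = "$env:ProgramFiles\ESET",   # assumed install location
    [string]$ExpectedSubjectPattern = "ESET"          # assumed fragment of the signer's subject
)

Get-ChildItem -Path $InstallDir -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer  = $subject
            # Anything not Valid, or signed by someone other than the expected publisher, is worth a look
            Suspect = ($sig.Status -ne 'Valid') -or ($subject -notmatch $ExpectedSubjectPattern)
        }
    } |
    Where-Object Suspect |
    Sort-Object Path |
    Format-Table -AutoSize Path, Status, Signer
```

An empty result means every DLL in the tree carries a valid signature from the expected publisher. The check is only as good as its scope: a side-loaded DLL is placed wherever the loader looks before the intended copy, so the same signature review should be applied to any other directory on the process's DLL search path that a non-administrator can write to, and a file-integrity or EDR rule that alerts on new DLLs appearing in those locations catches the planting step itself rather than the aftermath.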
ESET confirmed the presence of the flaw, rated as medium in severity with a CVSS score of 6.8, and issued a fix. Users were advised to update their systems to mitigate potential risks. While there is no evidence that the vulnerability has been actively exploited, investigations continue into how the flaw may have been used to deploy malware across different networks.
As part of the attack, a tool called TCDSB was disguised as a legitimate DLL file and deployed on victim systems. The tool appears to be a modified version of a known malware family designed to evade detection. It is capable of disabling key operating system components and suppressing security alerts, allowing the malware to function without drawing attention. TCDSB was found on multiple devices, though the full scope of the impact has not been disclosed.
The group behind the campaign has previously targeted digital infrastructure and government services across various regions, including Europe and Asia. Their operations often involve exfiltrating data through redundant tunneling methods, ensuring continued access even if one technique fails. While administrator privileges were required for this specific exploit, the approach reflects a broader trend of using advanced persistence and evasion tactics.