West Houston, TX

Impress IT Solutions, a leading cybersecurity and IT support provider in West Houston, is urging businesses to stay alert after the discovery of a dangerous new malware campaign. A previously unknown threat called TCESB malware is being deployed in active attacks by a sophisticated hacking group exploiting a vulnerability in ESET’s Command Line Scanner, a widely used security tool.

“This attack shows how even trusted security tools can become part of a threat actor’s delivery mechanism,” said a cybersecurity specialist from Impress IT Solutions. “It’s a reminder that businesses need layered security and expert guidance, not just antivirus software.”

What Is TCESB Malware and Why Should West Houston Businesses Care?

TCESB is a new malware strain linked to the Chinese-affiliated threat group ToddyCat, known for stealthy and persistent cyberattacks across Asia since at least 2020. The malware is specially crafted to bypass protection tools, evade detection, and execute hidden payloads—and it’s doing so by exploiting a flaw in ESET’s software.

The attack relies on a technique called DLL Search Order Hijacking: a malicious DLL is given the name of a normally safe Windows library, version.dll, and placed where the scanner will find it before the legitimate copy. The vulnerability, now tracked as CVE-2024-11859, was quietly fixed by ESET in January 2025, but thousands of systems may still be unpatched.

“This flaw allowed attackers with admin access to load a malicious DLL instead of the legitimate Microsoft one,” explained the Impress team. “Once the malware is inside, it can silently alter system behavior, disable protections, and wait for follow-up payloads to appear.”

How the Attack Works

Impress IT Solutions broke down the process for local companies:

  1. Initial Access – The attacker must already have admin rights on a system (often obtained through phishing or another exploit).
  2. Hijacking ESET Tools – They plant a fake version.dll in a temporary directory, which ESET’s scanner unknowingly loads.
  3. Malware Execution – The planted DLL triggers TCESB, which disables system protections using kernel manipulation and loads hidden payloads.

One of the most concerning aspects is that TCESB uses a technique known as Bring Your Own Vulnerable Driver (BYOVD)—installing an old, exploitable Dell driver (DBUtilDrv2.sys) to gain deeper access and disable security monitoring tools.

This tactic has been abused before, including by North Korean groups, and it allows attackers to gain elevated privileges without triggering standard alarms.

Impress IT’s Advice for West Houston Organizations

Even though ESET has patched the vulnerability, many businesses remain at risk if updates haven’t been applied. Impress IT Solutions recommends:

  • Immediate patching of ESET and all security software across endpoints.
  • Monitoring for suspicious DLL activity, especially in temporary directories.
  • Review of driver installation logs, checking for outdated or vulnerable drivers.
  • System-wide malware and integrity scans, especially in developer and admin workstations.
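One way to carry out the second and third checks on a Windows endpoint, as an added example that is not part of the original article (the scan roots, the signer check, and the use of the System log's service-install event are assumptions, not guidance from the page):

```powershell
# Added defender check (not the article's own code): find copies of version.dll outside the
# Windows system directories, and look for the Dell DBUtilDrv2.sys driver named on the page.
# The scan roots below are an assumption; adjust them for your environment.
$scanRoots = @($env:TEMP, "$env:SystemRoot\Temp", "$env:ProgramData", "$env:USERPROFILE\Downloads")

function Find-StrayVersionDll {
    param([string[]]$Roots)
    $findings = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter 'version.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The legitimate version.dll lives in System32/SysWOW64 and carries a Microsoft signature;
            # any copy elsewhere, or with a missing/invalid signature, deserves a closer look.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $findings += [pscustomobject]@{
                Path      = $_.FullName
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                Created   = $_.CreationTime
            }
        }
    }
    return $findings
}

function Find-DbUtilDriver {
    # Currently registered kernel drivers whose image is DBUtilDrv2.sys (running or stopped).
    $registered = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -match 'DBUtilDrv2\.sys' } |
        Select-Object Name, State, PathName
    # Service Control Manager logs new service/driver installs as event 7045 in the System log;
    # a hit here shows when the driver was first introduced, even if it was removed later.
    $installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DBUtilDrv2' } |
        Select-Object TimeCreated, Message
    return [pscustomobject]@{ Registered = $registered; InstallEvents = $installs }
}

$dlls = Find-StrayVersionDll -Roots $scanRoots
if ($dlls) { $dlls | Format-Table -AutoSize } else { 'No version.dll found under the scanned roots.' }

$drv = Find-DbUtilDriver
if ($drv.Registered) { $drv.Registered | Format-Table -AutoSize } else { 'DBUtilDrv2.sys is not a registered driver.' }
if ($drv.InstallEvents) { $drv.InstallEvents | Format-List } else { 'No 7045 install events mention DBUtilDrv2.' }
```

Run it from an elevated PowerShell session so the System log and driver list are fully readable; a stray version.dll or any DBUtilDrv2.sys hit is a lead for the incident-response steps above, not proof of compromise on its own.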

“Local companies often think of antivirus as a silver bullet,” the Impress team noted, “but hackers now use that same software as an attack vector. That’s why expert cybersecurity monitoring is crucial.”

Defend Against Evolving Malware with Impress IT Solutions

Impress IT Solutions offers tailored cybersecurity services for West Houston businesses, including:

  • Patch and vulnerability management
  • Endpoint detection and response (EDR)
  • Threat intelligence monitoring
  • Incident response and forensic analysis
  • Staff training and phishing simulations

If you’re unsure whether your systems are vulnerable—or just want peace of mind—Impress IT Solutions offers complimentary assessments for local businesses.
