Bypass Record

DLL Side-Loading × ESET Endpoint Protection (Command Line Scanner ecls.exe)

A publicly-reported instance of DLL Side-Loading bypassing ESET Endpoint Protection (Command Line Scanner ecls.exe), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
ESET Endpoint Protection (Command Line Scanner ecls.exe)
Technique
DLL Side-Loading
MITRE ATT&CK
T1574.002
Confidence
High
Severity
Critical
Status
in the wild
Disclosed
2025-04-07
Config / version noted
Not stated

Provenance

Reported as

ToddyCat APT group exploited CVE-2024-11859, a DLL sideloading vulnerability in ESET's command-line scanner (ecls.exe)

Mechanism

Attackers placed a malicious version.dll next to ESET's ecls.exe. Because the scanner resolved version.dll from its current working directory before the Windows system directory (CVE-2024-11859), the planted copy was loaded instead of the legitimate one. The malicious DLL forwards the legitimate version.dll exports to the real library, so the scanner keeps working, while its entry point executes the TCESB loader. TCESB then loads a vulnerable Dell driver (CVE-2021-36276) via BYOVD to patch kernel structures and remove process-creation notification callbacks, so the subsequent payload starts without being reported to security tooling.

Detection & mitigation

Monitor image-load telemetry (for example Sysmon Event ID 7) for ecls.exe loading version.dll from any directory other than the Windows system directories, and treat an unsigned or non-Microsoft version.dll as a high-confidence indicator. Deploy WDAC or the Microsoft vulnerable driver blocklist to prevent loading of known vulnerable drivers such as Dell's DBUtilDrv2.sys, and alert on driver loads (Sysmon Event ID 6) that match it. Audit and restrict the DLL search paths of security tools, including the working directory they are launched from.
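The detection notes above, turned into runnable logic as an added example. This code is not from the cited report or from ESET; it replays the rules over constructed Sysmon-style events (field names follow Sysmon's ImageLoad, Event ID 7, and DriverLoad, Event ID 6, schemas; the events, the ESET install path and the trusted-directory list are assumptions for the demonstration).

```python
"""Added example: flag ecls.exe side-loading version.dll and BYOVD driver loads
over Sysmon-style events. Sample events are constructed, not captured."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories a legitimate version.dll is expected to load from.
# Assumption: default 64-bit Windows install with SystemRoot C:\Windows.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Vulnerable driver named in the record. Production blocklists key on hashes
# and signers; file-name matching is a demonstration shortcut.
VULNERABLE_DRIVER_NAMES = {"dbutildrv2.sys"}

# Signer string Sysmon reports for Microsoft-signed OS binaries (assumption).
MICROSOFT_SIGNER = "microsoft windows"


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def check_image_load(ev: dict) -> Finding | None:
    """Sysmon Event ID 7: ecls.exe loading version.dll from outside the
    system directories, or a copy that is not Microsoft-signed."""
    if ntpath.basename(_norm(ev.get("Image", ""))) != "ecls.exe":
        return None
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(_norm(loaded)) != "version.dll":
        return None
    untrusted_dir = ntpath.dirname(_norm(loaded)) not in TRUSTED_DLL_DIRS
    bad_signer = (not ev.get("Signed", False)
                  or ev.get("Signature", "").lower() != MICROSOFT_SIGNER)
    if untrusted_dir or bad_signer:
        return Finding("ecls-version-dll-sideload", 7,
                       f"ecls.exe loaded {loaded} (signer={ev.get('Signature')})")
    return None


def check_driver_load(ev: dict) -> Finding | None:
    """Sysmon Event ID 6: a known-vulnerable driver was loaded into the kernel."""
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(_norm(loaded)) in VULNERABLE_DRIVER_NAMES:
        return Finding("vulnerable-driver-load", 6, f"driver load {loaded}")
    return None


def scan(events: list[dict]) -> list[Finding]:
    """Run the rule for each event's ID; unknown IDs are ignored."""
    rules = {7: check_image_load, 6: check_driver_load}
    findings = []
    for ev in events:
        rule = rules.get(ev.get("EventID"))
        finding = rule(ev) if rule else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (paths and signer strings are assumptions).
ESET_EXE = r"C:\Program Files\ESET\ESET Security\ecls.exe"
SAMPLE_EVENTS = [
    # Benign: scanner pulls the OS copy of version.dll.
    {"EventID": 7, "Image": ESET_EXE,
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": True, "Signature": "Microsoft Windows"},
    # Side-load: scanner launched from a staging folder holding a fake version.dll.
    {"EventID": 7, "Image": r"C:\Users\Public\stage\ecls.exe",
     "ImageLoaded": r"C:\Users\Public\stage\version.dll",
     "Signed": False, "Signature": ""},
    # Another process loading version.dll is outside this rule's scope.
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": True, "Signature": "Microsoft Windows"},
    # BYOVD: the vulnerable Dell driver dropped to a temp path and loaded.
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\DBUtilDrv2.sys",
     "Signed": True, "Signature": "Dell Inc."},
    # Ordinary driver load.
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": True, "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The image-load rule deliberately fires on either condition (untrusted directory or non-Microsoft signer), since a hijacked copy could also be dropped into a writable location that an over-broad trusted list happens to cover; tighten `TRUSTED_DLL_DIRS` and replace the driver name set with hash matching before using this in production.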

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.