Connect with us

Hi, what are you looking for?


Malware & Threats

Windows Zero-Day Exploited by North Korean Hackers in Rootkit Attack

North Korean group Lazarus exploited AppLocker driver zero-day CVE-2024-21338 for privilege escalation in attacks involving FudModule rootkit.

CVE-2024-21338 zero-day exploited by North Korea

The notorious North Korean threat group known as Lazarus exploited a Windows zero-day vulnerability for privilege escalation in attacks involving a rootkit named FudModule, according to cybersecurity firm Avast.

The vulnerability is tracked as CVE-2024-21338 and it was observed by Avast in Lazarus attacks last year. The security company developed a proof-of-concept (PoC) exploit and sent it to Microsoft in August 2023. 

The flaw was patched by Microsoft with the company’s February 2024 Patch Tuesday updates, but the initial advisory for CVE-2024-21338 did not list it as a zero-day. 

The tech giant updated its advisory on Wednesday to inform customers that exploitation of the vulnerability has been detected. 

A blog post published by Avast on Wednesday provides a detailed technical description of the vulnerability and how it has been exploited by Lazarus. 

The vulnerability impacts the ‘appid.sys’ driver associated with Microsoft’s AppLocker security feature. By targeting a vulnerability in a driver that is present on many systems — rather than using a bring your own vulnerable driver (BYOVD) approach — the attacker benefits from a higher degree of stealth. 

“By exploiting such a vulnerability, the attacker is in a sense living off the land with no need to bring, drop, or load any custom drivers, making it possible for a kernel attack to be truly fileless. This not only evades most detection mechanisms but also enables the attack on systems where driver allowlisting is in place,” Avast explained.

By exploiting CVE-2024-21338, Lazarus hackers were able to elevate their privileges on the compromised system and establish a kernel read/write primitive. This enabled them to perform direct kernel object manipulation in an updated version of the FudModule rootkit, which came to light in 2022. 

Advertisement. Scroll to continue reading.

The new variant of the rootkit includes several improvements, including to make the malware more stealthy and to attempt to disable the AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro security software. 

The Lazarus attack observed by Avast also involved the use of a new remote access trojan (RAT), which the company will detail at a later time. 

It’s not uncommon for North Korean hackers to exploit zero-day vulnerabilities in their attacks.

Related: Microsoft Warns of Exploited Exchange Server Zero-Day

Related: Windows Zero-Day Exploited in Attacks on Financial Market Traders

Related: Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.