Fudmodule rootkit

Aliases

LIGHTSHOW

Tags

Rootkit

Techniques

Bring Your Own Vulnerable Driver Direct Kernel object manipulation

References

https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodulehttps://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/https://thehackernews.com/2024/08/north-korean-hackers-deploy-fudmodule.html

Last edited

Feb 19, 2025 2:50 PM

FudModule is a user-mode DLL rootkit associated with the North Korean threat actor group known as Lazarus Group. It gains the ability to read and write arbitrary kernel memory via the Bring Your Own Vulnerable Driver (BYOVD) technique, allowing it to disable Windows system monitoring features by modifying kernel variables and removing kernel callbacks. This effectively blinds security solutions, including Endpoint Detection and Response (EDR) systems, firewalls, and antivirus software. FudModule has been deployed in attacks exploiting zero-day vulnerabilities, such as CVE-2024-21338 and CVE-2024-38193, to escalate privileges and execute kernel-level code.