Aliases: LIGHTSHOW
Tags: Rootkit
References:
Last edited: Feb 19, 2025 2:50 PM
FudModule is a user-mode DLL rootkit associated with the North Korean threat actor group known as Lazarus Group. It gains the ability to read and write arbitrary kernel memory via the Bring Your Own Vulnerable Driver (BYOVD) technique, allowing it to disable Windows system monitoring features by modifying kernel variables and removing kernel callbacks. This effectively blinds security solutions, including Endpoint Detection and Response (EDR) systems, firewalls, and antivirus software. FudModule has been deployed in attacks exploiting zero-day vulnerabilities, such as CVE-2024-21338 and CVE-2024-38193, to escalate privileges and execute kernel-level code.