FudModule

FudModule is a sophisticated Windows rootkit associated with North Korean threat activity, particularly Lazarus Group and the espionage-focused Labyrinth Chollima cluster; reporting also notes use by Golden Chollima and links to Citrine Sleet and Diamond Sleet, indicating shared DPRK tooling. Public reporting places its emergence by at least 2022, with earlier variants analyzed by ESET and AhnLab as using BYOVD techniques against vulnerable drivers such as dbutil_2_3.sys and ene.sys, and later variants evolving beyond BYOVD to admin-to-kernel or Local Service-to-kernel zero-day exploitation.

Its core purpose is to obtain kernel-level access on Windows while evading detection. Reported capabilities include establishing kernel read/write primitives, performing direct kernel object manipulation (DKOM), and conducting direct kernel manipulation from user space in so-called data-only rootkit variants. Avast reported an updated variant deployed after exploitation of CVE-2024-21338 in appid.sys, where Lazarus obtained a kernel read/write primitive and used FudModule to manipulate kernel structures. Reported stealth and defense-evasion behaviors include disabling multiple kernel callback mechanisms, ETW tampering, zeroing EtwpActiveSystemLoggers, disabling selected ETW providers from a hardcoded list, interfering with minifilters and WFP callouts, manipulating handle table entries, suspending protected security processes, and removing PPL protection from AhnLab V3’s asdsvc.exe. Specific targeted security products/processes mentioned in reporting include Microsoft Defender (MsSense.exe, MsMpEng.exe), CrowdStrike Falcon (CSFalconService.exe), HitmanPro (hmpalert.exe), and AhnLab V3.

The malware has been observed in exploit chains using multiple zero-days. Content directly links FudModule to exploitation of vulnerable drivers, Chrome/Chromium, and Windows vulnerabilities. Reported vulnerabilities associated with FudModule operations include CVE-2024-21338, CVE-2024-38106, and references to CVE-2024-38193. Microsoft reported that in August 2024 a North Korean actor attributed with medium confidence to Citrine Sleet exploited Chromium CVE-2024-7971, then used CVE-2024-38106 for a Windows sandbox escape, and finally deployed FudModule in memory for kernel-level access. Avast separately documented Lazarus using CVE-2024-21338 to deploy an updated FudModule variant. Prior attack chains also reportedly used Kaolin RAT to load FudModule.

Targeting described in the supporting content includes Windows-based systems, with broader victimology tied to DPRK operations against defense, aerospace, manufacturing, logistics, shipping, financial institutions, and cryptocurrency organizations. Labyrinth Chollima reporting specifically associates FudModule with espionage operations and notes direct kernel manipulation for stealth. Microsoft states Citrine Sleet targets financial institutions and cryptocurrency organizations, while CrowdStrike reporting ties FudModule to the core Labyrinth Chollima espionage unit and notes shared access to the tool across DPRK clusters.

High-confidence indicators directly mentioned in the content include domains voyagorclub[.]space and weinsteinfrog[.]com from a Microsoft-described 2024 exploitation chain, and sample hashes referenced in source collections related to Lazarus/FudModule activity: cbd1634cf7c638f2faf5e3ec79137db6704ec9de8df798fc46aeeed38de3da9b, 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5, 381d3ba5fd446e53f1c71f05a2b97124382146b4c7f28884174334db7b347219, 4b1cba57928e02665be444a51937228c4d7315ff5e08c13a03bd7c77eebdcf5e, and d9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb8bfdcdc58294eeaca.