Security News > 2024 > February > Lazarus hackers exploited Windows zero-day to gain Kernel privileges
North Korean threat actors known as the Lazarus Group exploited a flaw in the Windows AppLocker driver as a zero-day to gain kernel-level access and turn off security tools, allowing them to bypass noisy BYOVD techniques.
Avast reports that Lazarus exploited CVE-2024-21338 to create a read/write kernel primitive in an updated version of its FudModule rootkit, which ESET first documented in late 2022.
Sys driver to call an arbitrary pointer, tricking the kernel into executing unsafe code, thus bypassing security checks.
The FudModule rootkit, built within the same module as the exploit, executes direct kernel object manipulation operations to turn off security products, hide malicious activities, and maintain persistence on the breached system.
The targeted security products are AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.
The only effective security measure is to apply the February 2024 Patch Tuesday updates as soon as possible, as Lazarus' exploitation of a Windows built-in driver makes the attack particularly challenging to detect and stop.
News URL
Related news
- EncryptHub linked to MMC zero-day attacks on Windows systems (source)
- New Windows zero-day leaks NTLM hashes, gets unofficial patch (source)
- EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware (source)
- Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication (source)
- Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws (source)
- Microsoft: Windows CLFS zero-day exploited by ransomware gang (source)
- Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824) (source)
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)
- Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach (source)
- Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-13 | CVE-2024-21338 | Unspecified vulnerability in Microsoft products Windows Kernel Elevation of Privilege Vulnerability | 0.0 |