ClickCease Lazarus Hacker Group Actively Exploiting Windows Kernel Flaw

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Lazarus Hacker Group Actively Exploiting Windows Kernel Flaw

Wajahat Raja

March 11, 2024 - TuxCare expert team

The cybersecurity world is abuzz with the revelation of Lazarus Group’s exploitation of a critical vulnerability in Windows Kernel. The Windows Kernel flaw, targeting CVE-2024-21338, has raised concerns due to its potential to grant attackers kernel-level access and disable security software, posing a significant threat to system integrity.


Origin and Evolution of the Windows Security Flaws

The vulnerability can be traced back to Windows 10 version 1703 (RS2/15063), which stemmed from the implementation of the 0x22A018 IOCTL handler. Its discovery and exploitation highlight the persistent challenges faced by software developers in fortifying against evolving
cybersecurity threats.

Cybersecurity vendor Avast uncovered an in-the-wild admin-to-kernel exploit for CVE-2024-21338, attributing it to the Lazarus Group. This exploit enabled the group to achieve a kernel read/write primitive, facilitating direct manipulation of kernel objects and the deployment of the FudModule rootkit.

The Lazarus hackers leveraged CVE-2024-21338 to exploit appid.sys, a crucial driver associated with Windows AppLocker. By bypassing security checks, the group executes arbitrary code, effectively evading detection mechanisms and running the FudModule rootkit with impunity.


Windows Kernel Flaw Privilege Escalation

The Lazarus Group, renowned for its sophisticated cyber operations, seized upon a recently patched privilege escalation flaw within the Windows Kernel as a
zero-day exploit. This flaw, CVE-2024-21338, carries a CVSS score of 7.8, indicating its severity and potential impact on affected systems.

This vulnerability, now infamous in cybersecurity circles, enables attackers to attain SYSTEM privileges by exploiting a vulnerability in the Windows Kernel. Microsoft addressed this vulnerability in its recent Windows security updates, underscoring the urgency of applying patches promptly to mitigate risks.

To exploit CVE-2024-21338, an attacker must first gain access to the targeted system. Subsequently, they can execute a specially crafted application designed to exploit the vulnerability, paving the way for unauthorized access and control of the compromised system.

Kernel-Level Access and Heightened Risk Assessment


When exploited, the Windows Kernel flaw grants attackers kernel-level access, a coveted privilege that enables them to manipulate system resources and execute arbitrary code. This elevated access facilitates the disabling of security software, exacerbating the threat landscape for affected users.

Initially categorized as not actively exploited, Microsoft revised its assessment of CVE-2024-21338 to “Exploitation Detected,” indicating a shift in the threat landscape. This heightened risk assessment underscores the urgency of addressing cybersecurity vulnerabilities to preempt potential attacks.

Lazarus Group Attacks, Evasion Techniques, and Targeted Software


In addition to disabling system loggers, the FudModule rootkit is adept at circumventing specific security software, including AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus. These evasion tactics enhance the stealth and persistence of the malware.

The Lazarus APT group‘s exploits exemplify the technical sophistication and cross-platform focus of North Korean hacking groups. These adversaries continuously refine their arsenal, leveraging advanced techniques to evade detection and perpetrate global cyber espionage operations.

Recent intelligence advisories have underscored the persistent threat posed by Lazarus and similar advanced persistent threat (APT) actors. Their tactics, ranging from targeting defense sectors to infiltrating judicial systems, highlight the breadth and versatility of their operations.

Heightened Vigilance and Mitigation Strategies


In light of this cybersecurity news, organizations and individuals are urged to remain vigilant and implement robust mitigation strategies. Timely applying Windows security patches, proactive threat intelligence, and user awareness training are essential components of a comprehensive cybersecurity posture.


The exploitation of CVE-2024-21338 by the Lazarus Group underscores the evolving nature of cyber threats and the importance of
proactive cybersecurity measures. As adversaries continue to innovate and adapt, it is imperative for stakeholders to collaborate, share intelligence, and fortify defenses to safeguard against emerging threats like the Lazarus Group cyberattacks. Only through collective effort and unwavering vigilance can we mitigate the risks posed by sophisticated cyber adversaries.

The sources for this piece include articles in The Hacker News and The Record.

Lazarus Hacker Group Actively Exploiting Windows Kernel Flaw
Article Name
Lazarus Hacker Group Actively Exploiting Windows Kernel Flaw
Learn about the latest cyber threat as Lazarus hackers exploit a critical Windows Kernel flaw. Stay informed, stay secure!
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter