North Korean Hackers Attacking CyberLink Users in supply-chain attack

In the ever-evolving realm of cybersecurity, Microsoft Threat Intelligence has uncovered a sophisticated supply chain attack orchestrated by the North Korean Hackers Diamond Sleet (ZINC). 

This ingenious attack involved tampering with a legitimate CyberLink Corp. application, deploying a malevolent variant that harbors a concealed second-stage payload. 


This devious file, cleverly disguised as a genuine CyberLink installer, has infiltrated over 100 devices worldwide, leaving an indelible mark on countries such as Japan, Taiwan, Canada, and the United States.

Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

The Artistry of Malicious Adaptation

Diamond Sleet’s modus operandi exhibits a remarkable level of artistry, extending to forging a file signed with a valid CyberLink Corp certificate. 

This file, strategically positioned within CyberLink’s update infrastructure, employs evasive tactics, limiting its execution time window to evade detection by security measures. 

With high confidence, Microsoft attributes this activity to Diamond Sleet, a North Korean threat actor notorious for targeting sectors such as information technology, defense, and media.

In response to this supply chain compromise, Microsoft swiftly executed a strategic defense plan:

  • Notifying CyberLink: Microsoft promptly alerted CyberLink of the breach, enabling them to take corrective actions and protect their customers.
  • Alerting Affected Customers: Microsoft Defender for Endpoint customers affected by this campaign were immediately notified, allowing them to take proactive steps to mitigate the threat.
  • Reporting to GitHub: Upon identifying the second-stage payload on GitHub, Microsoft promptly reported the attack, leading to its removal and safeguarding the platform’s users.
  • Blocking the Certificate: To prevent further exploitation, Microsoft added the CyberLink Corp. certificate to its list of prohibited items, effectively blocking its use for malicious purposes.
  • Categorizing the Threat: Microsoft’s security solutions detect and categorize this activity as Diamond Sleet within Microsoft Defender for Endpoint, providing users with clear and actionable information about the threat.

Diamond Sleet Unveiled

Diamond Sleet, formerly known as ZINC, emerges as a sophisticated North Korean threat group with a global reach. 

Specializing in espionage, data theft, financial gain, and network disruption, this group possesses an arsenal of exclusive custom malware. 

Microsoft’s report sheds light on Diamond Sleet’s recent exploits, intertwining with activities tracked by other security entities under monikers like Temp.Hermit and Labyrinth Chollima.

Delving into the technical nuances, Microsoft observed the modified CyberLink installer’s suspicious activity as early as October 20, 2023. 

Diamond Sleet’s playbook involves exfiltrating sensitive data, compromising software build environments, and establishing persistent access in victim environments.

LambLoad Unleashed

LambLoad, Diamond Sleet’s weaponized downloader and loader, conceals its malicious code within a legitimate CyberLink application. 

The loader, bearing the SHA-256 hash 166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be, meticulously checks execution conditions before proceeding.

Microsoft issues key recommendations to protect organizations against this threat:

  • Employ Microsoft Defender Antivirus with cloud-delivered protection: This comprehensive solution provides real-time protection against a wide range of threats, including Diamond Sleet’s malicious code.
  • Activate network protection: Network protection capabilities in Microsoft Defender for Endpoint help thwart access to malicious domains, preventing the initial stage of the attack.
  • Enable automated investigation and remediation: Microsoft Defender for Endpoint automates the investigation and remediation process, minimizing the impact of attacks and reducing manual intervention.
  • Swiftly address malicious activity: Upon detection, promptly isolate affected systems and reset credentials to prevent further compromise.
  • Implement attack surface reduction rules: Attack surface reduction rules block untrusted executable files, preventing the execution of malicious code.

Decrypting the Code

Technical insights reveal LambLoad’s maneuvers, utilizing compromised domains for callbacks and concealing its payload within PNG files. 

For independent analysis, Microsoft offers a decryption script, enabling security researchers to dissect the malware and gain deeper insights into its inner workings.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint stand vigilant, detecting and categorizing threat components associated with Diamond Sleet’s arsenal. 

This continuous monitoring ensures that organizations remain protected against the evolving tactics, techniques, and procedures employed by this sophisticated threat actor.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.