Avast Q1/2024 Threat Report

2024-05-14 Avast

https://decoded.avast.io/threatresearch/avast-q1-2024-threat-report/


Avast reported that Lazarus exploited CVE-2024-21338, an admin-to-kernel zero-day in the built-in appid.sys (AppLocker) driver that Microsoft patched in February 2024, to load an updated version of its FudModule data-only rootkit. By abusing a driver that ships with Windows, the chain no longer needed the group's earlier BYOVD (bring-your-own-vulnerable-driver) technique, which removed the noisy step of dropping and loading a third-party signed driver and made the attack harder to detect. Because the rootkit only tampers with kernel data structures rather than kernel code, it also avoids tripping code-integrity checks. The refreshed rootkit targeted registry, object, process, thread, image-load, file-system minifilter, Windows Filtering Platform, Event Tracing for Windows, and image verification callbacks, disabling the kernel notification paths that security products depend on. It also manipulated handle table entries to escalate the access rights of process handles in attempts to suspend the protected Microsoft Defender, CrowdStrike Falcon, and HitmanPro processes.
