Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day
2024-02-28 • Avast
Avast attributed exploitation of CVE-2024-21338, a then-unknown zero-day in the Windows appid.sys AppLocker driver, to Lazarus activity aimed at gaining kernel read and write capability. That access let Lazarus run an updated data-only FudModule rootkit with new stealth techniques, including handle table entry manipulation intended to suspend Protected Process Light (PPL) security processes tied to Microsoft Defender, CrowdStrike Falcon, and HitmanPro. Avast says the campaign moved beyond noisier BYOVD tradecraft by exploiting a driver already present on target systems, which makes detection harder because no new driver has to be loaded. The investigation also recovered parts of the infection chain and identified a new Lazarus-attributed RAT, with additional details reserved for later publication.