Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW

2023-03-09 Mandiant

https://www.mandiant.com/resources/blog/lightshift-and-lightshow


Mandiant describes how the North Korea-linked group UNC2970 used Bring Your Own Vulnerable Driver (BYOVD) techniques to support intrusion operations and blind endpoint defenses. From a compromised host, investigators recovered Share.DAT, decoded it into LIGHTSHIFT, an in-memory dropper, and linked it to LIGHTSHOW, a VMProtect-packed utility that refused to execute fully unless a hash of the host's computer name matched a hard-coded value, an execution guardrail that also hampers sandbox analysis. LIGHTSHOW dropped and loaded legitimately signed but vulnerable drivers, including the Dell DBUtil 2.3 driver and an ENE Technology driver also seen in KDU-style tooling, registered a dummy SB_SMBUS_SDK.dll as the calling module the driver expects, and then used the resulting kernel read/write primitives to patch kernel routines that EDR products depend on for monitoring. The report notes overlap with AhnLab's reporting on Lazarus BYOVD activity and warns that UNC2970 is likely to continue abusing vulnerable vendor drivers.
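The behaviour summarised above leaves two hunting hooks in host telemetry: a signed vendor driver loaded from somewhere it was never installed, and file hashes that match the report's IOC list. The script below is an added example, not code from Mandiant or the report. It parses a few constructed Sysmon-style records (one event per line, "Field=value|Field=value", a simplified format assumed here rather than Sysmon's real output) and flags DriverLoad (Event ID 6) records whose file name is on a watchlist of the drivers the report names, or whose path is outside the normal driver directories, plus any record whose MD5 appears in the page's IOC table. The file name dbutil_2_3.sys is the well-known Dell DBUtil 2.3 driver; ene.sys is an assumed name for the ENE Technology driver, and the sample paths, hashes and hash-to-file pairings are constructed.

```python
"""Hunt for BYOVD-style driver loads in constructed Sysmon-style records.

Added example, not code from Mandiant or the report. Flags:
  (a) DriverLoad events for driver file names the report names,
  (b) DriverLoad events whose image lies outside the usual driver directories,
  (c) any event whose MD5 appears in the page's IOC table.
"""
import re
from typing import Dict, List

# Vulnerable drivers the report names. "dbutil_2_3.sys" is the well-known
# Dell DBUtil 2.3 file name; "ene.sys" is an ASSUMED file name for the ENE
# Technology driver. Extend with whatever your own intel lists.
WATCHLIST: Dict[str, str] = {
    "dbutil_2_3.sys": "Dell DBUtil 2.3 (named in the report)",
    "ene.sys": "ENE Technology driver (assumed file name)",
}

# The four complete MD5 values from the page's IOC table (truncated one omitted).
IOC_MD5 = {
    "9176f177bd88686c6beb29d8bb05f20c",
    "ad452d161782290ad5004b2c9497074f",
    "def6f91614cb47888f03658b28a1bda6",
    "7e6e2ed880c7ab115fca68136051f9ce",
}

# Directories a properly installed driver is normally loaded from (lower-case).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Field=value|Field=value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")  # split on the FIRST '=' only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def md5_from_hashes(hashes: str) -> str:
    """Pull the MD5 out of a Sysmon-style 'MD5=...,SHA256=...' Hashes field."""
    m = re.search(r"MD5=([0-9a-fA-F]{32})", hashes)
    return m.group(1).lower() if m else ""


def assess_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons this record is suspicious (empty list if none)."""
    reasons: List[str] = []
    digest = md5_from_hashes(event.get("Hashes", ""))
    if digest in IOC_MD5:
        reasons.append(f"MD5 matches report IOC: {digest}")
    if event.get("EventID") == "6":  # Sysmon DriverLoad
        image = event.get("ImageLoaded", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if name in WATCHLIST:
            reasons.append(f"known vulnerable driver: {WATCHLIST[name]}")
        if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
            reasons.append(f"driver loaded from non-standard path: {image}")
    return reasons


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Run assess_event over every record and collect the hits in order."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess_event(ev)
        if reasons:
            image = ev.get("ImageLoaded") or ev.get("Image", "")
            findings.append({"image": image, "reasons": reasons})
    return findings


# Constructed sample records, not real telemetry. All paths and hashes are
# made up except the one MD5 copied from the page's IOC table.
SAMPLE_LOG = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    "|Hashes=MD5=0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\dbutil_2_3.sys"
    "|Hashes=MD5=11111111111111111111111111111111",
    "EventID=6|ImageLoaded=C:\\ProgramData\\ene.sys"
    "|Hashes=MD5=22222222222222222222222222222222",
    "EventID=1|Image=C:\\Users\\Public\\update.exe"
    "|Hashes=MD5=9176f177bd88686c6beb29d8bb05f20c",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["image"])
        for r in f["reasons"]:
            print("  -", r)
```

The path rule is the one that survives a renamed driver: an actor can drop DBUtil under any file name, but a kernel driver being loaded from a user-writable directory such as C:\Users\Public or C:\ProgramData is rare on a healthy host. Pair it with the signer name and hash of the loaded image when you have them, and treat the watchlist as a starting point rather than a complete list.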

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   9176f177bd88686c6beb29d8bb05f20c   2023-03-09   2023-03-09
HASH   ad452d161782290ad5004b2c9497074f   2023-03-09   2023-03-09
HASH   def6f91614cb47888f03658b28a1bda6   2023-03-09   2023-03-09
HASH   175eed7a4c6de9c3156c7ae16ae85c5…   2023-03-09   2023-03-09
HASH   7e6e2ed880c7ab115fca68136051f9ce   2023-03-09   2023-03-09
