Proprietary · 2023-10-20 · 33 days · Backdoor, Remote Access

CyberLink installer served LambLoad

Diamond Sleet modified CyberLink's Promeo installer and signed it with a valid CyberLink certificate. LambLoad reached more than 100 devices before Microsoft and CyberLink responded.

Story

CyberLink's update infrastructure carried a poisoned installer in October and November 2023. The file was a legitimate CyberLink Promeo downloader modified to include LambLoad, then signed with a valid CyberLink Corp. certificate and hosted from CyberLink-owned update URLs.

Microsoft attributed the operation with high confidence to Diamond Sleet, the North Korean group formerly tracked as ZINC. The campaign touched more than 100 devices in Japan, Taiwan, Canada, the United States, and other countries. Microsoft notified CyberLink and affected Defender for Endpoint customers, reported the payload host to GitHub, and added the abused CyberLink certificate to its disallowed certificate list.

LambLoad first checked the host date against a configured execution window, then looked for running security tooling associated with CrowdStrike, FireEye, and Tanium. If either condition was not satisfied (outside the window, or one of those products present), the installer ran the expected CyberLink software and never took the malicious path, which is how the loader avoided sandboxes and monitored hosts.

When both checks passed, the loader fetched a second stage hidden inside a file masquerading as a PNG, hosted on GitHub Pages, Imgur, or a compromised web server. The payload was carved out from behind the fake PNG header, decrypted, and launched in memory, then called back to compromised infrastructure for instructions. Microsoft had not identified hands-on-keyboard activity at publication, but any host on which the second stage executed should be treated as fully compromised.
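The carving step is where a defender can look without knowing the loader's key: a file that claims to be a PNG but carries a payload either stops parsing before its IEND chunk or has bytes after it. The block below is an added example, not CyberLink's, Microsoft's or LambLoad's code; LambLoad's actual container layout and decryption routine are not documented on this page, so the example only walks the PNG chunk structure, checks each chunk's CRC, and returns whatever lies beyond the valid structure. The samples it runs on are constructed here: a minimal valid 1x1 PNG, the same PNG with a blob appended after IEND, and a PNG signature plus IHDR followed directly by a blob (the "fake outer header" shape).

```python
"""Flag PNG-lookalike files that carry data the chunk structure does not account for.

Added example, not code from CyberLink, Microsoft or LambLoad. Sample inputs are
constructed in this file; FAKE_PAYLOAD is an inert placeholder, not real code.
"""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed stand-in for an embedded payload (starts with "MZ" like a PE, then filler).
FAKE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed payload, not real shellcode"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, 4-byte type, body, CRC32(type+body)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A structurally valid 1x1 8-bit grayscale PNG (constructed benign sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_MAGIC + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def fake_png_loader(payload: bytes) -> bytes:
    """Constructed 'fake outer PNG header' shape: signature + IHDR, then raw payload, no IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_MAGIC + png_chunk(b"IHDR", ihdr) + payload


def walk_png(data: bytes) -> dict:
    """Walk the chunk list and report where the valid PNG structure stops.

    Returns: header_ok, chunks (types seen), crc_errors, saw_iend,
             end_offset (first byte not covered by a valid chunk), trailing (bytes from there).
    """
    r = {"header_ok": data.startswith(PNG_MAGIC), "chunks": [], "crc_errors": 0,
         "saw_iend": False, "end_offset": 0, "trailing": b""}
    if not r["header_ok"]:
        r["trailing"] = data
        return r
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):  # need at least length + type + CRC
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        # A chunk type is four ASCII letters and its length must fit in the file;
        # anything else means the chunk list has ended and foreign bytes follow.
        if not ctype.isalpha() or pos + 12 + length > len(data):
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            r["crc_errors"] += 1
        r["chunks"].append(ctype.decode("ascii"))
        pos += 12 + length
        if ctype == b"IEND":
            r["saw_iend"] = True
            break
    r["end_offset"] = pos
    r["trailing"] = data[pos:]
    return r


def verdict(data: bytes) -> str:
    """Classify: not-png | truncated-structure | trailing-data | crc-mismatch | clean."""
    r = walk_png(data)
    if not r["header_ok"]:
        return "not-png"
    if not r["saw_iend"]:
        return "truncated-structure"  # chunk list ends before IEND: something else follows
    if r["trailing"]:
        return "trailing-data"        # well-formed image with a blob appended after IEND
    if r["crc_errors"]:
        return "crc-mismatch"         # chunk bodies were tampered with in place
    return "clean"


if __name__ == "__main__":
    for name, blob in [("benign", minimal_png()),
                       ("appended", minimal_png() + FAKE_PAYLOAD),
                       ("fake-header", fake_png_loader(FAKE_PAYLOAD))]:
        rep = walk_png(blob)
        print(f"{name:12} {verdict(blob):20} chunks={rep['chunks']} "
              f"carved={len(rep['trailing'])} bytes at offset {rep['end_offset']}")
```

The carved bytes are what a decryption step would consume; since the cipher and key are loader-specific, the example stops at carving and reports the offset so the blob can be handed to a sandbox or to further analysis. Note that a real image may legitimately carry harmless trailing bytes, so treat "trailing-data" as a triage signal rather than a conviction.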

Affected Artifacts

Promeo

cyberlink.com · Binary Archive
Observed
2023-10-20 to 2023-11-22
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha256:166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be
  • sha256:089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d
  • sha256:915c2495e03ff7408f11a2a197f23344004c533ff87db4b807cc937f80c217a1

Scope
Specific CyberLink application installers active around October and November 2023; Promeo is the named product. Exact affected versions are not listed in the source.

Incident Context

Motive
Espionage, Data Theft
Attribution
State
Cause
Vendor Infrastructure Compromise
Transitive
No
Actor
Diamond Sleet
User Impact
More than 100 devices

External References

Source record: proprietary/cyberlink/meta.yaml