CyberLink
CyberLink installer compromised to distribute malware.
A North Korean group tracked as Diamond Sleet or ZINC modified a legitimate CyberLink multimedia installer and signed it with a valid certificate. Hosted on CyberLink's update infrastructure, the LambLoad trojanized installer downloaded secondary payloads onto victim systems across multiple countries.
- Date
- 2023-10-20 to 2023-11-22
- Category
- Commercial
- Target Surface
- Distribution
- Insertion Phase
- Distribution
- Impact
- Backdoor
- Cause
- Vendor infrastructure compromise
What Was Affected
Package
CyberLink
Component
Application
Artifact type
binary archive
Domain type
project download host
Domain
cyberlink.com
Compromised Versions
- Specific CyberLink application installers (e.g., Promeo reported) active around Oct/Nov 2023
Incident Context
- Motive
- Espionage
- Attribution
- Nation-state
- Transitive
- No
- User Impact
- 100
- Observed Duration
- 33 days
Evidence
Compromised Artifacts
- update.cyberlink.com/Retail/Promeo/RDZCMSFY1ELY/CyberLink_Promeo_Downloader.exe
- update.cyberlink.com/Retail/Patch/Promeo/DL/RDZCMSFY1ELY/CyberLink_Promeo_Downloader.exe
Current Artifacts and Analysis
- microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer
- virustotal.com/gui/file/166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be
- virustotal.com/gui/file/089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d
- virustotal.com/gui/file/915c2495e03ff7408f11a2a197f23344004c533ff87db4b807cc937f80c217a1
Indicators and Changes
Hashes
- sha256:166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be
- sha256:089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d
- sha256:915c2495e03ff7408f11a2a197f23344004c533ff87db4b807cc937f80c217a1
External References
Source Data
Source record: proprietary/cyberlink/meta.yaml