win.fudmodule

FudModule

aka: LIGHTSHOW

Actor(s): Lazarus Group


FudModule is a user-mode DLL that obtains the ability to read and write arbitrary kernel memory via the BYOVD (Bring Your Own Vulnerable Driver) technique. Its main goal is to turn off Windows system monitoring features, which it does by modifying kernel variables and removing kernel callbacks. Its actions are likely to affect various types of security products, e.g. EDRs, firewalls, anti-malware and even digital forensics tools.

References
2026-02-01 | splintersfury | Ahmad Abdillah Bin Zaini
KernelSight: Windows Kernel Driver Exploitation Knowledge Base
BlackByte FudModule Nokoyawa Ransomware
2024-09-19 | Gen Digital | Luigino Camastra
Evolution of Lazarus ‘FudModule - no longer (stand)alone’
FudModule
2024-08-30 | Microsoft | Microsoft Threat Intelligence
North Korean threat actor Citrine Sleet exploiting Chromium zero-day
FudModule Lazarus Group
2024-04-18 | Avast | Luigino Camastra
From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
FudModule Kaolin RAT
2024-02-28 | Avast Decoded | Jan Vojtěšek
Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day
FudModule
2023-03-20 | SecurityIntelligence | John Dwyer
When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule
FudModule
2023-03-09 | Mandiant | Mandiant Intelligence
Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW
FudModule
2023-02-21 | SecurityIntelligence | Ruben Boonen
Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
FudModule
2022-10-24 | AhnLab | ASEC Analysis Team
Malware infection case of Lazarus attack group that neutralizes antivirus program with BYOVD technique
FudModule LazarDoor Racket Downloader
2022-09-30 | Virus Bulletin | Matěj Havránek, Peter Kálnai
Lazarus & BYOVD: evil to the Windows core
FudModule
2022-09-30 | ESET Research | Peter Kálnai
Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
BLINDINGCAN FudModule HTTP(S) uploader LambLoad TOUCHMOVE
2022-09-22 | AhnLab | AhnLab ASEC Analysis Team
Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD
FudModule
Yara Rules
[TLP:WHITE] win_fudmodule_auto (20260504 | Detects win.fudmodule.)
rule win_fudmodule_auto {

    /* Reviewer notes
     * - The $sequence_* strings are raw opcode byte groups lifted from x64 code
     *   (REX prefixes 0x48/0x49/0x41/0x44/0x4c open most groups). The `??`
     *   bytes are wildcards that appear to cover call/jump targets and
     *   RIP-relative displacements (e.g. `e8????????`, `ff15????????`,
     *   `488b05????????`), so those operands may be rebased without breaking
     *   the match.
     * - The per-line disassembly comments do NOT line up with the byte group
     *   they sit next to: they look like a 32-bit decode of 64-bit code, in
     *   which a REX prefix 0x48 is rendered as a separate `dec eax` (compare
     *   $sequence_10, where `488d442458` is followed by `dec eax` and then
     *   `lea eax, [esp + 0x58]`). Treat the hex bytes as authoritative and the
     *   mnemonics as informational only.
     * - Match condition: `7 of them` (out of 16 sequences) AND
     *   `filesize < 795648`. The size cap presumably derives from the
     *   documented sample(s) (see DISCLAIMER below), so larger builds of the
     *   same family (padded, repacked, bundled) will not match this rule;
     *   pair it with the hand-written win_fudmodule_w0 / win_fudmodule_w1
     *   rules when triaging rather than relying on it alone.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.fudmodule."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4883c701 d2d8 fec0 f6d0 }
            // n = 4, score = 100
            //   4883c701             | dec                 ecx
            //   d2d8                 | mov                 dword ptr [esp + 0x9e0], eax
            //   fec0                 | not                 si
            //   f6d0                 | xor                 si, di

        $sequence_1 = { 440fb74318 488d4c2420 4803d3 e8???????? 488d4c2420 e8???????? }
            // n = 6, score = 100
            //   440fb74318           | mov                 ebx, eax
            //   488d4c2420           | inc                 cx
            //   4803d3               | cmp                 dword ptr [ebx + 0x120], eax
            //   e8????????           |                     
            //   488d4c2420           | jbe                 0x6e
            //   e8????????           |                     

        $sequence_2 = { 488d4c1005 493bce 7503 41ffc1 453bc8 7e27 }
            // n = 6, score = 100
            //   488d4c1005           | arpl                cx, ax
            //   493bce               | dec                 eax
            //   7503                 | lea                 edx, [esp + 0x34]
            //   41ffc1               | inc                 esp
            //   453bc8               | movzx               eax, word ptr [esp + eax + 0x60]
            //   7e27                 | inc                 esp

        $sequence_3 = { 488d6c24c9 4881ecd0000000 488b05???????? 4833c4 48894527 33c0 4533ed }
            // n = 7, score = 100
            //   488d6c24c9           | movzx               eax, word ptr [ebx + 0x18]
            //   4881ecd0000000       | dec                 eax
            //   488b05????????       |                     
            //   4833c4               | lea                 ecx, [esp + 0x20]
            //   48894527             | dec                 eax
            //   33c0                 | add                 edx, ebx
            //   4533ed               | dec                 eax

        $sequence_4 = { 4889fa 66d3d1 66c1d90f 660fadc9 4889d9 f5 }
            // n = 6, score = 100
            //   4889fa               | mov                 dword ptr [ebp + 0x27], eax
            //   66d3d1               | xor                 eax, eax
            //   66c1d90f             | inc                 ebp
            //   660fadc9             | xor                 ebp, ebp
            //   4889d9               | jae                 0x2b
            //   f5                   | dec                 eax

        $sequence_5 = { 488d15cc390000 488bce 488905???????? ff15???????? }
            // n = 4, score = 100
            //   488d15cc390000       | mov                 ecx, esi
            //   488bce               | dec                 eax
            //   488905????????       |                     
            //   ff15????????         |                     

        $sequence_6 = { 6641398320010000 7664 8bce 4863c1 488d542434 440fb7440460 }
            // n = 6, score = 100
            //   6641398320010000     | mov                 dword ptr [ebp - 0x60], 0x646165
            //   7664                 | dec                 eax
            //   8bce                 | lea                 edx, [esp + 0x48]
            //   4863c1               | dec                 eax
            //   488d542434           | mov                 ecx, eax
            //   440fb7440460         | dec                 eax

        $sequence_7 = { 660fabf3 18c3 4883c420 660fb6da 4889c3 }
            // n = 5, score = 100
            //   660fabf3             | dec                 eax
            //   18c3                 | test                eax, eax
            //   4883c420             | je                  0xd
            //   660fb6da             | dec                 eax
            //   4889c3               | mov                 eax, dword ptr [edi]

        $sequence_8 = { d2e5 488b7518 660fa4f109 6689f1 88d5 66b937f3 }
            // n = 6, score = 100
            //   d2e5                 | lea                 ebp, [esp - 0x37]
            //   488b7518             | dec                 eax
            //   660fa4f109           | sub                 esp, 0xd0
            //   6689f1               | dec                 eax
            //   88d5                 | xor                 eax, esp
            //   66b937f3             | dec                 eax

        $sequence_9 = { c7459c72546872 c745a065616400 ff15???????? 488d542448 488bc8 488bd8 }
            // n = 6, score = 100
            //   c7459c72546872       | dec                 esp
            //   c745a065616400       | mov                 eax, edi
            //   ff15????????         |                     
            //   488d542448           | dec                 eax
            //   488bc8               | mov                 dword ptr [esp + 0x20], eax
            //   488bd8               | mov                 dword ptr [ebp - 0x64], 0x72685472

        $sequence_10 = { 488d442458 41b932000000 4c8bc7 4889442420 }
            // n = 4, score = 100
            //   488d442458           | dec                 eax
            //   41b932000000         | lea                 eax, [esp + 0x58]
            //   4c8bc7               | inc                 ecx
            //   4889442420           | mov                 ecx, 0x32

        $sequence_11 = { f6c413 f5 84c0 e9???????? f5 }
            // n = 5, score = 100
            //   f6c413               | dec                 eax
            //   f5                   | sar                 eax, 5
            //   84c0                 | dec                 ecx
            //   e9????????           |                     
            //   f5                   | mov                 ecx, ebp

        $sequence_12 = { 0f878cb40100 f5 69d20a000000 f6c63b f9 }
            // n = 5, score = 100
            //   0f878cb40100         | dec                 eax
            //   f5                   | mov                 esi, esp
            //   69d20a000000         | test                cx, 0x7321
            //   f6c63b               | stc                 
            //   f9                   | shl                 ch, cl

        $sequence_13 = { 7329 4863d1 488d0d40bc0000 488bc2 83e21f 48c1f805 }
            // n = 6, score = 100
            //   7329                 | lea                 ecx, [esp + 0x20]
            //   4863d1               | dec                 eax
            //   488d0d40bc0000       | lea                 edx, [0x39cc]
            //   488bc2               | dec                 eax
            //   83e21f               | mov                 ecx, esi
            //   48c1f805             | dec                 eax

        $sequence_14 = { 66f7d6 6631fe 4889e6 66f7c12173 f9 }
            // n = 5, score = 100
            //   66f7d6               | inc                 ecx
            //   6631fe               | inc                 ebp
            //   4889e6               | cmp                 ecx, eax
            //   66f7c12173           | jle                 0x31
            //   f9                   | dec                 eax

        $sequence_15 = { 6685f5 f6dd 8b8e8c000000 f8 6685fd e9???????? 660fa3c1 }
            // n = 7, score = 100
            //   6685f5               | arpl                cx, dx
            //   f6dd                 | dec                 eax
            //   8b8e8c000000         | lea                 ecx, [0xbc40]
            //   f8                   | dec                 eax
            //   6685fd               | mov                 eax, edx
            //   e9????????           |                     
            //   660fa3c1             | and                 edx, 0x1f

    condition:
        // 7 of the 16 opcode sequences must be present, and the size cap
        // excludes anything at or above 795648 bytes (see reviewer notes above).
        7 of them and filesize < 795648
}
[TLP:WHITE] win_fudmodule_w0   (20241014 | Detects win.fudmodule.)
rule win_fudmodule_w0 {

    /* Reviewer notes
     * - The $s strings look like the implant's own status/log messages
     *   ("failed." / "passed." / "skipped." suffixes, printf-style %X / %d).
     *   The names they carry (pvmode, NTKernelBase/DriverBase,
     *   VaccineNotifyRoutine, UserEtwSource, VaccineNetworkFilterRoutine) line
     *   up with the kernel-callback and ETW tampering this family is known
     *   for; $s01 is a temp-file path pattern that can also serve as a
     *   host-based indicator when hunting outside of YARA.
     * - The $h strings are code byte patterns; `??` bytes are wildcards. $h04
     *   and $h05 appear to match stack-built strings: their immediates spell
     *   the ASCII fragments "erSi", "loNa", "me" and "FltE", "nume".
     * - `2 of them` over 12 strings is deliberately loose. Two $s hits are a
     *   strong signal on their own; a hit made of $h patterns alone is worth
     *   cross-checking against win_fudmodule_w1 (which shares the
     *   "DisableUserEtwSource (%d/%d) passed." message) before acting on it.
     */

    meta:
        author = "Jan Vojtesek - Avast Decoded"
        date = "2024-10-14"
        description = "Detects win.fudmodule."
        source = "https://github.com/avast/ioc/tree/master/FudModule#yara"
        reference = "https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule"
        malpedia_rule_date = "20241014"
        malpedia_hash = ""
        malpedia_version = "20241014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // status/log messages emitted by the implant
        $s00 = "overwrite pvmode failed. %X"
        $s01 = "%s\\temp\\tem1245.tmp"
        $s02 = "get NTKernelBase and some DriverBase failed."
        $s03 = "ClearVaccineNotifyRoutine failed."
        $s04 = "DisableUserEtwSource (%d/%d) passed."
        $s05 = "ClearVaccineNetworkFilterRoutine skipped."

        // code byte patterns (?? = wildcard byte)
        $h00 = {65 48 8B 04 25 30 00 00 00 48 8B CB 48 8B 50 60 48 89 13 80 7A 02 01 75 16 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 01 00 00 F0 E9}
        $h01 = {48 C7 81 F0 00 00 00 20 01 00 00 48 C7 81 F8 00 00 00 A0 00 00 00 48 C7 81 08 01 00 00 A0 00 00 00 48 C7 81 18 01 00 00 68 00 00 00 48 C7 81 20 01 00 00 40 00 00 00}
        $h02 = {05 9F B5 FF FF 83 F8 04 0F 87 ?? ?? ?? ?? 48 C7 81 28 01 00 00 80 10 00 00}
        $h03 = {48 A3 08 00 00 80 00 00 00 00 48 8B 43 38 48 8B 4B 60}
        $h04 = {C7 45 ?? 65 72 53 69 C7 45 ?? 6C 6F 4E 61 66 C7 45 ?? 6D 65 C6 45 ?? 00 66 C7 45 ?? 48 8D}
        $h05 = {66 C7 45 ?? 4C 8B C6 45 ?? 3D 66 C7 45 ?? 48 8D C6 45 ?? 05 C7 45 ?? 46 6C 74 45 C7 45 ?? 6E 75 6D 65}
    condition:
        // any two of the twelve strings, no filesize bound
        2 of them

}
[TLP:WHITE] win_fudmodule_w1   (20241014 | Detects win.fudmodule.)
rule win_fudmodule_w1 {

	/* Reviewer notes
	 * - $s00 "Success." is generic and can occur in benign binaries, yet it
	 *   counts toward `3 of them` like any other string. A hit that leans on
	 *   $s00 plus one or two of the short $h patterns deserves a closer look
	 *   than a hit on the distinctive messages ($s01..$s10); the three hex
	 *   patterns are only 16 bytes each with nibble wildcards, so they are
	 *   the least specific part of the rule.
	 * - The `// 0x14001....` trailers record the address at which each string
	 *   was observed in the analysed sample; they are provenance notes only
	 *   and play no part in matching.
	 * - $h01/$h02 use nibble wildcards (`4?`, `B?`) so that the exact REX
	 *   prefix / register encoding can vary between builds.
	 * - $s08 "DisableUserEtwSource (%d/%d) passed." is shared with
	 *   win_fudmodule_w0; the EtwpHostSiloState strings ($s09/$s10) tie the
	 *   sample to the ETW tampering described for this family.
	 */

    meta:
        author = "Luigino Camastra, GenDigital"
        date = "2024-10-14"
        description = "Detects win.fudmodule."
        source = "https://github.com/avast/ioc/tree/master/FudModule#yara"
        reference = "https://www.gendigital.com/blog/preview/lazarus-fudmodule"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule"
        malpedia_rule_date = "20241014"
        malpedia_hash = ""
        malpedia_version = "20241014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings:
		// status/log messages; trailing comments give the observed address in the sample
		$s00 = "Success." // 0x14001acf0
		$s01 = "remote_exec failed." // 0x14001ad00
		$s02 = "init_env failed." // 0x14001ac90
		$s03 = "GetGodMode failed" // 0x14001acc0
		$s04 = "RemoteDllExecute passed." // 0x14001b268
		$s05 = "CreateRemoteProcess passed." // 0x14001b220
		$s06 = "GetSystemHandle passed." // 0x14001b208
		$s07 = "SuspendDefender skipped." // 0x14001b1b8
		$s08 = "DisableUserEtwSource (%d/%d) passed." // 0x14001b180
		$s09 = "EtwpHostSiloState is Null." // 0x14001b140
		$s10 = "Get EtwpHostSiloState failed." // 0x14001b160
		
		// short code byte patterns; `?` is a nibble wildcard, `??` a byte wildcard
		$h00 = { 8A 44 0E ?? 41 32 C4 88 01 B0 0D 48 FF C1 41 F6 }
		$h01 = { 4? 8B DF 4? 8D 47 D0 4? C1 E0 10 4? C1 E3 10 4? }
		$h02 = { B? 05 00 00 00 4? 81 E3 FF FF 0F 00 4? 33 D8 4C }
	condition:
		// any three of the fourteen strings, no filesize bound
		3 of them

}