The notorious North Korean hacking group Lazarus has been caught exploiting a zero-day vulnerability in Windows. This critical security flaw, identified as CVE-2024-38193, affects the Ancillary Function Driver for WinSock (AFD.sys) and was actively used in attacks before Microsoft patched it in August 2024. The U.S. Cybersecurity and Infrastructure Security Agency has issued advisories on Lazarus Group activity related to this and similar campaigns.
Understanding the Vulnerability
CVE-2024-38193 is a BYOVD (Bring Your Own Vulnerable Driver) class vulnerability. The AFD.sys driver serves as the entry point to the Windows kernel for the Winsock protocol. What makes this flaw particularly dangerous is that AFD.sys is installed by default on all Windows devices, eliminating the need for attackers to introduce their own vulnerable driver — a technique that would otherwise trigger modern endpoint detection systems.
The Lazarus Group’s Exploitation Technique
According to researchers at Gen Digital (formerly Symantec), the Lazarus Group used CVE-2024-38193 to install a rootkit called FUDModule. This malware disables Windows monitoring functions — including ETW (Event Tracing for Windows) and kernel callbacks — giving attackers deep persistence and effective evasion of security products running on compromised systems.
Attack Campaign Targeting Cryptocurrency Professionals
The vulnerability was exploited as part of a broader campaign targeting cryptocurrency experts, previously identified by Google’s Threat Analysis Group (TAG) and attributed to a Lazarus sub-group known as PUKCHONG (UNC4899). The attack chain followed a deliberate social engineering sequence:
- Initial contact via professional social media platforms (LinkedIn, X)
- A seemingly harmless PDF with a job description from a well-known cryptocurrency firm
- A follow-up PDF with a skills assessment questionnaire to build trust
- Instructions directing victims to download and run a GitHub project
- The GitHub project contains a Python trojan that harvests cryptocurrency-related data and connects to attacker-controlled domains
Organizations Using Chromium-Based Browsers Targeted by Lazarus Group
All Windows systems running versions prior to the August 2025 Patch Tuesday release are potentially vulnerable to CVE-2024-38193. High-risk targets include cryptocurrency industry professionals, financial services employees, and organizations with access to digital asset custody or exchange systems. The attack does not require administrator privileges, making it exploitable against standard user accounts when AFD.sys is present.
Protecting Chromium-Based Browsers Against Lazarus Group Zero-Day Exploits
- Apply the patch immediately: Install the August 2024 cumulative Windows update that addresses CVE-2024-38193. Verify patch status via the Microsoft Security Update Guide.
- Deploy EDR with kernel-level visibility: Use endpoint detection and response solutions capable of detecting suspicious driver load activity and kernel callback manipulation.
- Block untrusted driver loading: Enable Windows Defender Application Control (WDAC) or HVCI (Hypervisor-Protected Code Integrity) to restrict unauthorized kernel-mode code execution.
- Train staff on job-offer phishing: Educate employees — especially those in finance and cryptocurrency roles — to verify job opportunity contacts through official channels before opening attachments or running code.
- Monitor for FUDModule indicators: Check threat intelligence feeds for known FUDModule hashes and C2 domains associated with this Lazarus campaign.