A recent cybersecurity incident involving a North Korean state-sponsored group known as Diamond Sleet has emerged as a significant threat to businesses. This group has been distributing a compromised version of a legitimate application developed by the Taiwanese company CyberLink, leveraging a supply chain attack to target downstream customers.

According to the Microsoft Threat Intelligence team, the malicious installer masquerades as a genuine CyberLink application, but it has been altered to embed harmful code that downloads, decrypts, and executes a second-stage payload. This compromised installer is hosted on CyberLink’s update infrastructure, complete with mechanisms designed to obscure its operation and evade detection by security tools.

The campaign appears to have affected more than 100 devices across regions including Japan, Taiwan, Canada, and the United States. Suspicious activity linked to the modified installer was first identified on October 20, 2023. The attack’s sophistication suggests advanced planning by the adversaries, given their use of a legitimate but compromised domain to retrieve further payloads.

In tracing this threat back to North Korea, security experts noted that the infrastructure for the second-stage payload was seen connecting to previously breached command-and-control servers associated with Diamond Sleet. Microsoft’s observations indicate that this group often employs trojanized software—both open-source and proprietary—to compromise organizations within the information technology, defense, and media sectors.

Diamond Sleet operates under the Lazarus Group banner, a threat entity with a presence dating back to at least 2013. This group’s operations are primarily aimed at gathering strategic intelligence that benefits North Korea’s geopolitical objectives, targeting institutions across government, defense, telecommunications, and financial sectors globally. Microsoft reported no evidence of manual exploitation activities following the deployment of the compromised installer, which has been codenamed LambLoad.

The downloader is engineered to assess the target environment for specific security solutions—namely those from CrowdStrike, FireEye, and Tanium—and if not detected, it retrieves additional malware disguised as a PNG file. This file contains an embedded payload that is injected and executed directly in memory, enhancing its concealment from security measures.
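The "malware disguised as a PNG file" pattern is detectable on the defender's side: a genuine PNG ends at its IEND chunk, so any bytes after it, or chunks whose CRC does not match, are a strong signal that the image is a carrier. The checker below is an added example written for this article, not code from Microsoft or CyberLink; the sample images and the appended placeholder bytes are constructed inline.

```python
"""Flag PNG files that carry extra data after IEND or chunks with bad CRCs."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list and report anything a real image would not have."""
    report = {"signature_ok": blob.startswith(PNG_SIG), "chunks": [],
              "bad_crc": [], "truncated": False, "trailing_bytes": 0}
    if not report["signature_ok"]:
        return report
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length          # length + type + data + crc
        if end > len(blob):
            report["truncated"] = True
            return report
        data = blob[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", blob[pos + 8 + length:end])[0]
        if stored != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            report["bad_crc"].append(ctype)
        report["chunks"].append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    # Anything after IEND is not part of the image: the classic place to hide a payload.
    report["trailing_bytes"] = len(blob) - pos
    return report


def is_suspicious(blob: bytes) -> bool:
    r = inspect_png(blob)
    return (not r["signature_ok"] or r["truncated"] or bool(r["bad_crc"])
            or r["trailing_bytes"] > 0 or b"IEND" not in r["chunks"])


# Constructed sample: a valid 1x1 RGB PNG, then the same image with bytes appended.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
CLEAN_PNG = (PNG_SIG + make_chunk(b"IHDR", IHDR)
             + make_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
             + make_chunk(b"IEND", b""))
FAKE_PAYLOAD = b"<<constructed placeholder bytes, not real malware>>"
TAMPERED_PNG = CLEAN_PNG + FAKE_PAYLOAD
```

In practice the same check belongs in a proxy or EDR pipeline over image downloads from a vendor's update domain, where an image with trailing data is worth quarantining rather than rendering.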

The details of this incident surfaced shortly after Palo Alto Networks’ Unit 42 disclosed parallel campaigns by North Korean hackers, who were using fake job interviews to distribute malware and gain unauthorized access to organizations in the U.S. and beyond. Microsoft also recently linked Diamond Sleet to the exploitation of a critical vulnerability in JetBrains TeamCity, further demonstrating the group’s opportunistic choice of attack vectors.

The increase in software supply chain attacks perpetrated by North Korean actors—evident through incidents involving 3CX, MagicLine4NX, and others—has prompted cybersecurity advisories from South Korea and the U.K. These advisories underscore the elevated risk and urge organizations to implement robust security practices to mitigate such threats. Authorities have emphasized that these attacks align with North Korea’s strategic objectives of generating revenue, conducting espionage, and acquiring advanced technologies.

Update

After inquiries from The Hacker News, CyberLink confirmed that on November 22, 2023, it identified a malware issue in the installation file for its Promeo program. Its cybersecurity team promptly remediated the issue and implemented enhanced security measures to prevent a recurrence. CyberLink also conducted comprehensive security inspections across all of its products and stated that none of the others were affected by the attack.