New North Korean supply chain attack spreads via malicious CyberLink app

A new supply chain attack was discovered that leverages a malicious variant of a popular photo and video editing application developed by Taiwanese software company CyberLink.

Microsoft’s threat intelligence team has attributed the campaign to a North Korean threat actor it tracks as Diamond Sleet (previously Zinc). The group focuses on espionage, theft of personal and corporate data, financial gain, and corporate network destruction. Diamond Sleet has been observed targeting media, defense, and information technology (IT) industries worldwide. Its arsenal includes a variety of exclusive custom malware, as well as open-source software and N-day exploits. Diamond Sleet overlaps with activity tracked by other security companies as Temp.Hermit and Labyrinth Chollima.

The most recent Diamond Sleet campaign, first spotted in late October, involves a modified CyberLink application installer that is signed with a valid CyberLink certificate yet contains malicious code that delivers a second-stage payload. Microsoft tracks the malicious app as LambLoad.

The file is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products.

According to Microsoft, the campaign has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the US. The threat research team said it has yet to identify exactly what the attackers did after a system was compromised, but in previous campaigns the group was seen exfiltrating sensitive data from victim environments, compromising software build environments, moving downstream to additional victims for further exploitation, and using techniques to establish persistent access to victim environments.

Before launching any malicious code, LambLoad ensures that the date and time of the local host fall within a preconfigured execution period. It then checks whether the targeted environment is running security software from FireEye, CrowdStrike, or Tanium. If it finds processes associated with these products, it continues running the CyberLink app without executing malicious code. Otherwise, LambLoad attempts to contact one of three URLs to download the second-stage payload, which is embedded inside a file masquerading as a PNG image, using the static User-Agent ‘Microsoft Internet Explorer.’
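The static User-Agent string described above is a usable network indicator for defenders. The following Python is an added detection example, not code from the article or from Microsoft: it scans constructed proxy log lines (the log format, hostnames and client addresses are invented for illustration) and flags requests that present the bare ‘Microsoft Internet Explorer’ User-Agent, raising the severity when the fetched object is named as a PNG, matching the LambLoad second-stage download pattern.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log (not real traffic). Fields:
#   timestamp client method url status "user-agent"
SAMPLE_LOG = """\
2023-10-25T09:14:02Z 10.0.0.12 GET http://update.example.invalid/patch/logo.png 200 "Microsoft Internet Explorer"
2023-10-25T09:14:05Z 10.0.0.13 GET https://www.example.invalid/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118"
2023-10-25T09:15:11Z 10.0.0.12 GET http://cdn.example.invalid/assets/banner.png 200 "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"
2023-10-25T09:16:40Z 10.0.0.14 GET http://files.example.invalid/data.bin 200 "Microsoft Internet Explorer"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Static User-Agent reported for LambLoad's second-stage fetch. A genuine
# browser UA (Internet Explorer included) begins with "Mozilla/", so an exact
# match on this bare token is itself anomalous.
LAMBLOAD_UA = "Microsoft Internet Explorer"


@dataclass
class Alert:
    ts: str
    client: str
    url: str
    reason: str


def parse(line: str):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict):
    """Return a reason string when the record matches the LambLoad pattern, else None."""
    if rec["ua"].strip() != LAMBLOAD_UA:
        return None
    if rec["url"].lower().endswith(".png"):
        return "static UA + PNG-named download (matches LambLoad second-stage fetch)"
    return "static UA 'Microsoft Internet Explorer' (atypical client; review)"


def scan(log_text: str):
    """Run the detection over every line and collect alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is not None and (reason := classify(rec)):
            alerts.append(Alert(rec["ts"], rec["client"], rec["url"], reason))
    return alerts
```

An exact User-Agent match is a brittle indicator on its own; corroborate hits with endpoint telemetry showing the signed CyberLink installer as the parent process before treating them as confirmed.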

Microsoft said it has informed CyberLink of its findings and alerted customers who have been targeted or compromised in the campaign. The tech giant has also reported the CyberLink issue to GitHub, which removed the offending app from its platform.
