North Korean hackers actively exploited a critical Chromium zero-day
- by nlqip
The report added that the FudModule rootkit has historically been shared between Citrine Sleet and Diamond Sleet (formerly Zinc), another North Korean threat actor known to target media, defense, and information technology (IT) industries globally.
RCE to deliver FudModule
The report explained that victims were directed to a Citrine Sleet-controlled exploit domain, voyagorclub[.]space. How victims were driven to that domain is not known, but social engineering is suspected, as it is a common Citrine Sleet technique. Once a target's browser connected to the domain, the zero-day exploit for CVE-2024-7971 was served and achieved remote code execution (RCE).
“After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded, and then loaded into memory,” Microsoft added in the report.
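The chain above leaves one network indicator that defenders can act on: the exploit domain, which the report publishes in defanged form. The following is an added example, not code from the original article or from Microsoft's report, showing how a SOC would refang a published indicator and hunt for it in DNS logs, including subdomains and excluding look-alike hosts. The log format and every log line are constructed for the example; only the domain voyagorclub[.]space comes from the page.

```python
"""Retrospective IOC hunt for the exploit domain named in the report.

Added example, not from the article or Microsoft's report. The DNS log
format and all sample lines are constructed; the only real indicator is
voyagorclub[.]space, taken from the page in its published (defanged) form.
"""
import re
from dataclasses import dataclass

# Indicator exactly as published (defanged so it cannot be clicked).
PUBLISHED_IOCS = ["voyagorclub[.]space"]

# Common defanging conventions, undone before matching.
_DEFANG_RULES = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I), "."),
    (re.compile(r"^hxxps?://", re.I),
     lambda m: m.group(0).lower().replace("hxxp", "http")),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator into the literal form that appears in logs."""
    s = ioc.strip()
    for pattern, repl in _DEFANG_RULES:
        s = pattern.sub(repl, s)
    return s.lower()


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the IOC domain itself or any subdomain of it.

    'notvoyagorclub.space' must NOT match 'voyagorclub.space', so the
    subdomain test requires the dot boundary rather than a bare suffix.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


@dataclass(frozen=True)
class Hit:
    ts: str
    src_ip: str
    qname: str
    ioc: str


# Constructed log format (assumption): "<epoch> <client_ip> query <type> <qname> <rcode>"
_DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+\S+\s+(?P<qname>\S+)"
)

# Constructed sample log: two true positives, one look-alike, one benign query.
SAMPLE_DNS_LOG = """\
1725000001.123 10.0.0.5 query A voyagorclub.space NOERROR
1725000002.456 10.0.0.7 query A cdn.voyagorclub.space NOERROR
1725000003.789 10.0.0.9 query A notvoyagorclub.space NOERROR
1725000004.000 10.0.0.5 query A example.com NOERROR
"""


def hunt(log_text: str, published_iocs=PUBLISHED_IOCS) -> list[Hit]:
    """Return every DNS query whose name is, or sits under, a published IOC domain."""
    iocs = [refang(i) for i in published_iocs]
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = _DNS_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole hunt
        for ioc in iocs:
            if host_matches(m["qname"], ioc):
                hits.append(Hit(m["ts"], m["src"], m["qname"], ioc))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print(f"{hit.ts} {hit.src_ip} -> {hit.qname} (matches {hit.ioc})")
```

Two hosts in the constructed log resolve to hits (the domain and a subdomain of it) while `notvoyagorclub.space` is correctly ignored. An IOC hunt like this only finds hosts that already touched the infrastructure; it does not stop the renderer exploit, so it complements, rather than replaces, getting the Chromium fix for CVE-2024-7971 deployed.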