The Lazarus Group exploited CVE-2024-21338, a zero-day vulnerability in the Windows AppLocker driver 'appid.sys', to gain kernel privileges and disable security tools, removing the need for BYOVD (bring-your-own-vulnerable-driver) tactics. Avast reported the flaw to Microsoft, which led to a patch. The FudModule rootkit used by Lazarus now features enhanced stealth and can disable products such as Microsoft Defender and CrowdStrike Falcon.