North Korean state-backed hackers are distributing a malicious version of a legitimate application developed by CyberLink, a Taiwanese software maker, to target downstream customers.
Microsoft’s Threat Intelligence team said on Wednesday North Korean hackers had compromised CyberLink to distribute a modified installer file from the company as part of a wide-reaching supply-chain attack.
CyberLink is a software company headquartered in Taiwan that develops multimedia software, such as PowerDVD, and AI facial recognition technology. According to the company’s website, CyberLink owns over 200 patented technologies and has shipped more than 400 million apps worldwide.
CyberLink spokesperson Melinda Ziemer told TechCrunch that the organization identified a “malware issue” in the installation file for one of its apps, a video editing program called Promeo, on November 11. “Upon discovery, our dedicated cybersecurity team immediately removed the bug and additional security measures were put in place to prevent this from happening again in the future,” Ziemer said, noting that none of the company’s other applications are impacted.
Microsoft said it observed suspicious activity associated with the modified CyberLink installer, tracked by the company as “LambLoad,” as early as October 20, 2023. It has so far detected the trojanized installer on more than 100 devices in multiple countries, including Japan, Taiwan, Canada and the United States.
The file is hosted on legitimate update infrastructure owned by CyberLink, according to Microsoft, and the attackers used a legitimate code signing certificate issued to CyberLink to sign the malicious executable, according to Microsoft. “This certificate has been added to Microsoft’s disallowed certificate list to protect customers from future malicious use of the certificate,” said Microsoft’s Threat Intelligence team.
The company noted that a second-phase payload observed in this campaign interacts with infrastructure previously compromised by the same group of threat actors.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Microsoft has attributed this attack with “high confidence” to a group it tracks as Diamond Sleet, a North Korean nation-state actor linked to the notorious Lazarus hacking group. This group has been observed targeting organizations in information technology, defense and media. And it focuses predominantly on espionage, financial gain and corporate network destruction, according to Microsoft.
Microsoft said it has yet to detect hands-on keyboard activity but noted that Diamond Sleet attackers commonly steal data from compromised systems, infiltrate software build environments, progress downstream to exploit further victims and attempt to gain persistent access to victims’ environments.
Microsoft said it notified CyberLink of the supply-chain compromise but did not say whether it had received a response or whether CyberLink had taken any action in light of the company’s findings. The company is also notifying Microsoft Defender for Endpoint customers who were affected by the attack.
UPDATE, Nov. 29, 11:00 a.m. ET: This article has been updated with comment from CyberLink.
