Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-06 00:54:28 UTC
Home > List all groups > List all tools > List all groups using tool FudModule
 Tool: FudModule
Names FudModule
Category Malware
Type Rootkit
Description
(Avast) The entire goal of the admin-to-kernel exploit was to corrupt the current thread’s
PreviousMode. This allows for a powerful kernel read/write primitive, where the affected user-mode thread can read and write arbitrary kernel memory using the
Nt(Read|Write)VirtualMemory syscalls. Armed with this primitive, the FudModule rootkit
employs direct kernel object manipulation (DKOM) techniques to disrupt various kernel
security mechanisms. It’s worth reiterating that FudModule is a data-only rootkit, meaning it
executes entirely from user space and all the kernel tampering is performed through the
read/write primitive.
Information
Malpedia Last change to this tool card: 07 March 2024
Download this tool card in JSON format
All groups using tool FudModule
Changed Name Country Observed
APT groups
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=743359c4-0623-4c9a-b969-f318cb3aaa66
Page 1 of 2

Lazarus Group, Hidden Cobra, Labyrinth Chollima 2007-May 2025
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=743359c4-0623-4c9a-b969-f318cb3aaa66
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=743359c4-0623-4c9a-b969-f318cb3aaa66
Page 2 of 2