Security Alerts

Microsoft: Lazarus hackers breach CyberLink in supply chain attack

Microsoft has revealed that a North Korean hacking group known as Diamond Sleet (aka ZINC, Labyrinth Chollima, and Lazarus) has executed a supply chain attack by breaching Taiwanese multimedia software company CyberLink. The hackers trojanized one of CyberLink's installers and distributed the malware through the company's own update infrastructure. Microsoft detected the altered installer on over 100 devices globally, including in Japan, Taiwan, Canada, and the United States.

Diamond Sleet signed the malicious executable with a legitimate code signing certificate issued to CyberLink, so the file passed signature checks as genuine CyberLink software; Microsoft has since added the certificate to its disallowed list.

The trojanized software, named LambLoad, is a downloader and loader that first checks whether FireEye, CrowdStrike, or Tanium security software is present on the system. If none of these products is found, LambLoad connects to command-and-control servers to retrieve a second-stage payload concealed within a file masquerading as a PNG image. Although no hands-on-keyboard activity has been observed in this campaign, Diamond Sleet is known for stealing data, infiltrating software build environments, moving downstream to exploit further victims, and establishing persistent access.

Microsoft has informed CyberLink, notified affected Microsoft Defender for Endpoint customers, and reported the attack to GitHub, which resulted in the removal of the second-stage payload.

Link

https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-breach-cyberlink-in-supply-chain-attack/