Inside the Shellcode: Dissecting North Korean APT43's Advanced PowerShell Loader

2025-11-12 Bloo

https://bloo.io/blog/inside-the-shellcode-dissecting-north-korean-apt43s-advanced-powershell-loader


The excerpt analyzes a PowerShell loader named shell.ps1 recovered from North Korean APT infrastructure and attributed in the text to Kimsuky/APT43. The script uses multiple layers of base64 encoding to dynamically compile C# code that exposes Windows APIs through P/Invoke, including VirtualProtect, LoadLibrary, GetProcAddress, malloc, memset, and CreateThread. Its execution flow allocates memory, marks the region executable, builds a randomized NOP sled, transforms and writes the shellcode bytes, resolves APIs by obfuscated names, and launches the payload by creating a thread. The analysis matters because it documents authentic tooling that combines layered obfuscation, in-memory execution, and API-level evasion to bypass PowerShell monitoring and Windows memory protections.

Related Actors

Related Reports

2025-02-12 • 60% Match
Shares tag: APT43