North Korean APT Multi-Stage DLL Loader Framework
2025-11-20 • Bloo
https://bloo.io/blog/north-korean-apt-multi-stage-dll-loader-framework
The excerpt attributes EPOINT-AES to North Korean state-sponsored activity and describes a multi-stage Windows malware framework recovered from compromised systems. Its attack chain starts with a DLL executed through rundll32, decrypts AES-protected shellcode, runs Donut-generated .NET shellcode, patches AMSI, downloads a PowerShell script, and establishes an in-memory reverse shell. The framework emphasizes evasion through string obfuscation, runtime API resolution, AMSI/WLDP/ETW bypasses, memory-only execution, and post-build binary patching. The provided operational detail includes the export name EPoint, a reverse-shell example using 192.168.1.94:443, and tooling components such as ShellcodeEncrypt2Dll.py, template.cpp, Loader.cs, shell.ps1, and patch.py, making it useful for defenders tracking North Korean Windows intrusion tradecraft.