{
	"id": "2531c4af-d9fb-43b4-b9eb-a92bf4097aac",
	"created_at": "2026-04-06T00:17:15.609219Z",
	"updated_at": "2026-04-10T03:37:20.326058Z",
	"deleted_at": null,
	"sha1_hash": "75cc8bd3322415589db38c2edaaa5633fa7820c5",
	"title": "Unveiling the Past and Present of APT-K-47 Weapon: Asyncshell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4254859,
	"plain_text": "Unveiling the Past and Present of APT-K-47 Weapon: Asyncshell\r\nBy Knownsec 404 team\r\nPublished: 2024-11-22 · Archived: 2026-04-05 19:16:39 UTC\r\nAuthor: Knownsec 404 Advanced Threat Intelligence team\r\nDate: November 22, 2024\r\nChinese version: https://paper.seebug.org/3240\r\n1. Background of the incident\r\nRecently, in the course of daily APT tracking, the Knownsec 404 Advanced Threat Intelligence team discovered an attack campaign by the APT-K-47 organization using the topic of “Hajj”, in which the attackers used a CHM file to execute a malicious payload located in the same directory. The final payload is relatively simple, supporting only a cmd shell, and is implemented using asynchronous programming, which makes it very similar to the “Asyncshell” that the organization used several times during our team’s tracking cycle from 2023 to the first half of 2024. Based on our tracking observations, the previously captured Asyncshell has been updated in several versions, and based on the logic and functionality of the code, we have reason to suspect that this sample is an upgraded version of Asyncshell, with the following characteristics compared to the previous ones:\r\n1. Hides strings using a base64 variant algorithm.\r\n2. Places the C2 behind something disguised as a normal web service request.\r\n3. Removes a lot of log messages.\r\nFor ease of subsequent description, the latest sample is noted as Asyncshell-v4. The following description centers on this captured sample and the process by which our team discovered the changes in Asyncshell versions.\r\n2. Overview\r\nAPT-K-47, also known as Mysterious Elephant, is an APT organization whose activity details were first disclosed by the Knownsec 404 Advanced Threat Intelligence team [1]. The organization is presumed to have originated in the South Asian region, and its attack activities date back as far as 2022. An in-depth analysis of APT-K-47’s technical approach, tactical strategy, tool usage, and operational goals shows overlaps with multiple other South Asian APT organizations, including but not limited to SideWinder, Confucius, and Bitter.\r\n3. Sample analysis\r\nThe initial sample for this discovery is a zip file containing an encrypted RAR archive together with a “Password.txt” that holds the extraction password. It is worth noting that, because the archive is encrypted, it is not flagged by any anti-virus program.\r\nhttps://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68\r\nPage 1 of 18\r\nFigure 1 Encrypted Compressed File\r\nExtracting the RAR archive yields a CHM file and a PE file, with the PE file’s hidden attribute set:\r\nFigure 2 Decompressed File\r\nThe main function of the CHM is to display the decoy file and use a shortcut to silently run “Policy_Formulation_Committee.exe” from the same directory.\r\nThe decoy document mainly concerns matters related to the religious “hajj”:\r\nFigure 3 Decoy File\r\n3.1 Analysis Description of Policy_Formulation_Committee.exe\r\nPolicy_Formulation_Committee.exe is relatively simple and single-purpose: it uses a custom algorithm to decrypt an address disguised as a normal network service request, connects to it, and obtains from that request the C2 server used to complete the cmd shell. This approach lets the attacker flexibly change the connection address in order to keep control of the victim host for a long period of time.\r\nA variant of base64 encoding is used to decrypt the server address masquerading as a web service request:\r\nFigure 4 Server Address Disguised as a Network Service Request\r\nThe server returns the data as JSON; standard base64 decoding of the value corresponding to RequestId then yields the C2 of the final shell connection.\r\nThe cmd shell is implemented by instantiating the class named “MagicFunctions” and calling the “GraciousMagic” function. The cmd shell uses AES \u0026 standard Base64 to decrypt data during the interaction:\r\nFigure 5 Relevant Code\r\n4. Version Description\r\nThe Knownsec 404 Advanced Threat Intelligence team has continuously tracked a number of weapons used by the APT-K-47 organization since its disclosure, and in the case of Asyncshell, our team has classified it into four versions based on changes in some of its features, as detailed in the table below:\r\nTable 1 Four Versions of Asyncshell\r\nThe following describes the discovery process and version updates of Asyncshell on a timeline.\r\n4.1 Discover Asyncshell for the first time\r\nOur team first discovered Asyncshell in January 2024, when we found a malicious sample exploiting the CVE-2023-38831 vulnerability, with the overall attack chain shown below:\r\nFigure 6 Attack Chain\r\nAttackers used content related to the remuneration of civil servants and temporary civil servants on temporary leave in the field as bait:\r\nFigure 7 Decoy File\r\nThe payload uses asynchronous programming to implement shell functionality, so it is named AsyncShell, and for the convenience of subsequent version descriptions it is noted as AsyncShell-v1:\r\nFigure 8 Relevant Code\r\nAsyncShell-v1 supports cmd commands and powershell commands:\r\nFigure 9 Relevant Code\r\nAfter analyzing AsyncShell-v1, we associated a sample of the same type from the sample store; the sample code is very consistent, and the final instructions received only support parsing and execution using powershell:\r\nFigure 10 Relevant Code\r\nFurther pivoting on AsyncShell-v1 found multiple samples of the same type. Assuming that the original file information is connected to the time of intrusion, the current pivoting analysis suggests that the first delivery of this type of attack may have been in September 2023, targeting countries and subjects including Pakistan, Bangladesh, Turkey, etc. This is basically consistent with the attack targets of the organization that we have previously observed through Knownsec’s telemetry big data.\r\nFigure 11 Multiple Samples of the Same Type\r\n4.2 Executing Asyncshell with CHM\r\nJudging from the time of entry in the sample store, in March 2024 our team had discovered APT-K-47’s attack activity using Asyncshell, which is the first time we found APT-K-47 executing Asyncshell using CHM.\r\nFigure 12 Executing Asyncshell via CHM\r\nSamples of the same type are also included:\r\nFigure 13 Sample\r\nFigure 14 Sample\r\nSome of the decoys are listed below:\r\nFigure 15 Decoy File\r\nFigure 16 Decoy File\r\n4.3 The transition from tcp to https\r\nAs time moved on to April 2024, the team discovered a new Asyncshell attack sample from the organization. The attacker placed the decoy document and the payload in the same directory, and set the payload file name to be the same as that of the decoy document. When file extension display was not enabled, the victim was induced to view the payload as a PDF file and click to execute it:\r\nFigure 17 Decoy File\r\nAfter the malicious payload is executed, the last four characters of its file path are removed, and the file pointed to by the resulting path, that is, the decoy document, is executed:\r\nFigure 18 Decoy File\r\nThe main content of the decoy document is the minutes of a PSC meeting:\r\nFigure 19 Decoy File\r\nPayload communication changed from TCP to HTTPS, so we note this version as Asyncshell-v2.\r\nFigure 20 Relevant Code\r\nThe sample plans to use “file.dat” to return the execution result, but the corresponding function is never actually called after implementation.\r\nBased on the above information, our team associated another sample of the same type using the same C2 from the sample store; part of the decoy is shown below:\r\nFigure 21 Decoy File\r\nThe sample uses a file named “commands.txt” to distribute cmd commands, and the final execution results are uploaded to the server.\r\n4.4 Decrypt C2 from file\r\nIn July 2024, our team captured an Asyncshell variant whose entire attack chain, unlike the previous versions, had been updated; it is labeled Asyncshell-v3, as detailed in the figure below:\r\nFigure 22 Attack Chain\r\nThe initial sample is a zip file; the LNK file in its top-level directory executes a VBS script, which creates a scheduled task named “WinNetServiceUpdate”, and the main execution body of the scheduled task is “cal.exe” (i.e. Asyncshell-v3).\r\nThe decoy document is shown below:\r\nFigure 23 Decoy File\r\nAfter cal.exe runs, it reads the “license” file in the same directory and decrypts it using AES to get the “ServerIP” and “ServerPort”:\r\nFigure 24 Relevant Code\r\nThe same type of sample also uses the following decoys:\r\nFigure 25 Decoy File\r\nThe final payload is obfuscated with ConfuserEx and reads and decrypts “SysConfig.enc”:\r\nFigure 26 Relevant Code\r\n5. Summary\r\nBased on the above analysis, it can be seen that APT-K-47 has frequently used Asyncshell to launch attack activities since 2023, and has gradually upgraded the attack chain and payload code. In recent attack activities, this group has cleverly used disguised service requests to control the final shell server address, changing from the fixed C2 of previous versions to a variable C2, which shows the importance the APT-K-47 organization places on Asyncshell internally. Since disclosing the details of the organization in 2023, the Knownsec 404 Advanced Threat Intelligence Team has been closely tracking the organization’s movements. They have conducted in-depth analysis on the weapons used by the organization, including ORPCBackdoor, walkershell, Asyncshell, MSMQSPY, and LastopenSpy. We will continue to disclose some of the weapons they have mastered. If you are interested in the relevant content, you can contact Intel-APT@knownsec.com for communication and discussion.\r\n6. IOC\r\nHash:\r\n5afa6d4f9d79ab32374f7ec41164a84d2c21a0f00f0b798f7fd40c3dab92d7a8\r\n5488dbae6130ffd0a0840a1cce2b5add22967697c23c924150966eaecebea3c4\r\nc914343ac4fa6395f13a885f4cbf207c4f20ce39415b81fd7cfacd0bea0fe093\r\n7. Reference\r\n[1] https://paper.seebug.org/3000/\r\nSource: https://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68"
	],
	"report_names": [
		"unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5339d7c-473e-4b49-b44c-189b4f72b585",
			"created_at": "2024-12-28T02:01:54.8259Z",
			"updated_at": "2026-04-10T02:00:04.778045Z",
			"deleted_at": null,
			"main_name": "Mysterious Elephant",
			"aliases": [
				"APT-K-47"
			],
			"source_name": "ETDA:Mysterious Elephant",
			"tools": [
				"ORPCBackdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434635,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75cc8bd3322415589db38c2edaaa5633fa7820c5.pdf",
		"text": "https://archive.orkl.eu/75cc8bd3322415589db38c2edaaa5633fa7820c5.txt",
		"img": "https://archive.orkl.eu/75cc8bd3322415589db38c2edaaa5633fa7820c5.jpg"
	}
}