Unveiling the Past and Present of APT-K-47 Weapon: Asyncshell
By Knownsec 404 team
Published: 2024-11-22 · Archived: 2026-04-05 19:16:39 UTC
Author: Knownsec 404 Advanced Threat Intelligence team
Date: November 22, 2024
Chinese version: https://paper.seebug.org/3240

1. Background of the incident

Recently, in the course of daily APT tracking, the Knownsec 404 Advanced Threat Intelligence team discovered an attack campaign by the APT-K-47 organization using the topic of “Hajj”, in which the attackers used a CHM file to execute a malicious payload in the same directory. The final payload is relatively simple, supporting only a cmd shell, and is implemented using asynchronous programming, which is very similar to the “Asyncshell” that the organization used several times during our tracking cycle from 2023 to the first half of 2024. Based on our tracking observations, the previously captured Asyncshell has been updated in several versions, and based on the logic and functionality of the code, we have reason to suspect that this sample is an upgraded version of Asyncshell, with the following characteristics compared to the previous ones:

1. Strings are hidden using a base64 variant algorithm.
2. The C2 address is disguised as a normal web service request.
3. Many log messages have been removed.

For ease of subsequent description, the latest sample is noted as Asyncshell-v4. The following description centers on this captured sample and the process by which our team discovered the changes in the Asyncshell versions.

2. Overview

APT-K-47, also known as Mysterious Elephant, is an APT organization whose activity details were first disclosed by the Knownsec 404 Advanced Threat Intelligence team [1]. The organization is presumed to have originated in the South Asian region, and its attack activities date back as far as 2022.
In an in-depth analysis of APT-K-47’s technical approach, tactical strategy, tool usage, and operational goals, connections to multiple other APT organizations in South Asia can be seen, including but not limited to Sidewinder, Confucius, and Bitter.

3. Sample analysis

The initial sample for this discovery is a zip file which contains an encrypted RAR archive; a “Password.txt” containing the extraction password is placed in the same directory. It is worth noting that because the archive is encrypted, it is not detected by any anti-virus program.

Figure 1 Encrypted Compressed File

Extracting the RAR archive yields a chm file and a PE file, where the PE file is set to hidden:

Figure 2 Decompressed File

The main function of the chm is to display the decoy file and use a shortcut to silently run “Policy_Formulation_Committee.exe” in the same directory. The decoy document is mainly about matters related to the religious “hajj”:

Figure 3 Decoy File

3.1 Analysis of Policy_Formulation_Committee.exe

Policy_Formulation_Committee.exe has a relatively single function: it uses a special algorithm to decrypt an address disguised as a normal network service request, then connects to the C2 server returned by that request to provide the cmd shell. This approach lets the attacker flexibly change the connection address in order to keep control of the victim host over a long period of time.
A base64 variant encoding is used to decrypt the server address masquerading as a web service request:

Figure 4 Server Address Disguised as a Network Service Request

The server returns the data as JSON; standard base64 decoding is then performed on the value corresponding to the RequestId to get the C2 of the final shell connection. The cmd shell is implemented by instantiating the class named “MagicFunctions” and calling the “GraciousMagic” function. The cmd shell uses AES and standard Base64 to decrypt data during the interaction:

Figure 5 Relevant Code

4. Version Description

The Knownsec 404 Advanced Threat Intelligence team has continuously tracked a number of weapons used by the APT-K-47 organization since its disclosure, and in the case of Asyncshell, our team has classified it into four versions based on the changes in some of the features, as detailed in the table below:

Table 1 Four Versions of Asyncshell

The following describes the discovery process and version updates of Asyncshell on a timeline.
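Before walking the timeline, the RequestId handoff from section 3.1 as an added triage helper (not code from the report or from the malware): given captured HTTP response bodies, it parses the JSON, standard-base64-decodes the RequestId and accepts the result only when the plaintext is a host:port pair. The sample responses, the other field names and the address are constructed placeholders.

```python
import base64
import binascii
import json
import re

# Constructed sample responses (not real captures) shaped like the disguised
# web service reply described in the report: a benign-looking JSON body whose
# RequestId carries standard base64 that decodes to the real shell C2.
# 192.0.2.10 is a documentation-range placeholder, not an indicator.
SAMPLE_RESPONSES = [
    '{"Status":"OK","RequestId":"MTkyLjAuMi4xMDo0NDM="}',                 # 192.0.2.10:443
    '{"Status":"OK","RequestId":"f1c9a6e2-4b1d-4e8f-9a0b-123456789abc"}',  # ordinary GUID
    '{"error":"bad request"}',                                             # no RequestId
]

HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")


def decode_request_id(body):
    """Return (host, port) if the body's RequestId base64-decodes to host:port, else None."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    value = doc.get("RequestId") if isinstance(doc, dict) else None
    if not isinstance(value, str):
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet (e.g. GUID hyphens)
        plain = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    m = HOST_PORT.match(plain)
    if not m or not 0 < int(m.group("port")) < 65536:
        return None
    return m.group("host"), int(m.group("port"))


def triage(responses):
    """Hunting pass over captured bodies: every (body, host, port) that looks like a disguised C2 handoff."""
    hits = []
    for body in responses:
        result = decode_request_id(body)
        if result:
            hits.append((body, result[0], result[1]))
    return hits
```

A hit is a candidate, not a verdict: confirm it against the proxy log entry that fetched the body and block or sinkhole the decoded host:port only after review.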
4.1 Discovering Asyncshell for the first time

Our team first discovered Asyncshell back in January 2024, when we found a malicious sample exploiting the CVE-2023-38831 vulnerability, with the overall attack chain shown below:

Figure 6 Attack Chain

Attackers used content related to the remuneration of civil servants and temporary civil servants on temporary leave in the field as bait:

Figure 7 Decoy File

The payload uses async programming to implement shell functionality, so it is named AsyncShell; for the convenience of subsequent version descriptions, it is noted as AsyncShell-v1:

Figure 8 Relevant Code

AsyncShell-v1 supports cmd commands and powershell commands:

Figure 9 Relevant Code

After analyzing AsyncShell-v1, we associated a sample of the same type from the sample store. The sample code is very consistent, but the final instructions received only support parsing and execution using powershell:

Figure 10 Relevant Code

Further pivoting on AsyncShell-v1 found multiple samples of the same type, and we suspect that the files’ original metadata and the time of intrusion are related. According to the current pivoting analysis, the first delivery of this type of attack may have been in September 2023, targeting countries and subjects including Pakistan, Bangladesh, Turkey, etc.,
which is basically consistent with the attack targets of the organization that we previously observed through Knownsec’s telemetry big data.

Figure 11 Multiple Samples of the Same Type

4.2 Executing Asyncshell with CHM

Judging from the time of entry in the sample store, in March 2024 our team discovered APT-K-47’s attack activity using Asyncshell, which was the first time we found APT-K-47 executing Asyncshell using CHM.

Figure 12 Executing Asyncshell via CHM

Samples of the same type also include:

Figure 13 Sample

Figure 14 Sample

Some of the decoys are listed below:

Figure 15 Decoy File

Figure 16 Decoy File

4.3 The transition from tcp to https

As time moved on to April 2024, the team discovered a new Asyncshell attack sample from the organization. The attacker placed the decoy document and the payload in the same directory, and set the payload file name to be the same as that of the decoy document.
When file extension display was not enabled, the victim was induced to view the payload as a pdf file and click to execute it:

Figure 17 Decoy File

After the malicious payload is executed, the last four characters of its own file path are removed, and the file pointed to by the resulting path, that is, the decoy document, is executed:

Figure 18 Decoy File

The main content of the decoy document is the minutes of the PSC meeting:

Figure 19 Decoy File

Payload communication changed from tcp to https, so we noted it as Asyncshell-v2.

Figure 20 Relevant Code

The sample plans to use “file.dat” to return the execution result, but the corresponding function is never actually called in the implementation. Based on the above information, our team associated another sample of the same type using the same C2 from the sample store; part of the decoy is shown below:

Figure 21 Decoy File

The sample uses a file named “commands.txt” to distribute cmd commands, and the final execution results are uploaded to the server.
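Added example, not from the report: host-side detection logic over constructed process and scheduled-task records, covering the delivery chains this report describes (hh.exe launching an executable for the CHM chains of sections 3 and 4.2, a payload named after the decoy so it shows as “.pdf” for v2, and the “WinNetServiceUpdate” task running cal.exe described for v3 in section 4.4). The record layout, the user name, the directories and the decoy file name are assumptions; the third rule also generalises to any task whose action runs out of a user profile.

```python
import re
from pathlib import PureWindowsPath

# Constructed telemetry records (not real logs), modelled on the chains in
# this report: CHM -> hidden EXE in the same directory, a "<doc>.pdf.exe"
# payload that opens "<doc>.pdf" after dropping its last four characters,
# and LNK -> VBS -> scheduled task "WinNetServiceUpdate" -> cal.exe.
# User name, directories and the decoy file name are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\hh.exe",
     "image": r"C:\Users\u\Downloads\Hajj\Policy_Formulation_Committee.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\u\Downloads\PSC_Meeting_Minutes.pdf.exe"},
    {"type": "task_created", "task": r"\WinNetServiceUpdate",
     "action": r"C:\Users\u\AppData\Roaming\cal.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]


def _name(path):
    """Lower-cased final path component, e.g. 'hh.exe'."""
    return PureWindowsPath(path).name.lower()


def chm_spawns_exe(ev):
    """CHM chain: the help viewer hh.exe has no business starting an executable."""
    return (ev["type"] == "process" and _name(ev["parent"]) == "hh.exe"
            and _name(ev["image"]).endswith(".exe"))


def double_extension_payload(ev):
    """v2: an executable whose name ends in a document extension plus .exe."""
    return (ev["type"] == "process"
            and re.search(r"\.(pdf|docx?)\.exe$", _name(ev["image"])) is not None)


def suspicious_scheduled_task(ev):
    """v3: the WinNetServiceUpdate task, or (assumed generalisation) any task
    whose action runs a binary out of a user profile directory."""
    if ev["type"] != "task_created":
        return False
    return (_name(ev["task"]) == "winnetserviceupdate"
            or ev["action"].lower().startswith("c:\\users\\"))


RULES = {"chm_spawns_exe": chm_spawns_exe,
         "double_extension_payload": double_extension_payload,
         "suspicious_scheduled_task": suspicious_scheduled_task}


def detect(events):
    """Return [(rule_name, event)] for every rule that each event triggers."""
    return [(rname, ev) for ev in events for rname, rule in RULES.items() if rule(ev)]
```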
4.4 Decrypting the C2 from a file

In July 2024, our team captured an Asyncshell variant unlike the previous versions: the entire attack chain of this captured sample has been updated, and it is labeled Asyncshell-v3, as detailed in the figure below:

Figure 22 Attack Chain

The initial sample is a zip file; the lnk file in its root directory is used to execute a VBS script, which creates a scheduled task named “WinNetServiceUpdate”, and the main execution body of the scheduled task is “cal.exe” (i.e. Asyncshell-v3). The decoy document is shown below:

Figure 23 Decoy File

After cal.exe runs, it reads the “license” file in the same directory and decrypts it using AES to get the “ServerIP” and “ServerPort”:

Figure 24 Relevant Code

Samples of the same type also use the following decoys:

Figure 25 Decoy File

The final payload is obfuscated with ConfuserEx, and reads and decrypts “SysConfig.enc”:

Figure 26 Relevant Code

5. Summary

Based on the above analysis, it can be seen that APT-K-47 has frequently used Asyncshell to launch attack activities since 2023, and has gradually upgraded the attack chain and payload code.
In recent attack activities, this group has cleverly used disguised service requests to control the final shell server address, changing from the fixed C2 of previous versions to a variable C2, which shows the importance the APT-K-47 organization places on Asyncshell. Since disclosing the details of the organization in 2023, the Knownsec 404 Advanced Threat Intelligence Team has been closely tracking the organization’s movements. The team has conducted in-depth analysis on the weapons used by the organization, including ORPCBackdoor, walkershell, Asyncshell, MSMQSPY, and LastopenSpy. We will continue to disclose some of the weapons they have mastered. If you are interested in the relevant content, you can contact Intel-APT@knownsec.com for communication and discussion.

6. IOC

Hash:
5afa6d4f9d79ab32374f7ec41164a84d2c21a0f00f0b798f7fd40c3dab92d7a8
5488dbae6130ffd0a0840a1cce2b5add22967697c23c924150966eaecebea3c4
c914343ac4fa6395f13a885f4cbf207c4f20ce39415b81fd7cfacd0bea0fe093

7. Reference

[1] https://paper.seebug.org/3000/

Source: https://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68