Got a little nerd sniped by the last slide of the "APT Down" talk at #39c3 and looked at that payload.bin file. It's x86_64 shellcode, and that string that was mentioned is an API function name that gets decrypted in a basic decoder loop. Hunting for related files with that bytecode pattern leads to samples uploaded to VirusTotal from KR, CN, TW, HK, VN. This indicates a broader East-Asian focus. Context: https://phrack.org/issues/72/7_md