Design Intent Exposed: Path Deception in nls_933w.dll
How Equation Group Protects the Embedded Driver Resource from Being Released to Physical Disk Automatically—A Stealth Loading Tactic
“To understand the immeasurable, the mind must be extraordinarily quiet, still.”
— Jiddu Krishnamurti
Seeker(李标明) · @clibm079
China · Independent Malware Analyst & Researcher
From 2025.9.7 to 2025.9.16
Prologue
Recently I haven’t been going to the temple frequently, but I sometimes walked in the park, watched the trees and flowers, and felt the air flowing, which, by the way, let me get close to nature and clear my mind.
Figure 1: One day in the mountains.
The last report, “Analysis of Equation Group’s nls_933w.dll Revealing Core Tactics and Technical Mindset,” took me more than 60 days—too much time and energy, so I had to stop, have a rest, and find a balance between life and research work. Then I wrote an article called “Safeguarding the Self” and shared real feelings in the “Poems of Malware Analysis,” and the other thing was to improve my homepage and my GitHub repository, things like that to release the pressure of research.
In this report, I will narrow the scope of my research and focus on one strategic point. I would like to dive deep into the invalid path tactic, guess and verify, and find out how Equation Group did it that way. I will try to change the invalid path to a valid path for the experiment, check the logic, and confirm my personal guess. Here we go.
Sample choice: nls_933w.dll
Yeah, it’s still the nation-state APT group called Equation Group.
nls_933w.dll
md5: 11fb08b9126cdb4668b3f5135cf7a6c5
WIN32M.sys
md5: 2b444ac5209a8b4140dd6b747a996653
Technical analysis
The invalid path deception tactic
Here, let’s jump to the core title, “the invalid path,” which is directly related to the last report. It uses GetSystemDirectoryA to locate the correct directory, “c:\windows\system32,” but then concatenates the invalid strings. Both the constant “Source” and the “Str” designed in the .data segment are not even meant to be decoded.
Figure 2: invalid path from concatenating the constant “Source” and the “Str”.
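To reproduce the report’s observation without running the sample, here is an added analyst helper (not code from the report or from the sample) that models the path construction described above: the result of GetSystemDirectoryA followed by the two raw .data constants, then a syntax check of whether a Win32 create on that path could succeed. The sample’s real constants are not printed in the report, so the “Source” and “Str” bytes below are constructed placeholders, and the valid-path case uses the driver name WIN32M.sys as the analyst’s patched value.

```python
import re

# Win32 rejects these characters inside a path component, plus C0 control bytes.
_ILLEGAL_CHARS = set('<>":|?*') | {chr(c) for c in range(32)}
_RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} \
    | {f"LPT{i}" for i in range(1, 10)}


def build_drop_path(system_dir: bytes, source: bytes, str_: bytes) -> bytes:
    """Model the dropper's path construction: the GetSystemDirectoryA() result
    followed by the two raw .data constants 'Source' and 'Str'."""
    return system_dir.rstrip(b"\\") + b"\\" + source + str_


def classify_drop_path(path: bytes) -> tuple[bool, str]:
    """Return (would_create_succeed, reason) for a candidate Win32 path.
    Only syntax is checked; nothing is written to disk."""
    try:
        text = path.decode("ascii")
    except UnicodeDecodeError:
        return False, "undecoded non-ASCII bytes in path"
    if not re.match(r"^[A-Za-z]:\\", text):
        return False, "missing drive prefix"
    for comp in text[3:].split("\\"):
        if comp == "":
            return False, "empty path component"
        if any(ch in _ILLEGAL_CHARS for ch in comp):
            return False, f"illegal character in component {comp!r}"
        if comp.rstrip(". ") != comp:
            return False, f"trailing dot/space in component {comp!r}"
        if comp.split(".")[0].upper() in _RESERVED_NAMES:
            return False, f"reserved device name {comp!r}"
    return True, "syntactically valid Win32 path"


# Constructed sample values (placeholders, not the sample's real constants).
SYSTEM_DIR = b"C:\\Windows\\system32"
RAW_SOURCE = b"\x8f\x02\xd1\\"     # stands in for the undecoded 'Source' bytes
RAW_STR = b"\x1f\x7f.sys"          # stands in for the undecoded 'Str' bytes
PATCHED_SOURCE = b"WIN32M"         # analyst-patched, valid constants
PATCHED_STR = b".sys"


def run_experiment() -> dict[str, tuple[bool, str]]:
    """Compare the original (undecoded) constants with the patched ones."""
    return {
        "original": classify_drop_path(build_drop_path(SYSTEM_DIR, RAW_SOURCE, RAW_STR)),
        "patched": classify_drop_path(build_drop_path(SYSTEM_DIR, PATCHED_SOURCE, PATCHED_STR)),
    }
```

With the placeholder constants the original path is rejected before any file API is reached, while the patched path resolves to C:\Windows\system32\WIN32M.sys, matching the two outcomes the experiment below observes.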
In fact, that was the first time I had the idea of what would happen if they were valid paths, but I paused so as not to make things more complex. Weeks passed and the heavy pressure was released, so I think it’s time to verify the guess.
Guess and experimental testing
The first thing to do is change the value in memory directly and then debug with a single step forward.
Figure 3: Change the value of memory to a valid path.
I debugged step by step, and it returned the value of EAX as 1.
Figure 4: the process of debugging.
The driver WIN32M.sys was successfully released to disk
And then the embedded driver WIN32M.sys in nls_933w.dll was released to the physical disk. The size of the file and the hash of the file are right.
Figure 5: the embedded driver WIN32M.sys in nls_933w.dll released to the physical disk.
Manually modify the nls_933w.dll file, check the logic, and confirm
So from there I thought I should change both constant values in nls_933w.dll, as mentioned above, as follows.
Figure 6: the constant about Source and Str.
I tried several times to make it work well; an example follows.
Figure 7: edited the hex value with HxD Hex Editor and saved it.
And the condition of memory was as follows: finally, it successfully released the embedded driver WIN32M.sys in nls_933w.dll to the physical disk again, as shown in Figure 4 above.
Figure 8: the condition of memory after changing both constants.
The path constants changed ≠ driver released
Does it work well after changing the path constants, releasing the embedded driver WIN32M.sys in nls_933w.dll to the physical disk automatically?
To be honest, “no!” I had to change the logic of the control flow to debug. It should be loaded manually the right way, which is key, but until now I haven’t understood it completely. It is the deception path; it is a smart policy to evade automatic driver file release to disk. In order to implant the malware and run correctly, it needs to know how to load, which is the real intent of the designer. Here there are two things we need to know.
1. Change the path constant value.
2. Load it the right way manually.
So from the above analysis and observation, we know Equation Group’s design uses two layers, or multiple layers, to protect their critical weapon from being loaded.
Conclusion
In my opinion, the invalid path design is a deception and protection policy to avoid automatic loading to a physical disk; it is a smart and ingenious way to evade analysis and anti-virus. They protect their critical weapon on both sides: one side is anti-analyst, and the other side is anti-machine. The intent implies that Equation Group’s design is very strict and requires a mature mindset and practice. It’s also a serious piece of systematic engineering design.
Honestly, I’m documenting what I see—knowing the unseen is vast.
Analysis WIP: still piecing together the full picture.
Epilogue: What the Firmware Research Taught Me
1. The background of an elite state-level APT implies they have the best resources, like the top software designers, the best developers, the elite reverse engineers, and so on. Facing an adversary like that, a great deal of challenge naturally appears in front of us as analysts or researchers.
2. In fact, in my opinion, they are not fighting against commercial products but rather taking paths beyond the market’s imagination, thereby delaying the possibility of being discovered. In a word, far ahead.
3. Respect your opponents, maintain curiosity, and continue to explore and practice. In my opinion, profound and systematic theories are equally important, not just practical capabilities, especially in the face of a top elite state-level APT. “Only depth reveals intent.”
Annotation: In all the sentences where I wrote and used the words “you,” “your,” or “yourself,” I was talking to myself or to “the malware sample itself, especially in the poem I wrote,” not to the reader. I must clarify my motivation.
“Do or do not, there is no try.”
— Master Yoda
End of Report
Labels: #DesignIntentExposed, #EquationGroup, #Firmware, #kernel #rootkit, #nls_933w, #PathDeception