Bypass Record

Reflective Code Loading × Microsoft Windows Defender

A publicly reported instance of Reflective Code Loading bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Defender
Technique
Reflective Code Loading
MITRE ATT&CK
T1620
Confidence
High
Severity
High
Status
poc
Disclosed
2026-03-29
Config / version noted
Not stated

Provenance

Reported as

bypassing Windows Defender by loading a PE file directly from memory using a Rust-based loader, avoiding disk writes

Mechanism

A Rust PELoader loads a PE file entirely in memory without writing to disk, evading Windows Defender's file-based scanning. The loader manually maps the PE, resolves imports, and executes it, defeating detection that relies on on-disk artifacts.

Detection & mitigation

Monitor for suspicious process memory operations such as VirtualAlloc with PAGE_EXECUTE_READWRITE permissions followed by thread creation, or use of NtCreateThreadEx from non-standard modules. Deploy endpoint detection and response (EDR) with memory scanning capabilities and enable Windows Defender's behavior monitoring and cloud-delivered protection to detect in-memory threats.
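As an added example (not from the cited source), the two heuristics above implemented as detection logic over constructed, normalised API-call telemetry: an RWX allocation followed by thread creation in the same process, and NtCreateThreadEx called from a module outside a small allowlist. The event field names, the 30-second window and the allowlist of standard caller modules are assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the cited source): one record per API call,
# in the shape an EDR sensor or ETW consumer might emit after normalisation.
# Fields: ts (seconds), pid, api, protect (allocations only), caller (module name).
EVENTS = [
    {"ts": 1.0, "pid": 4242, "api": "VirtualAlloc", "protect": "PAGE_EXECUTE_READWRITE", "caller": "loader.exe"},
    {"ts": 1.2, "pid": 4242, "api": "NtCreateThreadEx", "caller": "loader.exe"},
    {"ts": 2.0, "pid": 5151, "api": "VirtualAlloc", "protect": "PAGE_READWRITE", "caller": "kernelbase.dll"},
    {"ts": 2.1, "pid": 5151, "api": "CreateThread", "caller": "kernel32.dll"},
    {"ts": 3.0, "pid": 6161, "api": "VirtualAlloc", "protect": "PAGE_EXECUTE_READWRITE", "caller": "jit.dll"},
    {"ts": 90.0, "pid": 6161, "api": "CreateThread", "caller": "kernel32.dll"},
]

RWX = "PAGE_EXECUTE_READWRITE"
ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"}
THREAD_APIS = {"CreateThread", "CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"}
# Assumption: modules expected to reach NtCreateThreadEx in a normal process.
STANDARD_THREAD_CALLERS = {"ntdll.dll", "kernelbase.dll", "kernel32.dll"}
WINDOW_SECONDS = 30.0  # assumption: max gap between the RWX allocation and the thread

def detect(events, window=WINDOW_SECONDS):
    """Return (pid, rule) findings for the two behaviours in the record, in event order."""
    findings = []
    last_rwx = {}  # pid -> timestamp of the most recent RWX allocation
    for e in sorted(events, key=lambda x: x["ts"]):
        pid, api = e["pid"], e["api"]
        if api in ALLOC_APIS and e.get("protect") == RWX:
            last_rwx[pid] = e["ts"]
            continue
        if api in THREAD_APIS:
            # Rule 1: RWX allocation followed by thread creation in the same process.
            if pid in last_rwx and e["ts"] - last_rwx[pid] <= window:
                findings.append((pid, "rwx_alloc_then_thread"))
                del last_rwx[pid]  # one finding per allocation
            # Rule 2: NtCreateThreadEx from a module outside the allowlist.
            if api == "NtCreateThreadEx" and e["caller"].lower() not in STANDARD_THREAD_CALLERS:
                findings.append((pid, "ntcreatethreadex_nonstandard_caller"))
    return findings

# Note: a loader that allocates PAGE_READWRITE and later flips to executable via
# VirtualProtect is not caught here; a fuller rule would also track protection changes.
```

Tuning the window trades false positives from JIT engines against missed slow loaders; pid 6161 above is flagged only when the window is widened.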

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.