Bypass Record

Obfuscation / Packing × Microsoft Windows Defender

A publicly-reported instance of Obfuscation / Packing bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: Obfuscation / Packing
MITRE ATT&CK: T1027
Confidence: High
Severity: Medium
Status: poc
Disclosed: 2025-10-01
Config / version noted: Not stated

Provenance

Reported as

bypasses static signature-based detection

Mechanism

The attacker encrypts a msfvenom shellcode payload using AES-256-CBC with a randomly generated key and IV. The encrypted payload, key, and IV are embedded in the malware. At runtime, the malware decrypts the shellcode using the Tiny-AES library and executes it via a process injection technique (assumed from the series context). This defeats static AV signatures because the payload is encrypted and only appears in plaintext in memory during execution.

Detection & mitigation

Monitor for processes performing memory allocation with RWX permissions and subsequent execution, especially when originating from unsigned or newly created binaries. Deploy endpoint detection that scans memory for known shellcode patterns or behavioral anomalies post-decryption, and enforce application control to block untrusted executables.
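As an added example that is not part of the cited source, the following PowerShell hunting script implements the first detection note above: it walks every process it can open with VirtualQueryEx and lists committed regions whose protection is PAGE_EXECUTE_READWRITE. The class name MemScan and the function name Find-RwxRegion are chosen here; everything else is standard Win32 / .NET interop.

```powershell
# Added example, not from the cited source: list committed RWX memory regions per process.
# Decrypt-then-execute loaders commonly need such regions; JIT runtimes (.NET, browsers)
# create them legitimately, so treat hits as hunting leads. Run elevated, 64-bit PowerShell.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class MemScan {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress; public IntPtr AllocationBase;
        public uint AllocationProtect; public IntPtr RegionSize;
        public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@
$PROCESS_QUERY_INFORMATION = 0x0400
$MEM_COMMIT                = 0x1000
$PAGE_EXECUTE_READWRITE    = 0x40
$mbiSize = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type][MemScan+MEMORY_BASIC_INFORMATION])

function Find-RwxRegion {
    param([int]$ProcessId, [string]$Name)
    $h = [MemScan]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return }          # protected process or access denied: skip
    $addr = [IntPtr]::Zero
    $mbi  = New-Object MemScan+MEMORY_BASIC_INFORMATION
    while ([MemScan]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiSize).ToInt64() -ne 0) {
        if ($mbi.State -eq $MEM_COMMIT -and $mbi.Protect -eq $PAGE_EXECUTE_READWRITE) {
            [pscustomobject]@{ Pid = $ProcessId; Process = $Name
                               Base = '0x{0:X}' -f $mbi.BaseAddress.ToInt64()
                               SizeKB = $mbi.RegionSize.ToInt64() / 1KB }
        }
        $next = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
        if ($next -le $addr.ToInt64()) { break }   # guard against address wraparound
        $addr = [IntPtr]$next
    }
    [void][MemScan]::CloseHandle($h)
}

Get-Process | ForEach-Object { Find-RwxRegion -ProcessId $_.Id -Name $_.ProcessName } | Format-Table -AutoSize
```

Baseline the output on a known-clean host first, since managed runtimes and some browsers will appear routinely; a new RWX region in an unsigned or recently written binary is the signal the detection note points at.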

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.