Bypass Record

Obfuscation / Packing × Microsoft Windows Defender

A publicly-reported instance of Obfuscation / Packing bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: Obfuscation / Packing
MITRE ATT&CK: T1027
Confidence: High
Severity: High
Status: poc
Disclosed: 2025-12-02
Config / version noted: Not stated

Provenance

Reported as

bypassing Windows Defender real-time protection by embedding a Meterpreter reverse shell payload inside a JPG file

Mechanism

The Meterpreter payload is hidden within a JPG image file using steganography. When the image is opened, it displays normally as a decoy, while the payload executes in the background, establishing a reverse TCP connection to the attacker's Metasploit handler. This evades Windows Defender's real-time, cloud-delivered, and tamper protections without requiring any exclusions.

Detection & mitigation

Monitor for unexpected network connections from image-viewing applications (e.g., Windows Photo Viewer, Paint) using process-level network telemetry (Sysmon Event ID 3) and look for anomalous child processes spawning from these applications. Mitigate by enforcing application control policies and restricting outbound connections from non-essential processes.
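The following is an added example, not code from the cited source or from this record: a small triage script in Python that applies the detection idea above to Sysmon telemetry. It walks Event ID 3 (NetworkConnect) and Event ID 1 (ProcessCreate) records and flags image-viewing applications that initiate outbound connections or spawn child processes. The viewer list, the allowlisted internal destination, and the sample events are all constructed assumptions for illustration; field names follow Sysmon's event schema.

```python
"""Flag image viewers that open outbound connections or spawn children.

Added example (not from the source). Input is a sequence of dicts using
Sysmon field names: Event ID 3 = NetworkConnect, Event ID 1 = ProcessCreate.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Image-viewing executables with no business reason to talk to the network
# or launch other programs. Assumption: extend for the viewers you deploy.
IMAGE_VIEWERS = {"mspaint.exe", "microsoft.photos.exe"}

# Windows Photo Viewer runs inside rundll32.exe, so it is recognised by the
# DLL on its command line rather than by the Image name.
PHOTO_VIEWER_DLL = "photoviewer.dll"

# Constructed allowlist of (ip, port) destinations a viewer may legitimately
# reach, e.g. an internal image library. Empty in most environments.
ALLOWED_DESTINATIONS = {("10.0.0.25", 443)}


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def exe_name(image_path: str) -> str:
    """Lower-cased file name of a Sysmon Image / ParentImage field."""
    return PureWindowsPath(image_path).name.lower()


def is_image_viewer(image_path: str, command_line: str = "") -> bool:
    name = exe_name(image_path)
    if name in IMAGE_VIEWERS:
        return True
    return name == "rundll32.exe" and PHOTO_VIEWER_DLL in command_line.lower()


def analyze(events):
    """Return a list of Findings for the given Sysmon event records."""
    findings = []
    viewer_pids = set()  # PIDs of viewer processes seen in Event ID 1
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1:
            if is_image_viewer(image, ev.get("CommandLine", "")):
                viewer_pids.add(ev.get("ProcessId"))
            parent = ev.get("ParentImage", "")
            if is_image_viewer(parent, ev.get("ParentCommandLine", "")):
                findings.append(Finding(
                    "viewer-child-process", exe_name(parent),
                    f"spawned {exe_name(image)}: {ev.get('CommandLine', '')}"))
        elif eid == 3:
            # Only connections the process itself initiated (outbound).
            if str(ev.get("Initiated", "")).lower() != "true":
                continue
            # Event ID 3 carries no command line, so rundll32-hosted Photo
            # Viewer is matched through the PID recorded at process creation.
            if not (is_image_viewer(image) or ev.get("ProcessId") in viewer_pids):
                continue
            dst = (ev.get("DestinationIp", ""), ev.get("DestinationPort"))
            if dst in ALLOWED_DESTINATIONS:
                continue
            findings.append(Finding(
                "viewer-network-connection", exe_name(image),
                f"{ev.get('Protocol', '?')} to {dst[0]}:{dst[1]}"))
    return findings


# Constructed sample telemetry (not real events).
PV_CMD = (r'rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll",'
          r' ImageView_Fullscreen C:\Users\u\Downloads\pic.jpg')
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": r'"C:\Windows\System32\mspaint.exe" C:\Users\u\Downloads\photo.jpg',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\mspaint.exe",
     "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\mspaint.exe",
     "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "10.0.0.25", "DestinationPort": 443},  # allowlisted
    {"EventID": 1, "ProcessId": 4188, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ver",
     "ParentImage": r"C:\Windows\System32\mspaint.exe",
     "ParentCommandLine": r'"C:\Windows\System32\mspaint.exe" C:\Users\u\Downloads\photo.jpg'},
    {"EventID": 1, "ProcessId": 4300, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": PV_CMD, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 4300, "Image": r"C:\Windows\System32\rundll32.exe",
     "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"EventID": 3, "ProcessId": 5000, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},  # benign browser
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

Run against the sample events, the script reports the Paint process's outbound connection, the cmd.exe it spawned, and the rundll32-hosted Photo Viewer connection, while the allowlisted internal destination and the browser traffic are left alone. Feeding it real data means converting Sysmon XML or a SIEM export into dicts with the same field names.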

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.