CloudEyE, an evolved version of DarkEyE, allows threat actors to use different types of malware of their choice and make it undetectable to anti-virus solutions. This program is being sold by legitimate Italian company which markets it as a tool for developers that want to protect their program from piracy and reverse engineering. The tutorials published and forum posts about …

DLL proxying is a technique used by malware to evade detection and gain persistence on a system. It involves replacing a legitimate DLL with a malicious DLL that has the same exported functions and is named similarly to the legitimate DLL.

When a program attempts to load the legitimate DLL, it will instead load the malicious DLL, which acts …

Avoiding Memory Scanners is a technique that enables malware creators to bypass the detection of endpoint security software and reverse engineers by using memory scanning to locate shellcode and malware in Windows memory.

The technique involves understanding how memory scanners work and implementing a stable evasion method for each of the memory scanning tools, such as PE-sieve, MalMemDetect, Moneta, …

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.

Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, …

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable …