{"id":12036,"date":"2025-03-11T14:00:28","date_gmt":"2025-03-11T14:00:28","guid":{"rendered":"\/cybersecurity-blog\/?p=12036"},"modified":"2025-03-19T06:51:02","modified_gmt":"2025-03-19T06:51:02","slug":"five-common-malware-evasion-techniques","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/","title":{"rendered":"5 Common Evasion Techniques in Malware\u00a0"},"content":{"rendered":"\n<p>Cybercriminals are constantly refining their methods to stay one step ahead of security defenses. One of their key tactics is evasion, a set of techniques designed to hide malicious activity, bypass detection, and make investigations much more difficult for security teams.&nbsp;<\/p>\n\n\n\n<p>Over time, attackers have developed countless evasion techniques, and they continue to evolve as cybersecurity measures improve. Some methods exploit trusted system processes, while others rely on cleverly disguising malicious code to slip past defenses unnoticed.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s take a closer look at some of the most commonly used evasion techniques and see how they play out in real-world scenarios inside <a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_evasion_techniques&amp;utm_term=110325&amp;utm_content=linktoregistration#register\/\" target=\"_blank\" rel=\"noreferrer noopener\">our secure sandbox<\/a>, helping businesses detect threats faster, strengthen defenses, and minimize security risks before they cause damage.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What You Should Know About Evasion Techniques&nbsp;<\/h2>\n\n\n\n<p>When you&#8217;re defending your company&#8217;s network, one of the trickiest things you&#8217;ll face is attackers using evasion techniques. 
These are deliberately designed to stay under your radar, hiding malware and suspicious activity from detection tools and making incident response even tougher.&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">Cybercriminals use evasion techniques to:<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>Avoid detection by security tools and analysts.<\/li>\n      <li>Extend dwell time inside compromised networks.<\/li>\n      <li>Increase the success rate of malware delivery.<\/li>\n      <li>Make investigations more challenging for security teams.<\/li>\n      <li>Reduce the risk of their operations being uncovered.<\/li>\n      <li>Enhance persistence and maintain long-term access to systems.<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n\n<p>Knowing how these evasion tactics work can help your security team spot threats sooner, respond faster, and avoid major disruptions to your business.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Attackers Stay Hidden: Key Evasion Techniques&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s have a look at some of the most commonly used evasion techniques and how they work in 
real-world attacks:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. T1027.003: Steganography&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">Steganography<\/a> is a sneaky way cybercriminals hide malicious data right inside harmless-looking images. Unlike encryption, which openly scrambles data to make it unreadable, steganography is all about staying invisible.&nbsp;<\/p>\n\n\n\n<p>With this technique, attackers embed malware inside the images you&#8217;d never suspect. Because the hidden code blends seamlessly into regular files, traditional security software rarely spots it. That\u2019s exactly why steganography has become such a popular and dangerous method attackers use to quietly slip past your defenses.&nbsp;<\/p>\n\n\n\n<p>By analyzing suspicious files in <a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_evasion_techniques&amp;utm_term=110325&amp;utm_content=linktoregistration#register\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s interactive sandbox<\/a>, you can quickly uncover hidden threats and figure out exactly what techniques attackers are using.&nbsp;<\/p>\n\n\n\n<p>Let&#8217;s dive into a real-world example, and see step-by-step how to spot steganography quickly and easily without breaking a sweat.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/068db7e4-6ff2-439a-bee8-06efa7abfabc\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_evasion_techniques&amp;utm_term=110325&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1024x585.png\" alt=\"\" 
class=\"wp-image-12064\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1024x585.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-1536x878.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-2048x1170.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/1-740x423.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Steganography campaign starting with a phishing PDF<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In this analysis session, attackers used a phishing PDF to trick users into downloading a malicious registry file. 
&nbsp;<\/p>\n\n\n\n<p>Once executed, the file added a hidden script to the system registry, automatically launching on reboot.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"714\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-1024x714.png\" alt=\"\" class=\"wp-image-12065\" style=\"width:600px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-1024x714.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-300x209.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-768x535.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-370x258.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-270x188.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2-740x516.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/2.png 1420w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Autorun value change in the registry detected by ANY.RUN<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Once the system restarts, a registry entry quietly triggers PowerShell to download a VBS script from a remote server. 
In ANY.RUN\u2019s sandbox, you can easily track this action by inspecting the PowerShell process from the right side of the screen.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-1024x587.png\" alt=\"\" class=\"wp-image-12066\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-1024x587.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-1536x880.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-2048x1173.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/3-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Powershell.exe downloading a VBS file inside a secure environment<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Next, the downloaded script fetches a regular-looking image file, which secretly contains a hidden DLL payload. 
&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"623\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-1024x623.png\" alt=\"\" class=\"wp-image-12067\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-1024x623.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-1536x934.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-2048x1246.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/4-740x450.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image with malicious DLL payload detected by ANY.RUN<\/em> &nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>With ANY.RUN, you can quickly pinpoint exactly where the malware hides within the file. 
By exposing hidden payloads like <a href=\"https:\/\/any.run\/malware-trends\/xworm\" target=\"_blank\" rel=\"noreferrer noopener\">XWorm<\/a>, security teams can accelerate threat detection, reduce incident response time, and prevent costly breaches before they escalate.&nbsp;<\/p>\n\n\n\n<p>Inspecting the image\u2019s HEX data reveals a clear marker (&lt;&lt;BASE64_START&gt;&gt;) and encoded executable code, confirming the use of steganography to conceal the malicious XWorm payload.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"793\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-1024x793.png\" alt=\"\" class=\"wp-image-12068\" style=\"width:542px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-1024x793.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-300x232.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-768x595.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-370x286.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-270x209.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5-740x573.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/5.png 1444w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Static analysis of the malicious image<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>When extracted, the hidden malware deploys XWorm, granting attackers remote control over the infected system.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. T1562.001: Disable or Modify Tools&nbsp;<\/h3>\n\n\n\n<p>Cybercriminals often attempt to disable or interfere with security software to ensure their malicious activities go unnoticed. 
By disrupting or modifying security tools, attackers can prevent detection, maintain ongoing access, and carry out their goals without interruption.&nbsp;<\/p>\n\n\n\n<p>They might achieve this by terminating antivirus processes, altering registry settings, or adding exclusions so their malware bypasses detection entirely.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/37cc442f-a83b-4417-a850-d7c93db0fbdb?p=67c9a2ac38f6b1d2ae6a353e\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_evasion_techniques&amp;utm_term=110325&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session with T1562.001 technique<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2756\" height=\"1578\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-1024x586.png\" alt=\"\" class=\"wp-image-12070\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-1024x586.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-1536x879.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-2048x1173.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/6-740x424.png 740w\" sizes=\"(max-width: 2756px) 100vw, 2756px\" \/><figcaption class=\"wp-element-caption\"><em>Adding extension to the Windows Defender exclusion list inside<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In an analysis session conducted in the ANY.RUN sandbox, cyber criminals specifically targeted 
Windows Defender. &nbsp;<\/p>\n\n\n\n<p>They used the legitimate system tool&nbsp;sihost.exe&nbsp;(PID 2420) to quietly add file extensions to Windows Defender\u2019s exclusion list. This prevented the security software from scanning certain malicious files, allowing the attacker\u2019s payload to execute without being flagged.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"709\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-1024x709.png\" alt=\"\" class=\"wp-image-12071\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-1024x709.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-300x208.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-768x532.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-1536x1064.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-2048x1418.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-370x256.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-270x187.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-435x300.png 435w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/7-740x513.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sihost.exe with its conducted processes<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>You can also view the full map of <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE ATT&amp;CK techniques<\/a> related to any analysis session. 
This gives security teams instant clarity on attack tactics, helping businesses speed up investigations.&nbsp;<\/p>\n\n\n\n<p>Simply click the&nbsp;<strong>&#8220;ATT&amp;CK&#8221;<\/strong>&nbsp;button in the upper-right corner inside ANY.RUN to learn more about specific evasion techniques.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"454\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-1024x454.png\" alt=\"\" class=\"wp-image-12072\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-1024x454.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-300x133.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-768x341.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-1536x682.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-2048x909.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-370x164.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-270x120.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/8-740x328.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>MITRE ATT&amp;CK Matrix techniques displayed inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">3. T1140: Deobfuscate\/Decode Files or Information&nbsp;<\/h3>\n\n\n\n<p>Attackers often conceal their malware using encoding or obfuscation methods to avoid detection. One common technique is encoding malicious payloads in&nbsp;Base64, turning recognizable code into what appears as harmless, random text. 
This method helps attackers bypass traditional security tools that might otherwise flag suspicious files or scripts.&nbsp;<\/p>\n\n\n\n<p>When the malware reaches the victim\u2019s system, it gets decoded or deobfuscated back into executable form, allowing the attack to continue undetected. Because encoded data initially looks innocent, standard security scans often miss these threats entirely, giving cybercriminals the opportunity to quietly deliver and execute their malware.&nbsp;<\/p>\n\n\n\n<p>Attackers commonly use several methods to obfuscate or encode malicious files, 
including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Base64 encoding:<\/strong>&nbsp;Converts malware into text strings that seem harmless and difficult to detect.&nbsp;<\/li>\n<li><strong>Encryption:<\/strong>&nbsp;Scrambles the payload, making it unreadable without a specific key.&nbsp;<\/li>\n<li><strong>Compression:<\/strong>&nbsp;Reduces file size and disguises malicious code, making detection harder.&nbsp;<\/li>\n<li><strong>String Obfuscation:<\/strong>&nbsp;Breaks recognizable text or commands into fragmented, obscure parts.&nbsp;<\/li>\n<li><strong>Packing:<\/strong>&nbsp;Embeds malware within compressed or protected executables that unpack at runtime.&nbsp;<\/li>\n<li><strong>Script Obfuscation:<\/strong>&nbsp;Uses complex or confusing scripts to hide malicious intent.&nbsp;<\/li>\n<li><strong>Character Substitution:<\/strong>&nbsp;Replaces clear commands or URLs with unusual or encoded characters to evade simple scans.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/458b7bf2-0a16-4749-bbd9-97bc1f475f2e\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_evasion_techniques&amp;utm_term=110325&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session with T1140 technique<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"690\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/9-1024x690.png\" alt=\"\" class=\"wp-image-12074\" style=\"width:546px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/9-1024x690.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/9-300x202.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/9-768x518.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/9-370x249.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/9-270x182.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/9-740x499.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/9.png 1056w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Decoding of a binary file from Base64 detected by ANY.RUN<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In this ANY.RUN analysis session, attackers used this exact method (PID 1164), decoding a malicious binary file from Base64. &nbsp;<\/p>\n\n\n\n<p>Using ANY.RUN\u2019s&nbsp;<strong>Script Tracer<\/strong>&nbsp;feature, analysts can immediately identify and visualize the decoded content, revealing the previously hidden malicious activity clearly and quickly, allowing security teams to accelerate threat response, minimize damage, and prevent further compromise.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"583\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-1024x583.png\" alt=\"\" class=\"wp-image-12075\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-1024x583.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-768x437.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-1536x874.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-2048x1166.png 2048w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/10-740x421.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Script Tracer revealing the decoded content<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">4. T1564.003: Hidden Window&nbsp;<\/h3>\n\n\n\n<p>Attackers often use hidden windows to quietly carry out malicious activities without users noticing. Normally, when an application runs, it opens a visible window, alerting users to its presence. However, cybercriminals leverage built-in system and scripting features to hide these windows, making their actions virtually invisible.&nbsp;<\/p>\n\n\n\n<p>Common methods attackers use include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>PowerShell Commands<\/strong>: Using commands like&nbsp;powershell.exe -WindowStyle Hidden&nbsp;to execute scripts without displaying a window.&nbsp;<\/li>\n<li><strong>Visual Basic and JScript<\/strong>: Employing script functions specifically designed to launch processes silently in the background.&nbsp;<\/li>\n<li><strong>Hidden Startup Processes<\/strong>: Configuring malware to run silently upon system reboot, with no visible window or notification.&nbsp;<\/li>\n<li><strong>macOS plist Manipulation<\/strong>: Editing macOS property list (plist) files to prevent apps from appearing visibly in the dock, thus hiding malicious activities.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a 
href=\"https:\/\/app.any.run\/tasks\/f7791536-5b54-4177-a9a3-efd82f2a10de\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_evasion_techniques&amp;utm_term=110325&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session with T1564.003 technique<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"584\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/11-1024x584.png\" alt=\"\" class=\"wp-image-12076\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/11-1024x584.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/11-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/11-768x438.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/11-1536x876.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/11-2048x1168.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/11-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/11-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/11-740x422.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>T1564.003 evasion technique detected inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In a real-world ANY.RUN sandbox analysis, attackers executed PowerShell using an invisible window to conceal malicious activities. 
Specifically, they ran the following command:&nbsp;<\/p>\n\n\n\n<p><strong>&#8220;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe&#8221; -NoProfile -ExecutionPolicy Bypass -Command &#8220;&lt;malicious_script&gt;&#8221;&nbsp;<\/strong><\/p>\n\n\n\n<p>This command executes silently without displaying any visual indicators. The script itself attempts to disable Windows Defender by downloading and executing a batch file (source.bat) quietly in the background. &nbsp;<\/p>\n\n\n\n<p>Next, it downloads a rootkit named&nbsp;MasonRootkit.exe&nbsp;from a remote GitHub repository and launches it silently, either with elevated privileges (RunAs) or as a regular user, depending on the conditions set in the script.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"805\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-1024x805.png\" alt=\"\" class=\"wp-image-12077\" style=\"width:526px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-1024x805.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-300x236.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-768x604.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-370x291.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-270x212.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12-740x582.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/12.png 1058w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Dangerous activity detected inside ANY.RUN VM<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Because the entire process happens invisibly, most users see no unusual windows or alerts. 
Security teams using ANY.RUN can quickly uncover such hidden activities by examining detailed process execution logs and script behaviors, helping companies promptly respond to and mitigate the threat.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. T1218.010: Regsvr32&nbsp;<\/h3>\n\n\n\n<p>Cybercriminals frequently misuse trusted system utilities like&nbsp;<strong>Regsvr32.exe<\/strong>&nbsp;to quietly execute malicious DLL payloads. Since Regsvr32 is a legitimate Windows tool typically used for registering DLL files, its misuse often goes unnoticed by antivirus software and security tools.&nbsp;<\/p>\n\n\n\n<p>Attackers exploit this built-in utility to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Silently execute malicious DLL files.&nbsp;<\/li>\n<li>Evade application control policies and antivirus detections.&nbsp;<\/li>\n<li>Maintain stealthy persistence on compromised systems.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/243ece88-39ce-43d7-b0a7-203d99e0e2fd\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_evasion_techniques&amp;utm_term=110325&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session with T1218.010 technique<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/13-1-1024x587.png\" alt=\"\" class=\"wp-image-12079\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/13-1-1024x587.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/13-1-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/13-1-768x441.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/13-1-1536x881.png 
1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/13-1-2048x1175.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/13-1-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/13-1-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/13-1-740x425.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Execution of malicious DLL payload<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In this analysis session conducted in the ANY.RUN sandbox, the victim installed the application&nbsp;ManyCam, which dropped a suspicious DLL file (VideoSrcvbm.dll) into its program directory.&nbsp;<\/p>\n\n\n\n<p>The attackers then leveraged the trusted Windows utility&nbsp;<strong>Regsvr32.exe<\/strong>&nbsp;to quietly execute this malicious DLL: regsvr32 \/s &#8220;C:\\Program Files (x86)\\ManyCam\\Bin\\VideoSrcvbm.dll&#8221;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"481\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-1024x481.png\" alt=\"\" class=\"wp-image-12080\" style=\"width:580px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-1024x481.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-300x141.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-768x361.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-370x174.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-270x127.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14-740x348.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/14.png 1060w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><figcaption class=\"wp-element-caption\"><em>Suspicious DLL file dropped <\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Because this DLL execution used the legitimate&nbsp;Regsvr32.exe&nbsp;tool, it avoided standard security detections, allowing attackers to maintain stealth and persist unnoticed.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Quick Detection of Evasion Techniques with ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>As we can see, one of the fastest ways to uncover evasion techniques is by analyzing suspicious files using the ANY.RUN sandbox. &nbsp;<\/p>\n\n\n\n<p>Within seconds, ANY.RUN visually maps the complete attack flow, clearly displaying all relevant MITRE ATT&amp;CK tactics and techniques involved. This helps security teams quickly understand attack patterns, prioritize threats, and make faster, data-driven response decisions to protect business assets.&nbsp;<\/p>\n\n\n\n<p>To quickly understand the techniques used in a particular attack :&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open your analysis session in the ANY.RUN sandbox.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/15-1-1024x587.png\" alt=\"\" class=\"wp-image-12082\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/15-1-1024x587.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/15-1-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/15-1-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/15-1-1536x881.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/15-1-2048x1174.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/15-1-370x212.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/15-1-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/15-1-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Click on the&nbsp;<strong>&#8220;ATT&amp;CK&#8221;<\/strong>&nbsp;button located in the upper-right corner.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"309\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/16-2-1024x309.png\" alt=\"\" class=\"wp-image-12086\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/16-2-1024x309.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/16-2-300x91.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/16-2-768x232.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/16-2-370x112.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/16-2-270x82.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/16-2-740x224.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/16-2.png 1278w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Instantly view a detailed map of the attacker\u2019s tactics and techniques.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"443\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-1024x443.png\" alt=\"\" class=\"wp-image-12083\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-1024x443.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-300x130.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-768x332.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-1536x664.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-2048x886.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-370x160.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-270x117.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/17-740x320.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Click any technique for an in-depth explanation, additional context, and deeper insights.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"713\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/18-1024x713.png\" alt=\"\" class=\"wp-image-12084\" style=\"width:582px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/18-1024x713.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/18-300x209.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/18-768x535.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/18-370x258.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/18-270x188.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/18-740x516.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/18.png 1418w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>Cybercriminals continuously refine their evasion tactics, making threat detection and response harder. 
Techniques like&nbsp;steganography, disabling security tools, script obfuscation, hidden windows, and Regsvr32 abuse&nbsp;allow attackers to bypass defenses and maintain access.&nbsp;<\/p>\n\n\n\n<p>For&nbsp;businesses and security teams, recognizing these tactics is important to&nbsp;protect sensitive data, maintain compliance, and prevent costly breaches. Without clear visibility into attacker methods, organizations risk financial loss, reputational damage, and prolonged intrusions.&nbsp;<\/p>\n\n\n\n<!-- CTA Split START -->\n<div class=\"cta-split\">\n<div class=\"cta__split-left\">\n\n<!-- Image -->\n<img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/mcusercontent.com\/663b94f19348582a8dc323efe\/images\/0d88188b-3e89-2314-5a60-cb87e8077326.png\" alt=\"ANY.RUN cloud interactive sandbox interface\" class=\"cta__split-icon\" \/>\n<\/div>\n\n<div class=\"cta__split-right\">\n<div>\n\n<!-- Heading -->\n<h3 class=\"cta__split-heading\"><br>Sandbox for Businesses<\/h3>\n\n<!-- Text -->\n<p class=\"cta__split-text\">\nDiscover all features of the <span class=\"highlight\">Enterprise plan<\/span> designed for businesses and large security teams.\n<br \/>\n<\/p>\n<\/div>\n<!-- CTA Link -->\n<a target=\"_blank\" rel=\"noopener\" id=\"article-banner-split\" href=\"https:\/\/any.run\/cybersecurity-blog\/anyrun-for-enterprises\/\"><div class=\"cta__split-link\">See details<\/div><\/a>\n<\/div>\n<\/div>\n<!-- CTA Split END -->\n<!-- CTA Split Styles START -->\n<style>\n.cta-split {\noverflow: hidden;\nmargin: 3rem 0;\ndisplay: grid;\njustify-items: center;\nborder-radius: 0.5rem;\nwidth: 100%;\nmin-height: 25rem;\ngrid-template-columns: repeat(2, 1fr);\nborder: 1px solid rgba(75, 174, 227, 0.32);\nfont-family: 'Catamaran Bold';\n}\n\n.cta__split-left {\ndisplay: flex;\nalign-items: center;\njustify-content: center;\nheight: 100%;\nwidth: 100%;\nbackground-color: #161c59;\nbackground-position: center center;\nbackground: rgba(32, 168, 241, 0.1);\n}\n\n.cta__split-icon { 
\nwidth: 100%;\nheight: auto;\nobject-fit: contain;\nmax-width: 100%;\n}\n\n.cta__split-right {\ndisplay: flex;\nflex-direction: column;\njustify-content: space-between;\npadding: 2rem;\n}\n\n.cta__split-heading { font-size: 1.5rem; }\n\n.cta__split-text {\nmargin-top: 1rem;\nfont-family: Lato, Roboto, sans-serif;\n}\n\n.cta__split-link {\npadding: 0.5rem 1rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: white;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\ndisplay: block;\nz-index: 1000;\nposition: relative;\ncursor: pointer !important;\n}\n\n.cta__split-link:hover {\nbackground-color: #68CBFF;\ncolor: white;\ncursor: pointer;\n}\n\n.highlight { color: #ea2526;}\n\n\n\/* Mobile styles START *\/\n@media only screen and (max-width: 768px) {\n\n.cta-split {\ngrid-template-columns: 1fr;\nmin-height: auto;\n}\n\n.cta__split-left {\nheight: auto;\nmin-height: 10rem;\n}\n\n\n.cta__split-left, .cta__split-right {\nheight: auto;\n}\n\n.cta__split-heading { font-size: 1.2rem; }\n\n.cta__split-text { font-size: 1rem; }\n.cta__split-icon {\nmax-height: auto;\nobject-fit: cover;\n}\n\n}\n\/* Mobile styles END *\/\n<\/style>\n<!-- CTA Split Styles END -->\n\n\n\n<p><a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_evasion_techniques&amp;utm_term=110325&amp;utm_content=linktoregistration#register\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s interactive sandbox<\/a> gives&nbsp;you&nbsp;the&nbsp;real-time visibility&nbsp;you need to detect even the most advanced evasion techniques. 
Within seconds, you can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>See the full attack flow&nbsp;mapped with MITRE ATT&amp;CK techniques.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Analyze suspicious files&nbsp;in an isolated environment without risk to your network.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect hidden threats&nbsp;that traditional security tools might miss.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Get instant insights&nbsp;to improve response times and mitigate risks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Generate well-structured reports&nbsp;with&nbsp;IOCs and key findings, making it easy to share crucial threat intelligence with your team.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_evasion_techniques&amp;utm_term=110325&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. 
Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_evasion_techniques&amp;utm_term=110325&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request trial of ANY.RUN&#8217;s services for your company \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are constantly refining their methods to stay one step ahead of security defenses. 
One of their key tactics is evasion, a set of techniques designed to hide malicious activity, bypass detection, and make investigations much more difficult for security teams.&nbsp; Over time, attackers have developed countless evasion techniques, and they continue to evolve as [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":12249,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[10,15,34],"class_list":["post-12036","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-cybersecurity","tag-malware","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>5 Common Evasion Techniques in Malware\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Explore how malware evades detection using steganography, obfuscation, Regsvr32 abuse, and other techniques with real-world samples.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"y.shvetsov\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/\"},\"author\":{\"name\":\"y.shvetsov\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"5 Common Evasion Techniques in Malware\u00a0\",\"datePublished\":\"2025-03-11T14:00:28+00:00\",\"dateModified\":\"2025-03-19T06:51:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/\"},\"wordCount\":2090,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"cybersecurity\",\"malware\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/\",\"name\":\"5 Common Evasion Techniques in Malware\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-03-11T14:00:28+00:00\",\"dateModified\":\"2025-03-19T06:51:02+00:00\",\"description\":\"Explore how malware evades detection using steganography, obfuscation, Regsvr32 abuse, and other techniques with real-world 
samples.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"5 Common Evasion Techniques in Malware\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"y.shvetsov\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g\",\"caption\":\"y.shvetsov\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/y-shvetsov\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"5 Common Evasion Techniques in Malware\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","description":"Explore how malware evades detection using steganography, obfuscation, Regsvr32 abuse, and other techniques with real-world samples.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/","twitter_misc":{"Written by":"y.shvetsov","Est. 
reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/"},"author":{"name":"y.shvetsov","@id":"https:\/\/any.run\/"},"headline":"5 Common Evasion Techniques in Malware\u00a0","datePublished":"2025-03-11T14:00:28+00:00","dateModified":"2025-03-19T06:51:02+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/"},"wordCount":2090,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["cybersecurity","malware","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/","url":"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/","name":"5 Common Evasion Techniques in Malware\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-03-11T14:00:28+00:00","dateModified":"2025-03-19T06:51:02+00:00","description":"Explore how malware evades detection using steganography, obfuscation, Regsvr32 abuse, and other techniques with real-world 
samples.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"5 Common Evasion Techniques in Malware\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"y.shvetsov","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g","caption":"y.shvetsov"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/y-shvetsov\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12036"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=12036"}],"version-history":[{"count":25,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12036\/revisions"}],"predecessor-version":[{"id":12172,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12036\/revisions\/12172"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/medi
a\/12249"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=12036"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=12036"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=12036"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}