Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
New Windows Attack Method Evades Leading Security Tools

New Windows Attack Method Evades Leading Security Tools

Posted on July 10, 2026 By CWS

A groundbreaking Windows attack technique has surfaced, demonstrating how malicious actors can embed harmful code into legitimate processes while eluding detection by prominent endpoint security solutions. This method, known as Process Parameter Poisoning, represents a novel approach by leveraging data typically used when Windows initiates a program, rather than directly injecting code into another process.

Understanding the Technique

Although the research is not linked to any active malware or confirmed attacks, it is significant as process injection is a common tactic used by malware to blend in with trusted programs, masking its activities. This technique can be adapted by attackers who already have a foothold on a Windows system, enabling them to execute code undetected.

Researchers from the GitHub project highlighted that their loader successfully bypassed detection in tests against four major Endpoint Detection and Response (EDR) tools. This discovery underscores a vulnerability in current defenses, which primarily focus on traditional memory-writing and process creation behaviors.

Technical Insights

Orange Cyberdefense, in a report shared with Cyber Security News, explained that the method stages shellcode within a new process’s startup data and modifies its primary thread to execute this code. The public project, P-Shellcode Loader, is intended as a piece of security research rather than a malicious tool.

Typically, process injection involves recognizable steps, such as opening a target process, allocating memory, writing the code, and initiating a thread. Security software often flags these operations. However, the new approach utilizes the CreateProcessW function to copy command-line data, environment variables, and startup settings into the Process Environment Block (PEB), effectively “poisoning” a process parameter.

Implications for Cybersecurity

The loader exploits the command line, environment block, or lpReserved startup field, which Windows maps to ShellInfo. By reading the target process’s PEB and finding the stored data with memory-read functions, it circumvents conventional remote-memory allocation and writing calls that many EDR systems detect.

Once the program starts, the technique alters memory permissions to execute the payload. Instead of creating a remote thread, it modifies the instruction pointer of the new process’s main thread using NtSetContextThread, thus steering regular program execution towards the injected code.

Tests revealed that the loader does not need to suspend the target process, a common sign of process hollowing techniques. This reduction in visible operations diminishes the trail left for behavior-based defenses, although it does not completely conceal the activity.

Enhancing Detection Strategies

This research highlights the need for security teams to extend their focus beyond conventional alerts for memory allocation and remote-thread creation. Monitoring should include unusual CreateProcessW inputs, such as unexpectedly long command lines and abnormal environment data.

Combining process creation with rapid thread-context changes can expose broader attack sequences. Security professionals should scrutinize processes whose startup parameters do not align with expected roles, particularly when followed by NtQueryInformationProcess queries and PEB reads.

The proof of concept demonstrates limitations, such as the inability to copy raw shellcode with null bytes intact, addressed by generating code without null bytes and using staged routines to rebuild payloads. For defenders, validating detections against this pattern and expanding telemetry around process startup data is essential. While application allowlisting and least-privilege controls cannot eliminate this threat, they can mitigate the risk of code execution.

Cyber Security News Tags:cyber defense, cyber threat, Cybersecurity, EDR evasion, endpoint detection, malware techniques, process creation, process environment block, process injection, process parameter poisoning, security research, security tools, shellcode injection, thread manipulation, Windows security

Post navigation

Previous Post: Injective Labs GitHub Breach Exposes Crypto Wallets

Related Posts

ASP.NET Developers Targeted by Malicious NuGet Packages ASP.NET Developers Targeted by Malicious NuGet Packages Cyber Security News
Google Enhances Chrome Security with Device-Bound Sessions Google Enhances Chrome Security with Device-Bound Sessions Cyber Security News
Dark Web Job Market Evolved Dark Web Job Market Evolved Cyber Security News
Iranian Group Utilizes SEO Tactics for Malware Distribution Iranian Group Utilizes SEO Tactics for Malware Distribution Cyber Security News
1000+ Exposed N-able N-central RMM Servers Unpatched for 0-Day Vulnerabilities 1000+ Exposed N-able N-central RMM Servers Unpatched for 0-Day Vulnerabilities Cyber Security News
Sharepoint 0-day, Vmware Exploitation, Threats and Cyber Attacks Sharepoint 0-day, Vmware Exploitation, Threats and Cyber Attacks Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • New Windows Attack Method Evades Leading Security Tools
  • Injective Labs GitHub Breach Exposes Crypto Wallets
  • AI Gateways: Emerging Targets for Cyber Attacks
  • Hacker Server Leak Unveils Massive WordPress Breach
  • Critical Linux FUSE Flaw Allows Root Access

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • New Windows Attack Method Evades Leading Security Tools
  • Injective Labs GitHub Breach Exposes Crypto Wallets
  • AI Gateways: Emerging Targets for Cyber Attacks
  • Hacker Server Leak Unveils Massive WordPress Breach
  • Critical Linux FUSE Flaw Allows Root Access

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark