Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
ID: af1d1eb5-3e31-5122-af4e-1cceb6378554
STIX ID: report--af1d1eb5-3e31-5122-af4e-1cceb6378554
Feed Name: Fox-IT blog
This blog post describes a Fox-IT research project that implements a custom bytecode virtual machine combined with an in-place instruction encryption scheme and a polymorphic mutation engine to execute position-independent payloads entirely in memory. The system supports transpiling C/C++ into bytecode, native API calls, DLL embedding, multi-VM execution to interleave benign events, and payload staging—techniques intended to evade static signatures and dynamic heuristic/EDR detections and reported as effective in red-team/TIBER engagements.
