Features
The recruitment process
Those famously unbiased, next‑gen XDR/NGAV solutions that never miss a thing
LLVM-EX howto
A kernel‑level network connection hiding malware
A great invasion of your privacy
Data breach
Kernel-mode anti-cheat
HEX DEREF ANTI-MALWARE X: Zero-Trust mode at the application/process level
An unknown malware threat - UNKNOWN-123
- Browsing history including Tor-browser
- Process list
- Processes command‑line data and network connections
- Internal network URLs may also end up being sent, since it may not be able to tell internal addresses apart from external ones
- File history
OV code‑signing
EV code‑signing
Usually files are named according to what they relate to. For example Supplier_shipments_03-2025.xlsx or Packaging_equipment_project_xyz.xlsx. It all depends on the company's naming standard. When a traditional anti-virus solution performs a "Scan all files" operation (IoC), it could, in principle, enable industrial espionage without the user's awareness, based solely on file names.
To my understanding, no endpoint protection product or kernel-level anti-cheat mechanism is permitted to transmit any files from a device without first obtaining explicit user consent; doing so would be functionally comparable to an information-stealing malware. In many products, automatic sample submission is enabled by default.
As a result, personal data may be sent from your device. At some point you have to trust something. The test malware mentioned in the article does not send anything out from the device — and even if it did, the data it sends is not used for any malicious purpose. There are no guarantees about how the data is used or who can access it, despite the polished privacy statements. And if we consider features like protected folders, that alone would already point to a very clear place to start…
Data breachKernel-mode anti-cheat
Using a tool like llvm-msvc-ex to virtualize your malware can significantly increase the complexity of reverse engineering or modifying the code. This is because virtualization techniques, such as control flow flattening, bogus control flow, and VM-based obfuscation, make the malware harder to analyze and understand. These techniques can deter attackers or researchers from tampering with or reverse engineering the malware. With the right LLVM-EX obfuscation passes, a C/C++ malware sample automatically becomes a unique version that pretty much evades all malware analysis sandboxes. Reversing an LLVM‑virtualized piece of malware (especially reversing the C2 communication) requires significant expertise, time, and money. It demands a highly skilled professional team. As a loader-type malware, each version is automatically unique (string encryption and so on). Static detection therefore lags far behind, and based on my initial tests, this got through of all enterprise solutions — even those that proudly advertise themselves as so‑called leading solutions. Likely renders even a sophisticated sandbox largely ineffective, ultimately forcing a dynamic analysis.
Note that this LLVM‑EX version has been modified so that it can virtualize only the functions you choose. Because if we're talking about a P2C, you obviously can't obfuscate the entire executable for reasons that should be quite self‑evident. Sandbox environments static analysis may interpret this as a polymorphic malware. 1-3/72 security vendors flagged this file as malicious so I almost defeated every static analysis sandbox. So much for a 100% detection. I tested them all with an unknown threat. A sophisticated modularized info-stealing malware written in C/C++.
Those famously unbiased, next‑gen XDR/NGAV solutions that never miss a thingHow can you do threat hunting for new, unknown threats with such limited or non-existent process and command‑line data — not to mention the missing process network connections? You can't easily determine the root cause of a breach at the process or device level if the device user or SOC doesn't have unrestricted access to this crucial information. Or can you? If you've read even a single analysis of a somewhat sophisticated ransomware strain, you'll know that even today's basic ramsonware variants wipe all logs and make forensic analysis on the disk extremely difficult, if not nearly impossible.
Full size
An endpoint security solution that doesn't even inform the user at a basic level about possible malware persistence has received full scores/awards in these tests. The site refers to an award‑winning solution. My intention was also to highlight the misleading product marketing used on these sites. This is highly questionable behavior and amounts to distorting fair competition. Customers end up purchasing a product that does not match the description advertised on the website. A malware analyst from the same company — or another one — writes an article about the malware's persistence. But why doesn't their own solution even notify the user that a process added persistence? Or maybe they sacrificed features for the sake of stability, leaving the product mostly with static detection.
Some endpoint security solutions advertise a 100% detection rate. Makes me wonder if there's some bias in these tests, since none of them answered my question about whether they have ever tested with previously unpublished malware that has no static detection. Whenever someone releases something for free, it undermines the competition. And then when you try to build something commercial around the same idea, the first thing people ask is: what makes yours better, and why should anyone pay for it — especially when Windows Defender is free. With investors, even garbage can turn into a scam.
An endpoint security solution that does not even alert the user about behavior that is clearly characteristic of malware, not even at the most basic level. This information has been publicly available for at least a decade, long before generative AI existed. So how is it possible that such a product has received perfect scores in every test?
Free anti-virus isn't actually free; the collected data covers the development costs — at least as far as I understand. Full scores have been achieved in several tests, and the product has become award‑winning. These tests are the basis on which people buy these products.
There is no solution on the market that achieves 100% detection. It is also important to note the misleading marketing claims found on various vendor websites, where long market presence is implied to equal superior protection. Market research shows that many, if not most, vendors sell multiple product versions under different names, even though the actual technical differences between them are often purely cosmetic. The screenshot below, captured during my unbiased testing, supports my claims.
The detections are primarily caused by a classic false positive caused by virtualization/obfuscation.
By reading the /r/Malware subreddit. It becomes clear that new malware and their variants emerges daily. An anti‑virus solution that relies solely on static signature‑based detection is a thing of the past. And honestly, if an endpoint protection product can't even alert the user when a program exhibits behavior typical of malware, that should raise serious concerns. What other approach besides kernel‑level allow‑listing based endpoint protection can realistically stay ahead of these threats? Solutions like HEX DEREF ANTI‑MALWARE X demonstrate why deeper, kernel‑integrated defenses matter.
An LLVM‑virtualized piece of malware can bypass virtually all static detection mechanisms and turn analysis into an excessively time‑consuming process (as shown above). Although competing vendors may publish articles about their malware‑analysis capabilities, my preliminary testing suggests that many of the issues highlighted in those write‑ups remain unaddressed in the actual product implementations. It reminds me of a situation where a professional team was hired to analyze malware but chose not to consult the developers responsible for the kernel‑level sensor — a rather puzzling decision.
When you look at the industry's marketing, certifications, and the flawless scores handed out by testing labs, it's easy to believe that today's security products are fully prepared for real‑world threats. But the reality is far less reassuring. When an actual, modern cyberattack strikes, all those polished numbers and promises evaporate in seconds. That's the moment when the thinness of the protective layer becomes painfully obvious — and it happens only after the damage is already done. Organizations discover too late that the tests never reflected real adversaries, and the marketing never told the whole story. A cyberattack doesn't wait for anyone to update reports or adjust scoring criteria. It exposes what works and what doesn't, and it does so only after the consequences are already irreversible.
You've positioned yourselves as some sort of authoritative entity — so isn't this exactly the kind of thing that borders on knowingly misleading investors? Not to mention undermining fair competition.
When I applied for these positions (for example, a Windows kernel sensor developer. This already requires highly specialized expertise), I attached a clear proof‑of‑concept video to my application — which, in most cases, was exactly what the job posting was asking for. I got the impression that these recruiters don't even conceptually understand how malware or endpoint protection works, and therefore have no real idea who they should be hiring.
In most cases I didn't receive even a basic reply. It made me wonder whether they're just using fake job postings to collect as much information for free as possible.
The skill set presented in this article doesn't seem to meet the expectations of these recruiters. The videos attached to the article were produced with the dedication of a single person over a long period of time, yet they still weren't good enough for those who only crave shallow, trivial content. Your product development simply can't keep up with the competition when you refuse to hire the right talent.
The recruitment process somehow seems to support the idea that sensitive data is being collected without permission under the pretext of various features — unless the entire solution has been deliberately designed for spying on the user in this case, the endpoint security solution ends up turning against the very company it was originally meant to protect.
Kernel‑level malware - Capable of hiding a network connection at the process level (Windows 10 22H2 - Windows 11 25H2)
- Block process network queries entirely, or only for a specific process PID
Hiding a process's network activity from other applications. Hide connections belonging to a specific browser or VPN process. This is a unique C/C++ user‑mode (UM) / (KM) Windows kernel‑driver implementation. This allows you to limit which user processes may request network connections. The kernel‑level equivalent of netstat -ano. It even works in a manually mapped driver. This isn't about hiding from the user — it's about hiding from malware. Even malware running with only standard user privileges can map internal network addresses and the processes that connect to them. And since the kernel‑level attack surface has been overlooked for years, the most severe ransomware attacks can still succeed. And now, with that same capability, it is also possible to hide the network activity of a RAT‑type malware including C2-communication.
Network connection hiding – Hide network connections from tools like netstat, and also from any other user‑mode processes that query connection information through the NSI layer. As a malware‑analysis feature, this is a useful capability. You can immediately see all user processes that are querying other processes network connections. It was a blind spot — a quiet for at least a decade, undocumented subsystem that malware could hook without triggering PatchGuard.
Isn't it strange that something like this still slips past of these endpoint security products, and yet the testers keep handing out perfect scores in every single test.
https://securelist.com/daemon-tools-backdoor/119654/This is precisely why HEX DEREF ANTI‑MALWARE X logs all process network connections into its database without restrictions, and why home users have the option to disable this feature — the solution respects user privacy, unlike all the others.
Does the reader now understand what this is about? Shouldn't the privacy statement clearly mention that it logs all process network connections? Think about a person who works remotely and connects from a home device to the company network. If it's, for example, remote support, the cybersecurity software on that device ‘sees' which company network process X connected to. In a wartime situation at the latest, the data that has been collected may start being used for cyberattacks.
This kind of thing has been running around undetected on both personal and corporate devices for, what, about a decade now on users devices without them having the slightest clue.
I published this project for several reasons. One of the reasons is to support my job applications. Secondly, something like this is needed for testing the logic of an endpoint security solution — and of course for unbiased XDR/NGAV endpoint security product testing. That is why the test project's UNKNOWN-123 source code is available for purchase as a software work for educational and informational purposes only — so you can literally see for yourselves that you have been sold nothing more than pseudo‑cybersecurity for years. Because NIS2, DORA, and GDPR require organizations to regularly test their cybersecurity posture, the author published this article using an advanced Red Team test malware that simulates real‑world cyberattacks.
The source code is sold as software work for APT simulation, which mirrors a real cyberattack. None of the endpoint security vendors have any sample of this. That's why the project is fittingly named UNKNOWN‑123.
FeaturesCoded in C/C++. It operates and performs actions depending on whether it is running as a regular user or with administrator privileges. The settings are configured in the Config.h file, meaning it cannot be identified based on command‑line parameters. LLVM‑EX virtualization makes every build unique, so static detection does not work against it.
- Anti-VM
- Anti-Debug
- Anti-Inject
- Anti‑Static analysis
- IAT Hiding
- Clipboard DATA
- Disk serials (NVMe etc.)
Anti-VM: Sandbox aware malware can render even a sophisticated sandbox largely ineffective, ultimately forcing a manual analysis. If malware detects that it is running in a virtual machine, it may refrain from executing any malicious actions.
All of these features are commonly used in commercial software to provide even a basic level of copy protection.”. For example, using the disk's serial number allows you to bind the license to a specific device. And for obvious reasons, any function related to copy‑protection must of course be virtualized.
If you have a company and your own legitimate EV code‑signing certificate, send me an email from your company address if you're interested in some kind of collaboration. Please also include your Telegram in the email. Thank you.