Introduction: When Trust in the Call Stack Becomes a Liability
For years, modern Endpoint Detection and Response (EDR) platforms have leaned heavily on Windows call stack analysis as a trusted signal for identifying malicious behavior. The logic was simple: if sensitive APIs are called from suspicious origins, defenders can trace the execution chain and stop the attack. New research into a technique called Moonwalk++ now challenges that assumption at a fundamental level. By allowing malware to forge realistic Windows call stacks while remaining encrypted during execution, Moonwalk++ reveals how deeply attackers can manipulate the very telemetry defenders rely on, exposing a dangerous detection gap in widely deployed security tools.
Summary of the Original Research
Moonwalk++ is an advanced malware evasion technique that enables attackers to fake Windows call stacks in memory, effectively misleading EDR products into believing malicious activity originates from legitimate system components. Building on earlier “Stack Moonwalking” research, the technique demonstrates that attackers can fully forge the call chain, redirecting attribution away from the actual payload and toward trusted Windows functions. This directly undermines security platforms, including Elastic Security, that depend on call stack inspection to flag suspicious API usage.
At a technical level, Moonwalk++ abuses Windows’ function call tracking mechanisms. Normally, when malware invokes sensitive APIs such as process creation, thread injection, or memory allocation, EDR tools inspect the call stack to determine which module initiated the request. Moonwalk++ manipulates this chain so the true attacker is hidden, while the call stack appears to originate from legitimate Windows binaries.
What makes Moonwalk++ especially dangerous is its ability to keep the malicious payload encrypted during execution. Earlier Stack Moonwalking techniques struggled with this limitation because encryption disrupted the strict execution patterns required to maintain a forged call stack. Moonwalk++ overcomes this barrier through sophisticated stack manipulation, allowing encryption and evasion to coexist.
In testing, researchers injected Moonwalk++ into trusted Windows processes such as OneDrive.exe and evaluated detection using popular open-source tools including Hunt-Sleeping-Beacons, Get-InjectedThreadEx, and Hollow’s Hunter. All failed to detect the malicious activity. The technique successfully removed direct references to malicious code, fabricated legitimate Windows origins, and concealed suspicious memory regions.
The findings highlight a growing problem in defensive strategy. Relying solely on call stack analysis creates a single point of failure that attackers can increasingly exploit. The researchers argue that defenders must move toward multi-layered detection strategies that include behavioral monitoring, memory analysis, and API usage profiling. To support defensive research, the authors released their proof-of-concept code publicly on GitHub, enabling the security community to study and adapt to these advanced evasion techniques.
What Undercode Says:
Call Stack Trust Is No Longer a Safe Assumption
The most important takeaway from Moonwalk++ is not the cleverness of the technique itself, but what it reveals about defender psychology. Call stacks have been treated as a near-ground-truth signal, especially for post-exploitation detection. Moonwalk++ proves that this trust can be systematically abused.
EDR Heuristics Are Becoming Predictable
Attackers did not stumble upon this weakness by accident. The heavy industry focus on stack-based detection has made EDR behavior increasingly predictable. Moonwalk++ feels less like a breakthrough and more like the natural evolution of offensive research responding to defensive monoculture.
Encryption During Execution Changes the Game
Earlier evasion techniques often forced attackers to choose between stealth and payload protection. Moonwalk++ removes that tradeoff. Encrypted execution combined with forged call stacks means malware can remain both hidden and resilient against memory scanning.
Legitimate Process Abuse Remains Highly Effective
The successful injection into OneDrive.exe reinforces a long-standing truth: trusted processes remain one of the most valuable assets for attackers. As long as EDR tools grant implicit trust based on process identity and call stack lineage, abuse of signed binaries will continue to scale.
Open-Source Detection Tools Lag Behind Reality
The failure of tools like Hunt-Sleeping-Beacons and Hollow’s Hunter is not an indictment of their developers, but a warning sign. Many defensive tools encode assumptions about attacker limitations that no longer hold true in modern threat models.
Memory Telemetry Is Still Underutilized
Moonwalk++ succeeds in part because defenders struggle to reason about live memory state at scale. Subtle anomalies in stack layout, memory permissions, and execution timing remain difficult to operationalize, leaving attackers room to maneuver.
Behavioral Context Matters More Than Origins
If defenders focus solely on where an API call appears to originate, they miss why it is happening. Behavioral context—frequency, timing, and correlation with other actions—offers a more resilient detection surface than origin tracing alone.
Multi-Layered Detection Is No Longer Optional
The research strongly reinforces a long-standing defensive principle: no single telemetry source is sufficient. Stack analysis, memory inspection, behavior analytics, and anomaly detection must be combined, not siloed.
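The layering argued for in the two points above, as an added example that is not code from the Moonwalk++ research or from any EDR product: a stack-origin check that a forged, legitimate-looking stack passes by construction, beside a per-thread behavioural correlation over the same telemetry that still flags the injection sequence. The module address map, the event stream and the use of Nt* API names as event labels are all constructed for the example.

```python
from collections import defaultdict

# Constructed loaded-image map for the inspected process, name -> (base, size);
# the addresses are invented for this example.
MODULES = {"ntdll.dll": (0x7FF800000000, 0x200000),
           "kernel32.dll": (0x7FF810000000, 0x100000),
           "OneDrive.exe": (0x140000000, 0x300000)}
# Sensitive APIs in the order a classic injection chain uses them.
INJECTION_CHAIN = ("NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx")

def module_of(addr):
    """Loaded image containing addr, or None if the address is unbacked."""
    return next((n for n, (b, s) in MODULES.items() if b <= addr < b + s), None)

def origin_suspicious(stack):
    """Layer 1, origin tracing: flag a return address outside any loaded image.
    A forged stack that resolves only to legitimate images passes this check."""
    return any(module_of(a) is None for a in stack)

def chain_present(apis):
    """True if INJECTION_CHAIN occurs as an ordered subsequence of apis."""
    pos = 0
    for api in apis:
        pos += api == INJECTION_CHAIN[pos]  # advance when the next expected API appears
        if pos == len(INJECTION_CHAIN):
            return True
    return False

def analyse(events, window=1.0):
    """Layer 2, behavioural correlation: per thread, look for the injection chain
    within a time window, regardless of where each call claims to originate."""
    alerts, per_thread = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # keys: ts (seconds), tid, api, stack
        per_thread[ev["tid"]].append(ev)
        recent = [e["api"] for e in per_thread[ev["tid"]] if ev["ts"] - e["ts"] <= window]
        for reason, hit in (("unbacked-return-address", origin_suspicious(ev["stack"])),
                            ("injection-chain", chain_present(recent))):
            if hit and (ev["tid"], reason) not in alerts:
                alerts.append((ev["tid"], reason))
    return alerts

# Constructed telemetry: thread 4 has an unbacked frame, thread 7 runs the full chain behind a stack that resolves only to legitimate images, thread 9 is benign.
LEGIT = [0x7FF800001000, 0x7FF810002000, 0x140005000]
SAMPLE_EVENTS = [
    {"ts": 0.0, "tid": 4, "api": "NtAllocateVirtualMemory", "stack": [0x7FF800001000, 0x1A2B3C4D0000]},
    {"ts": 10.0, "tid": 7, "api": "NtAllocateVirtualMemory", "stack": LEGIT},
    {"ts": 10.2, "tid": 7, "api": "NtWriteVirtualMemory", "stack": LEGIT},
    {"ts": 10.5, "tid": 7, "api": "NtCreateThreadEx", "stack": LEGIT},
    {"ts": 20.0, "tid": 9, "api": "NtAllocateVirtualMemory", "stack": LEGIT},
]
```

Running `analyse(SAMPLE_EVENTS)` flags thread 4 only through the origin layer and thread 7 only through the behavioural layer; tightening `window` below the spacing of the calls on thread 7 shows how timing assumptions alone can reopen the gap.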
Public Proof-of-Concepts Accelerate Defensive Maturity
By releasing the Moonwalk++ code publicly, the researchers have forced the industry to confront this weakness openly. While such releases carry risk, they also accelerate the hardening of detection logic across vendors and open-source projects.
The Arms Race Is Tilting Toward Sophistication
Moonwalk++ is not a mass-exploitation technique yet, but it signals where advanced threat actors are heading. As evasion becomes more surgical and environment-aware, defenders must abandon simplistic heuristics in favor of adaptive, data-driven models.
Fact Checker Results
✅ Moonwalk++ is a real research technique designed to forge Windows call stacks and evade EDR detection.
✅ Testing confirmed evasion against multiple widely used detection tools in controlled environments.
❌ There is no public evidence yet of Moonwalk++ being used in large-scale, real-world attacks.
Prediction
The techniques demonstrated by Moonwalk++ will rapidly influence next-generation malware frameworks ⚠️.
EDR vendors will respond by reducing reliance on call stack trust and increasing behavioral correlation 🔍.
Defenders who fail to adapt to post-stack evasion models will face growing detection blind spots 🚨.
References:
Reported By: cyberpress.org