research poc
Bloo Research Demonstrates Windows Defender Bypass Using XOR-Encrypted Metasploit Shellcode and Custom LoaderMSFDefender
Bloo's TRI team executed a research project to evaluate Windows Defender's detection of Metasploit payloads. They found that directly generated EXE payloads were blocked, but by exporting raw shellcode, applying XOR encryption, and using a custom C loader, they bypassed Defender's real-time protection and static scanning. The research also explored the Script Web Delivery module for fileless execution.