research poc
KaplaStrike Reflective Loader Bypasses EDR via Module Overloading, Call Stack Spoofing, and Sleep MaskingKaplaStrike
Lorenzo Meacci published a proof-of-concept reflective loader named KaplaStrike that combines multiple evasion techniques to bypass a leading EDR. The loader demonstrates module overloading with .pdata registration, NtContinue entry transfer, API call stack spoofing via Draugr, sleep masking, and Crystal Palace YARA signature removal. The research explains the rationale behind each technique to evade static and behavioral detection, including call stack inspection and userland ETW.