A new Moonwalk++ proof-of-concept (PoC) shows how malware can spoof Windows call stacks while keeping its payload encrypted in memory, evading EDR detections that rely on call stack telemetry.
The research highlights blind spots in stack-based telemetry increasingly relied on by enterprise defenders.
“Public detection tools fail entirely to recognize the call stack tampering,” said the researcher.
Moonwalk++ Shows the Limits of Stack-Based Detection
Moonwalk++ is a proof-of-concept evasion technique that does not exploit a specific vulnerability or CVE.
Instead, it targets assumptions embedded in modern endpoint detection and response (EDR) tooling, particularly those that rely on Windows call stack telemetry to identify code injection, shellcode execution, and post-exploitation behavior.
Any organization that places significant defensive weight on call stack validation, module provenance, or stack unwinding heuristics could be affected if similar techniques are incorporated into real-world malware.
Researchers at Elastic Security have published guidance on detecting malicious call stacks by checking that each return address is preceded by a CALL instruction, confirming that every frame resolves to a trusted loaded module, and analyzing the memory characteristics of the regions involved.
Moonwalk++ was explicitly designed to evade protections built on this approach, demonstrating how mature detection logic can itself become a target.
Technically, Moonwalk++ extends prior stack spoofing research by combining multiple evasion techniques into a single, cohesive execution flow that preserves the appearance of legitimate execution at every stage.
First, it bypasses CALL instruction validation by choosing forged return addresses that sit immediately after naturally occurring CALL instructions in legitimate Windows binaries, so the check that a return address must follow a CALL passes even though that call never happened.
Second, it bypasses module resolution checks by injecting shellcode into trusted processes such as OneDrive.exe and sourcing the spoofed stack frames from the host process's own image, so every frame resolves to a loaded, image-backed module.
Finally, Moonwalk++ encrypts its in-memory payload using custom ROP chains while still presenting a clean, unwindable call stack, so the payload bytes are not exposed to memory scanners while encrypted.
Together, these techniques let malware execute and persist entirely in memory while presenting a normal-looking call stack that undermines advanced detection telemetry.
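To make the detection logic described for Elastic's guidance concrete, and to show exactly why the gadget-based forgery in the walkthrough above passes it, here is an added Python example. It is not code from this page, from Elastic, or from the Moonwalk++ PoC; the module names, addresses and instruction bytes are constructed for illustration, and the two checks are a simplified rendering of the approach rather than any vendor's implementation.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    """A loaded, image-backed module: name, base address and its code bytes (constructed)."""
    name: str
    base: int
    image: bytes

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + len(self.image)


def _build_image(size: int, patches: dict) -> bytes:
    # Constructed module body: NOP filler with real x86-64 encodings at known offsets.
    buf = bytearray(b"\x90" * size)
    for off, code in patches.items():
        buf[off:off + len(code)] = code
    return bytes(buf)


# Constructed process layout: two trusted images plus a private shellcode region.
# Names and addresses are placeholders chosen to mirror the article's OneDrive.exe scenario.
NTDLL = Module("ntdll.dll", 0x7FF800000000, _build_image(0x1000, {
    0x100: b"\xe8\x00\x10\x00\x00",       # call rel32              -> return address at +0x105
    0x200: b"\xff\x15\x10\x00\x00\x00",   # call qword ptr [rip+16] -> return address at +0x206
}))
ONEDRIVE = Module("OneDrive.exe", 0x7FF600000000, _build_image(0x1000, {
    0x300: b"\xff\xd0",                   # call rax                -> return address at +0x302
    0x400: b"\x48\x89\xc8",               # mov rax, rcx            (not a CALL)
}))
MODULES = [NTDLL, ONEDRIVE]
SHELLCODE_BASE = 0x1A2B3C000000            # private, non-image-backed region (constructed)


def resolve_module(addr: int) -> Optional[Module]:
    """Module provenance check: which loaded image, if any, owns this address."""
    for m in MODULES:
        if m.contains(addr):
            return m
    return None


def preceded_by_call(addr: int) -> bool:
    """CALL check: do the bytes immediately before `addr` decode as a CALL instruction?

    Handles the common x86-64 encodings: E8 rel32 (5 bytes), FF /2 with a register
    operand (2 bytes) and FF /2 with a RIP-relative memory operand (6 bytes). A
    production check would also disassemble forward from the function start so that
    a stray 0xE8 inside another instruction's operand cannot satisfy it.
    """
    m = resolve_module(addr)
    if m is None:
        return False
    off, img = addr - m.base, m.image
    if off >= 5 and img[off - 5] == 0xE8:
        return True
    if off >= 2 and img[off - 2] == 0xFF:
        modrm = img[off - 1]
        if (modrm >> 6) == 3 and ((modrm >> 3) & 7) == 2:   # mod=11, reg=/2 -> call r64
            return True
    if off >= 6 and img[off - 6] == 0xFF and img[off - 5] == 0x15:  # call [rip+disp32]
        return True
    return False


def validate_frame(ret_addr: int) -> dict:
    m = resolve_module(ret_addr)
    return {"addr": hex(ret_addr), "module": m.name if m else None,
            "image_backed": m is not None, "after_call": preceded_by_call(ret_addr)}


def stack_looks_legit(frames: List[int]) -> bool:
    """Verdict of a stack-only detector: every frame image-backed and right after a CALL."""
    return all(f["image_backed"] and f["after_call"] for f in map(validate_frame, frames))


# Constructed call stacks, innermost return address first.
HONEST_STACK = [NTDLL.base + 0x105, ONEDRIVE.base + 0x302]        # real calls, passes
NAIVE_INJECTION = [NTDLL.base + 0x105, SHELLCODE_BASE + 0x40]     # frame in private memory, caught
SLOPPY_SPOOF = [NTDLL.base + 0x105, ONEDRIVE.base + 0x403]        # in a module but not after a CALL, caught
# Gadget spoof in the style the article describes: every forged return address is the byte
# after a CALL that genuinely exists in a trusted image, so both checks pass although none
# of those calls ever executed.
GADGET_SPOOF = [NTDLL.base + 0x206, ONEDRIVE.base + 0x302, NTDLL.base + 0x105]

if __name__ == "__main__":
    for name, stack in [("honest", HONEST_STACK), ("naive injection", NAIVE_INJECTION),
                        ("sloppy spoof", SLOPPY_SPOOF), ("gadget spoof", GADGET_SPOOF)]:
        print(f"{name:16s} legit={stack_looks_legit(stack)}")
```

The point of the four stacks is the contrast: the two checks catch a frame in private memory and a frame that does not follow a CALL, but they have nothing to say about a frame that follows a real CALL in a real module, which is exactly what a gadget-sourced return address is. The checks answer "could this frame have come from a call?", not "did this call happen?", and the latter is not recoverable from the stack alone.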
Why Call Stack Detection Failed Against Moonwalk++
Testing showed that common detection techniques such as Hunt-Sleeping-Beacons, Get-InjectedThreadEx, and Eclipse failed to detect Moonwalk++ activity.
In these cases, the tools reported no meaningful indicators of compromise because the call stacks generated by Moonwalk++ fully satisfied their validation criteria.
Only tools that look at broader memory obfuscation artifacts, such as hollows_hunter, surfaced anomalies, and even then detection came through indirect indicators such as unusual memory protections rather than through call stack analysis itself.
These failures expose a core weakness in stack-based detection, which assumes malicious execution will eventually appear abnormal.
Moonwalk++ challenges this assumption by demonstrating that attackers who tightly control execution context can construct call stacks that remain internally consistent, unwind correctly, and resolve entirely to legitimate modules.
When every layer of the stack aligns with what defenders expect to see, even advanced telemetry loses its discriminating power.
This shifts the detection problem away from identifying “bad-looking” execution and toward recognizing subtle behavioral or memory-level signals that remain difficult to monitor reliably at scale.
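The memory-level signals mentioned above (unusual memory protections in a process that should not be running dynamic code) are the kind that survive a perfectly consistent call stack. The following added Python example, not code from this page or from hollows_hunter, shows two such checks run over a constructed VirtualQuery-style snapshot and a constructed log of VirtualProtect events: flagging writable-and-executable or private executable regions, and counting how often a region's execute permission is toggled, which is the footprint of a payload that is encrypted while idle and decrypted to run. All addresses and events are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Win32 memory constants (MEMORY_BASIC_INFORMATION.Type / .Protect values).
MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE = 0x1000000, 0x40000, 0x20000
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


def is_exec(protect: int) -> bool:
    return bool(protect & EXEC_MASK)


@dataclass(frozen=True)
class Region:
    """One committed region as a VirtualQuery-style snapshot would report it (constructed)."""
    base: int
    size: int
    mem_type: int
    protect: int


def scan_regions(regions: List[Region]) -> List[Tuple[str, int]]:
    """Snapshot heuristics that do not depend on the call stack.

    'rwx'          : writable and executable at once; almost never legitimate.
    'private_exec' : executable memory not backed by an image on disk. JIT runtimes
                     (.NET, browsers) produce this too, so it is a lead to correlate
                     with process lineage and API usage, not a verdict on its own.
    """
    findings = []
    for r in regions:
        if r.protect == PAGE_EXECUTE_READWRITE:
            findings.append(("rwx", r.base))
        elif is_exec(r.protect) and r.mem_type == MEM_PRIVATE:
            findings.append(("private_exec", r.base))
    return findings


def protection_flips(events: List[Tuple[int, int, int, int]], min_flips: int = 2) -> Dict[int, int]:
    """Count execute-bit transitions per region from VirtualProtect telemetry.

    events are (timestamp, region_base, old_protect, new_protect). A region that
    repeatedly loses and regains execute permission is what an implant that encrypts
    its payload while idle and restores it to run looks like from the outside,
    whatever its call stack says.
    """
    flips: Dict[int, int] = defaultdict(int)
    for _ts, base, old, new in sorted(events):
        if is_exec(old) != is_exec(new):
            flips[base] += 1
    return {b: n for b, n in flips.items() if n >= min_flips}


def assess(regions: List[Region], events: List[Tuple[int, int, int, int]]) -> Dict[str, object]:
    """Combine the snapshot and event signals into one record for a process."""
    region_hits = scan_regions(regions)
    flip_hits = protection_flips(events)
    return {"region_findings": region_hits, "protection_flips": flip_hits,
            "suspicious": bool(region_hits or flip_hits)}


# Constructed snapshot of a trusted process with an injected payload. Addresses are placeholders.
SNAPSHOT = [
    Region(0x7FF600000000, 0x200000, MEM_IMAGE, PAGE_EXECUTE_READ),        # host .text
    Region(0x7FF600200000, 0x040000, MEM_IMAGE, PAGE_READWRITE),           # host .data
    Region(0x1A2B3C000000, 0x010000, MEM_PRIVATE, PAGE_EXECUTE_READWRITE), # injected RWX region
    Region(0x1A2B3D000000, 0x001000, MEM_PRIVATE, PAGE_READWRITE),         # ordinary heap
    Region(0x1A2B3E000000, 0x002000, MEM_PRIVATE, PAGE_EXECUTE_READ),      # private RX payload
]
# Constructed VirtualProtect telemetry: (t, base, old_protect, new_protect).
EVENTS = [
    (1, 0x1A2B3E000000, PAGE_EXECUTE_READ, PAGE_READWRITE),   # go idle: make writable, encrypt
    (2, 0x1A2B3E000000, PAGE_READWRITE, PAGE_EXECUTE_READ),   # wake: decrypt, restore execute
    (3, 0x1A2B3E000000, PAGE_EXECUTE_READ, PAGE_READWRITE),
    (4, 0x1A2B3E000000, PAGE_READWRITE, PAGE_EXECUTE_READ),
    (5, 0x1A2B3D000000, PAGE_READWRITE, PAGE_READONLY),       # benign: execute bit unchanged
]
# A clean process: only image-backed code and no execute-permission churn.
CLEAN_SNAPSHOT = SNAPSHOT[:2]
CLEAN_EVENTS = EVENTS[4:]

if __name__ == "__main__":
    print(assess(SNAPSHOT, EVENTS))
    print(assess(CLEAN_SNAPSHOT, CLEAN_EVENTS))
```

Neither check proves injection on its own, and the private-executable heuristic in particular is noisy on processes that JIT. Their value is that they are orthogonal to stack unwinding: a tool that only inspects the stack has no reason to look at a region's protection history, and an implant that has perfected its stack still has to make its payload executable before it can run it.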
Strengthening Detection Against EDR Evasion
The following measures outline practical ways organizations can strengthen detection and reduce risk from advanced evasion techniques.
- Treat call stack telemetry as a supporting signal and correlate it with memory changes, thread activity, API usage, and process lineage.
- Monitor trusted processes that rarely execute dynamic code for anomalous behavior or injection activity.
- Strengthen detection by layering behavioral, memory, and execution-context signals rather than relying on a single technique.
- Test and validate detection logic through adversary emulation and red-teaming to identify evasion blind spots.
- Apply tighter controls around dynamic code execution, memory protection changes, and return-oriented programming behavior.
Taken together, these steps help improve resilience by reducing reliance on any single detection method.
When Detection Logic Becomes the Target
Moonwalk++ reflects a broader shift in attacker tradecraft in which malware is no longer focused solely on avoiding detection, but is deliberately engineered to exploit the underlying assumptions and heuristics defenders rely on.
By targeting how security tools interpret telemetry rather than the telemetry itself, techniques like Moonwalk++ highlight an evolving adversary mindset that treats detection logic as a primary attack surface.
This evolution reinforces why many organizations are turning to zero-trust.
