Modern attacker tradecraft has shifted from writing malware to weaponizing what already exists. The 2025 CrowdStrike Global Threat Report found that 79% of attack detections involved no malware at all. The techniques catalogued here reflect that reality: attackers who abuse legitimate drivers, built-in Windows binaries, Unicode properties, and trusted cloud services to execute attacks that leave traditional security tools with nothing to detect.
This guide maps modern Windows attack techniques across four categories: EDR and endpoint evasion, malware delivery, stealth and persistence, and command-and-control infrastructure. Each technique links to a full technical deep-dive.
EDR and Endpoint Evasion
BYOVD — Bring Your Own Vulnerable Driver
The most impactful EDR evasion technique active in 2026. Attackers load a legitimate, Microsoft-signed driver that contains a known vulnerability — then exploit that driver to execute code at the Windows kernel level. From the kernel, they terminate EDR processes, disable telemetry, and install rootkits before deploying their actual payload.
As of March 2026: 54 EDR killer tools abuse 35 distinct signed drivers. The technique is no longer a nation-state exclusive — RansomHub, BlackByte, Akira, and Scattered Spider all use BYOVD. The shared EDRKillShifter tool functions as BYOVD-as-a-service for the criminal ecosystem.
Detection requires catching the driver load before the exploit runs — Sysmon Event ID 6 (driver loaded) cross-referenced against known-bad driver hashes. Once EDR is dead, it stops generating telemetry. The window is narrow.
BYOVD: How Attackers Use Legitimate Drivers to Kill Your Security Tools — real-world examples from Lazarus, RansomHub, BlackByte, and Scattered Spider; detection with Sigma rules; HVCI and WDAC mitigations.
LOLBins — Living Off the Land Binaries
When malware-free is the goal, attackers use Windows’ own tools. certutil.exe downloads payloads. mshta.exe executes remote scripts. regsvr32.exe loads scriptlets that bypass AppLocker. rundll32.exe runs DLLs — including comsvcs.dll, which can dump LSASS credentials without any external tooling.
The January 2026 Remcos/NetSupport RAT campaign ran from phishing email to persistent remote access using zero custom malware — every step used a Microsoft-signed binary. The kill chain: forfiles → mshta → PowerShell → curl.exe → tar.exe → persistence via reg.exe.
Newer LOLBins (curl.exe, tar.exe, MAVInject.exe) have far less mature detection coverage than the classics. Chained LOLBin sequences are harder to catch than individual abuses — each step looks benign in isolation.
LOLBins in 2026: How Attackers Use Windows Against Itself — full toolkit breakdown, the 2026 RAT attack chain, KQL detection rules, and Sysmon configuration for behavioral coverage.
Delivery and Initial Access
ClickFix, FileFix, Pastejacking
Social engineering evolved past “open the attachment.” ClickFix attacks display a fake error message or CAPTCHA, then instruct the victim to paste a command into PowerShell or the Run dialog to “fix” it. The victim sees a legitimate-looking prompt. What they paste is attacker-controlled code, pre-loaded into their clipboard without their knowledge — pastejacking.
The technique requires no technical vulnerability. It exploits the gap between what users see and what their clipboard contains. Variants include FileFix (fake file corruption) and JackFix (fake browser extension issues). Nation-state actors and criminal ransomware groups are both using these techniques at scale.
The ‘Fix’ Is the Exploit: ClickFix, FileFix, JackFix and Pastejacking Attacks Explained — how the attack mechanics work, real-world campaigns, detection, and user awareness guidance.
Invisible Characters as Weaponized Unicode
Unicode includes hundreds of invisible, zero-width, and directional control characters — and they are being actively weaponized. The attacks include:
- Trojan Source (CVE-2021-42574) — bidirectional control characters reorder how code appears in an editor versus how it executes, hiding backdoors in plain sight during code review
- Invisible payload injection — Unicode tag characters (U+E0000 range) embed hidden instructions in text; AI models read and execute them while humans see nothing
- Copy-paste terminal attacks — web pages inject invisible characters into copyable content that execute commands when pasted into a terminal
Invisible Characters as an Attack Vector — technical breakdown of each character class, real attack scenarios in GitHub repositories and AI agent sessions, and detection tooling.
LNK Shortcut Spoofing (CVE-2025-9491)
Windows .lnk shortcut files display one target to the user while silently executing another. CVE-2025-9491 made this a zero-interaction vulnerability — a specially crafted LNK file could execute arbitrary code when a folder containing it was opened, with no click required.
Five distinct spoofing techniques, how Explorer is deceived, and why LNK files remain a persistent initial access vector despite decades of patches.
Trust Me, I’m a Shortcut: How LNK Files Lie to Windows Explorer — CVE-2025-9491 technical analysis, all spoofing variants, and Sysmon-based detection.
Stealth and Persistence
NTFS Alternate Data Streams
The NTFS filesystem supports multiple data streams per file — the main content is just one of them. Attackers use Alternate Data Streams (ADS) to hide executables, scripts, and exfiltrated data inside innocent-looking files. A text file can carry a hidden executable in its ADS. That executable is invisible to directory listings and most file browsers.
The technique predates modern Windows but remains effective because ADS content does not appear in standard dir output or most file analysis tools.
Hidden in Plain Sight: NTFS Alternate Data Streams and How Attackers Abuse Them — ADS mechanics, malware use cases, PowerShell and Sysinternals detection, and Sysmon Event ID 15 (file stream created).
Zombie ZIP — CVE-2026-0866
A two-byte manipulation of a ZIP archive header causes 50 of 51 antivirus engines to scan compressed noise instead of the actual payload. The archive appears empty or corrupted to security tooling while decompressing normally for the victim.
CVE-2026-0866 demonstrates that AV signature scanning against archive formats is structurally fragile — a single parser implementation difference is enough to blind the entire signature-based detection layer.
Zombie ZIP: How a Malformed Archive Header Blinds 98% of Antivirus Engines — technical breakdown of the header manipulation, affected engines, attack delivery scenarios, and behavioral detection alternatives.
Command-and-Control Infrastructure
C2 Without Owning Infrastructure
Modern C2 does not require attacker-owned servers. Attackers use services your organization already trusts — GitHub, Google Docs, Discord, Slack, Notion — as dead-drop resolvers for commands and exfiltrated data. The C2 traffic blends into legitimate HTTPS to known-good domains. Firewall rules and proxy allowlists that permit GitHub traffic also permit the C2.
C2 Without Owning C2: When Attackers Use Your Trusted Services — dead drop C2, reputation laundering, living-off-trusted-services technique breakdown, and why traditional egress filtering fails against it.
Telegram Bot API as C2
Telegram’s Bot API provides a fully functional, encrypted, authenticated command-and-control channel using Telegram’s own infrastructure. The endpoint is api.telegram.org — a domain most organizations either allowlist outright or cannot block without disrupting legitimate business use.
Telegram Bot API as C2: Detection for Blue Teams — how attackers use the Bot API for C2, detection through DNS query analysis and proxy logs, and network controls.
Attacker Mindset: The Full Picture
Individual techniques are more useful when understood in context. The shift toward evasion-first tradecraft reflects a broader strategic change: attackers now optimize for persistence and stealth over speed. The goal is living in an environment for weeks before detection — or indefinitely.
The Digital Parasite: How Attacker Tradecraft Evolved in 2026 — how 80% of top MITRE ATT&CK techniques now focus on evasion and persistence, and what that means for detection strategy.
Where to Start on Defense
The techniques above share a common defensive gap: they defeat signature-based detection by design. The effective detection layer for all of them is behavioral:
- Sysmon — process creation, command lines, driver loads, file streams, network connections
- SIEM behavioral correlation — sequences of events across time, not individual alerts
- Network visibility — proxy inspection to catch LOLBin outbound connections and C2 over trusted services
- EDR with kernel-level telemetry — catches BYOVD during the driver load window before EDR is disabled
For hands-on detection work: Windows Event Log Security Analysis and Wazuh for Threat Hunting cover the instrumentation layer that makes behavioral detection possible.
For adversary simulation to test these detections: Starkiller & Empire: Red Team and Blue Team Guide and Purple Teaming with Budget-Free Tools.