Malware Detection Gap Analysis

We deployed 3,133 code-rewritten malware samples across 6 AV products. To validate, we rescanned 803 original/rewritten pairs on VirusTotal (53 vendors). After rewriting, each sample is recognized by fewer vendors and each vendor catches fewer samples.

Our Detection Rate: 81.2% (samples caught by ≥1 of 6 AV tools)
VT Detection Rate: 100% (samples caught by ≥1 of 53 vendors)
Vendor Recognition: 76.7% → 58.5% (avg % of vendors flagging each sample)
Samples Deployed: 3,133 (803 validated on VT)

At a Glance

How code rewriting reduces detection — from vendor recognition to per-vendor sample detection.

Detection Rate Drop

Original vs rewritten detection for key vendors

Our Detection Layers

Static, prompt dynamic, and lazy dynamic per AV

Most Affected Categories

Drop in avg vendor recognition by malware type

Vendor Drops by Category

Per-category detection drops for key vendors

Deep Dive

The sections below cover our platform results, VT validation data, per-category breakdowns, and behavioral analysis.

VirusTotal Validates Detection Gaps

803 rewritten samples were rescanned on VirusTotal. On average, each original sample was flagged by 76.7% of vendors (~41 of 53). After rewriting, each was flagged by only 58.5% (~31 vendors), confirming that code rewriting reduces how broadly each sample is recognized across the industry.

VT Summary

18.2pp Coverage Drop
Sample Pairs Analyzed: 803
Common Vendors Tested: 53
Avg Vendor Coverage (Original): 76.7%
Avg Vendor Coverage (Rewritten): 58.5%
Relative Coverage Drop: 23.8%

Vendor Impact

41 Affected
Vendors detecting fewer samples: 41 / 53
Vendors with >50pp sample drop: 8
Vendors detecting more samples: 9
Unchanged (mobile-only): 3
Most resilient: CrowdStrike

Top 20 VT Vendors: % of 803 Samples Detected

Columns: Rank; VT Vendor; Orig. Detection (% of 803 original samples this vendor detected as malicious); Rew. Detection (% of 803 rewritten samples this vendor detected as malicious); Abs. Drop (absolute drop in this vendor's sample detection rate after rewriting); Evaded; Status.
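The statistics in the VT summary, vendor impact and top-vendor tables all derive from one matrix of "which vendors flagged which sample, before and after rewriting". The script below is an added example of that aggregation, not the report's own tooling; the vendor names and the four sample pairs are constructed stand-ins for the 53 vendors and 803 pairs, and the "most resilient" definition (highest detection rate on rewritten samples) is an assumption, since the page does not state how it picked that vendor.

```python
"""Vendor-coverage and per-vendor detection statistics for original/rewritten
sample pairs, mirroring the VT summary, vendor impact and top-vendor tables.
Added example, not the report's own tooling. VENDORS and PAIRS are constructed
stand-ins (five vendors, four pairs) for the 53 vendors and 803 pairs."""
from statistics import mean

VENDORS = ["VendorA", "VendorB", "VendorC", "VendorD", "VendorE"]  # constructed names

# constructed: sample -> (vendors flagging the original, vendors flagging the rewrite)
PAIRS = {
    "s1": ({"VendorA", "VendorB", "VendorC", "VendorD"}, {"VendorA", "VendorD"}),
    "s2": ({"VendorA", "VendorB", "VendorC"}, {"VendorA", "VendorC"}),
    "s3": ({"VendorA", "VendorB", "VendorD", "VendorE"}, {"VendorA", "VendorE"}),
    "s4": ({"VendorA", "VendorC"}, {"VendorA", "VendorC", "VendorE"}),
}


def coverage(flagging, vendors):
    """Percent of the common vendor set that flags one sample."""
    return 100.0 * len(set(flagging) & set(vendors)) / len(vendors)


def avg_coverage(pairs, vendors):
    """Average vendor coverage before/after rewriting, with absolute (pp) and relative drop."""
    orig = mean(coverage(o, vendors) for o, _ in pairs.values())
    rew = mean(coverage(r, vendors) for _, r in pairs.values())
    abs_drop = orig - rew
    rel_drop = 100.0 * abs_drop / orig if orig else 0.0
    return {"orig": round(orig, 1), "rew": round(rew, 1),
            "abs_drop_pp": round(abs_drop, 1), "rel_drop_pct": round(rel_drop, 1)}


def vendor_rates(pairs, vendors):
    """Per vendor: percent of samples detected as original and as rewritten, and the drop in pp."""
    n = len(pairs)
    rates = {}
    for v in vendors:
        o = 100.0 * sum(v in orig for orig, _ in pairs.values()) / n
        r = 100.0 * sum(v in rew for _, rew in pairs.values()) / n
        rates[v] = {"orig": round(o, 1), "rew": round(r, 1), "drop_pp": round(o - r, 1)}
    return rates


def vendor_impact(rates, big_drop_pp=50.0):
    """Counts behind the 'Vendor Impact' card. 'most_resilient' is defined here
    (an assumption) as the vendor with the highest detection rate on rewritten samples."""
    fewer = [v for v, s in rates.items() if s["drop_pp"] > 0]
    more = [v for v, s in rates.items() if s["drop_pp"] < 0]
    unchanged = [v for v, s in rates.items() if s["drop_pp"] == 0]
    big = [v for v, s in rates.items() if s["drop_pp"] > big_drop_pp]
    most_resilient = max(rates, key=lambda v: (rates[v]["rew"], -rates[v]["drop_pp"]))
    return {"fewer": sorted(fewer), "more": sorted(more), "unchanged": sorted(unchanged),
            "big_drop": sorted(big), "most_resilient": most_resilient}


def top_vendors(rates, k=3):
    """Rows for the top-k table: ranked by original detection rate, with an 'evaded'
    flag when the vendor lost more than half of its original detections."""
    ranked = sorted(rates.items(), key=lambda kv: kv[1]["orig"], reverse=True)[:k]
    rows = []
    for rank, (v, s) in enumerate(ranked, 1):
        evaded = s["orig"] > 0 and s["rew"] < s["orig"] / 2
        rows.append({"rank": rank, "vendor": v, **s, "evaded": evaded})
    return rows


if __name__ == "__main__":
    print(avg_coverage(PAIRS, VENDORS))
    print(vendor_impact(vendor_rates(PAIRS, VENDORS)))
    for row in top_vendors(vendor_rates(PAIRS, VENDORS)):
        print(row)
```

Note the two different drop numbers: the coverage drop is an average over samples of "how many vendors flag it", while the per-vendor drop is, for one vendor, the share of samples it catches; a vendor can lose half its detections without moving the average much if it is one of many.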

Multi-Layered Detection Architecture

Rewritten malware is deployed across 6 AV environments with three detection stages. Combined, at least one tool catches 81.2% of all samples.

Detection Stages

Static (blocked before execution)
Prompt Dynamic (killed at startup)
Lazy Dynamic (behavioral divergence)

Columns: AV Product; Tests; Static (AV blocked process creation before the malware could execute); Prompt Dyn. (AV killed the malware immediately at startup, resulting in an empty API trace); Lazy Dyn. (AV allowed execution but API behavior diverged from reference, similarity below threshold); Overall; Verdict.

Aggregate Statistics

7,636 Tests
Total Samples Deployed: 3,132
Total VM-Sample Tests: 7,636
Static Detections: 2,227 (29.2%)
Dynamic Detections: 1,415 (18.5%)
Overall Detection Rate: 47.7%
Combined (any tool catches): 81.2%

Per-Sample Distribution

3,132 Samples
Detected by ALL VMs (100%): 1,697 (54.2%)
Detected by 76-99% of VMs: 14 (0.4%)
Detected by 51-75%: 11 (0.4%)
Detected by 26-50%: 259 (8.3%)
Detected by 1-25%: 560 (17.9%)
Evaded ALL VMs (0%): 588 (18.8%)
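How a per-test observation turns into a stage verdict, and how those verdicts roll up into the aggregate statistics and the per-sample distribution above, is shown by the following added example. It is not the platform's own code: the observations (whether the AV blocked process creation, the captured trace length, the behavioural similarity to an unprotected reference run) are constructed, and the similarity threshold is an assumed value because the report does not state one.

```python
"""Stage verdicts and aggregate statistics for the three-stage platform described above.
Added example, not the platform's own code. Each observation is constructed; the
similarity threshold is assumed, not taken from the report."""
from collections import Counter, defaultdict

SIMILARITY_THRESHOLD = 0.8  # assumed value; the report does not state its threshold


def stage_verdict(obs):
    """Map one (AV, sample) observation to the stage at which it was detected."""
    if obs["blocked"]:                               # process creation refused
        return "static"
    if obs["trace_len"] == 0:                        # killed at startup, empty API trace
        return "prompt_dynamic"
    if obs["similarity"] < SIMILARITY_THRESHOLD:     # ran, but behaviour diverged
        return "lazy_dynamic"
    return "evaded"


def _obs(blocked=False, trace_len=0, similarity=1.0):
    return {"blocked": blocked, "trace_len": trace_len, "similarity": similarity}


# constructed: (sample, av) -> observation; four samples on three AV VMs
TESTS = {
    ("s1", "av1"): _obs(blocked=True),
    ("s1", "av2"): _obs(blocked=True),
    ("s1", "av3"): _obs(trace_len=0),
    ("s2", "av1"): _obs(trace_len=500, similarity=0.95),
    ("s2", "av2"): _obs(blocked=True),
    ("s2", "av3"): _obs(trace_len=320, similarity=0.30),
    ("s3", "av1"): _obs(trace_len=900, similarity=0.97),
    ("s3", "av2"): _obs(trace_len=880, similarity=0.99),
    ("s3", "av3"): _obs(trace_len=910, similarity=0.96),
    ("s4", "av1"): _obs(trace_len=200, similarity=0.50),
    ("s4", "av2"): _obs(trace_len=640, similarity=0.92),
    ("s4", "av3"): _obs(trace_len=650, similarity=0.93),
}


def bucket(pct_detected):
    """Per-sample bucket from the share of VMs that detected the sample."""
    if pct_detected == 100:
        return "all"
    if pct_detected >= 76:
        return "76-99"
    if pct_detected >= 51:
        return "51-75"
    if pct_detected >= 26:
        return "26-50"
    if pct_detected > 0:
        return "1-25"
    return "none"


def aggregate(tests):
    """Static/dynamic/overall rates per test, combined rate per sample, and the bucket counts."""
    verdicts = {key: stage_verdict(o) for key, o in tests.items()}
    counts = Counter(verdicts.values())
    total = len(verdicts)
    detected_by_sample = defaultdict(list)
    for (sample, _av), v in verdicts.items():
        detected_by_sample[sample].append(v != "evaded")
    pct = {s: 100.0 * sum(d) / len(d) for s, d in detected_by_sample.items()}
    return {
        "tests": total,
        "static_pct": round(100.0 * counts["static"] / total, 1),
        "dynamic_pct": round(100.0 * (counts["prompt_dynamic"] + counts["lazy_dynamic"]) / total, 1),
        "overall_pct": round(100.0 * (total - counts["evaded"]) / total, 1),
        "combined_pct": round(100.0 * sum(p > 0 for p in pct.values()) / len(pct), 1),
        "distribution": dict(Counter(bucket(p) for p in pct.values())),
    }


if __name__ == "__main__":
    print(aggregate(TESTS))
```

The overall rate counts tests, so a sample that three VMs miss and one catches contributes three misses to it, while the combined rate counts samples and treats the same sample as caught; this is why the two headline figures (47.7% vs 81.2%) differ so much.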

Detection Method Breakdown by AV Product

Detection Drop by Malware Category

Samples classified via majority voting across 50+ VT vendor labels. Values show average vendor coverage: for each sample in a category, what % of 53 VT vendors flag it. Ransomware and viruses see the biggest coverage drops after rewriting — confirmed across individual major vendors below.

Columns: Malware Type; Count; Avg Orig. (average % of 53 VT vendors flagging each original sample of this type); Avg Rew. (average % of 53 VT vendors flagging each rewritten sample of this type); Drop (drop in average vendor coverage after code rewriting; higher means the category becomes much less recognizable); Rel. Drop; Impact Level.
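The category labels above come from a majority vote over the free-form detection names that VT vendors return. The following added example shows one way to do that vote; it is not the report's own classifier. The keyword table is a small assumed stand-in for a real label taxonomy, and the vendor label lists are constructed.

```python
"""Majority-vote classification of a sample's malware type from VT vendor labels.
Added example, not the report's own classifier. TYPE_KEYWORDS is an assumed,
deliberately small keyword table; SAMPLE_LABELS are constructed label sets."""
import re
from collections import Counter

# assumed keyword -> type table; real label normalisation needs a far larger one
TYPE_KEYWORDS = {
    "trojan": "Trojan", "trj": "Trojan",
    "ransom": "Ransomware", "ransomware": "Ransomware", "filecoder": "Ransomware",
    "virus": "Virus", "virut": "Virus", "infector": "Virus",
    "pua": "PUA/PUP", "pup": "PUA/PUP", "unwanted": "PUA/PUP", "riskware": "PUA/PUP",
    "adware": "Adware",
}


def label_type(label):
    """Type implied by one vendor label, or None. 'Trojan' is a generic prefix in
    many naming schemes, so a more specific type in the same label wins over it."""
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    found = {TYPE_KEYWORDS[t] for t in tokens if t in TYPE_KEYWORDS}
    specific = found - {"Trojan"}
    if len(specific) == 1:
        return specific.pop()
    if not specific and "Trojan" in found:
        return "Trojan"
    return None          # no keyword, or conflicting specific types


def majority_type(labels, min_votes=2):
    """Majority vote over vendor labels; ties or too few votes give 'Unclassified'."""
    votes = Counter(t for t in map(label_type, labels) if t is not None)
    ranked = votes.most_common(2)
    if not ranked or ranked[0][1] < min_votes:
        return "Unclassified"
    if len(ranked) == 2 and ranked[0][1] == ranked[1][1]:
        return "Unclassified"
    return ranked[0][0]


# constructed vendor label sets for two samples
SAMPLE_LABELS = {
    "a": ["Trojan.Win32.Agent.xyz", "Ransom:Win32/Filecoder.A", "Win32/Filecoder.B",
          "Trojan-Ransom.Win32.Foo", "Generic.Malware"],
    "b": ["Trojan.Agent.abc", "Adware.Foo"],
}


def classify_all(sample_labels):
    return {s: majority_type(labels) for s, labels in sample_labels.items()}


if __name__ == "__main__":
    print(classify_all(SAMPLE_LABELS))
```

The vote is taken over the original sample's labels only; after rewriting, fewer vendors return a label at all, so re-voting on the rewritten scan would bias the category counts toward "Unclassified".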

Most Evasive Families

Biggest drops in average vendor coverage (original → rewritten):
Filecoder (7 samples): 88.2% → 43.8%
Leouncia (7): 84.0% → 41.1%
Ransom (5): 87.1% → 47.0%
Virut (26): 69.1% → 29.4%
Rodecap (12): 80.3% → 47.0%
Hematite (79): 69.1% → 38.5%

Most Resilient Families

Most resilient in average vendor coverage (original → rewritten):
Plite (10): 74.8% → 71.0%
Darkkomet (39): 83.6% → 78.3%
Bladabindi (6): 67.7% → 61.6%
Lethic (22): 77.7% → 71.0%
Ppatre (8): 79.5% → 69.3%
Salgorea (54): 80.1% → 69.0%

Avg Vendor Coverage Before vs After Rewriting (by Category)

Per-Vendor Breakdown by Category

Each cell shows the drop (in pp) in what % of samples this vendor detects, broken down by malware type. This confirms the category-level trends above hold at the individual vendor level.

Columns: Vendor; Overall Drop; Trojan (drop in % of Trojan samples this vendor detects after rewriting); Virus (drop in % of Virus/file-infector samples this vendor detects); Ransomware (drop in % of Ransomware samples detected; only 4 samples); PUA/PUP (drop in % of PUA/PUP samples this vendor detects); Adware (drop in % of Adware samples this vendor detects).

Sample Detection Drop by Category — Major Vendors

The Behavioral Blind Spot

API tracing reveals why malware evades detection. Process hollowing and app-compatibility abuse are invisible to static scans but clearly visible in our runtime analysis.

Behavioral Sample Breakdown

138 Traced
Full evasion (evaded ALL tools): 27 (19.6%)
Partial evasion: 76 (55.1%)
Fully detected: 35 (25.4%)

API Complexity Comparison

Median Stats
Evading samples, API calls: ~19,325
Evading samples, unique APIs: ~599
Detected samples, API calls: ~48,925
Detected samples, unique APIs: ~687

Evasion-Only Techniques

These APIs appear exclusively in samples that evaded all detection and are never seen in caught samples. Static signature scans fundamentally cannot detect these runtime behaviors.

PROCESS INJECTION / HOLLOWING
ZwWriteVirtualMemory (74.1%), ZwResumeThread (66.7%), ZwWow64AllocateVirtualMemory64 (55.6%), ZwWow64WriteVirtualMemory64 (55.6%)
PROCESS CREATION CHAIN
BasepConstructSxsCreateProcessMessage (55.6%), BaseCheckElevation (55.6%), BasepGetAppCompatData (55.6%), BasepIsProcessAllowed (55.6%)
APP COMPATIBILITY ABUSE
SdbInitDatabaseEx (55.6%), SdbPackAppCompatData (55.6%), ApphelpCreateAppcompatData (55.6%), SdbFindFirstNamedTag (55.6%), SdbReleaseDatabase (55.6%)

Detection-Only Behaviors

These APIs appear only in caught samples. They represent visible, "loud" behaviors that static and heuristic engines flag easily — but they are not the sophisticated threats.

GUI / WINDOW CREATION (HIGHLY VISIBLE)
CreateWindowExA (42.9%), SendMessageA (42.9%), LoadIconA (42.9%), LoadStringA (42.9%), SetWindowLongA (40.0%)
GRAPHICS / RENDERING
StretchDIBits (40.0%), CreateFontIndirectA (40.0%), GetDIBColorTable (40.0%), EnumDisplayMonitors (40.0%)
REGISTRY MODIFICATION
RegCreateKeyExA (14.3%), RegSetValueExA (14.3%), RegDeleteValueA (14.3%), ZwDeleteValueKey (14.3%)

Evasion-Enriched vs Detection-Enriched APIs

Summary of Key Insights

The most important takeaways from our analysis of 3,133 rewritten malware samples across 53 VT vendors and our 6-AV platform.

81.2% Combined Detection on Rewritten Malware

Our multi-layered 6-AV platform catches 81.2% of code-rewritten samples, meaning at least one tool flags each of those samples. Norton AV alone achieves 96.2%, with 94.5% caught statically — showing that multi-layer defense is highly effective.

VT Confirms: Code Rewriting Breaks Detection

41 of 53 VT vendors (77%) detect fewer samples after code rewriting. Some drop catastrophically: Paloalto detects 82.1% → 7.3% of samples, ESET-NOD32 96.4% → 31.9%. This validates that the detection gaps we identify are real and industry-wide.

Ransomware: Highest Vendor Coverage Drop (31.1pp)

Ransomware samples go from being flagged by 84.5% of vendors to only 53.4% after rewriting — the largest drop of any category. Encryption logic can be restructured without changing functionality, breaking signature matching across the industry.

Process Hollowing: Key Evasion Technique

74.1% of fully-evading samples use ZwWriteVirtualMemory and 66.7% use ZwResumeThread — classic process hollowing. This runtime technique is invisible to static signature scans, making it the primary evasion mechanism we observe.

Stealthy Malware Evades; "Loud" Malware Gets Caught

GUI-creating APIs (CreateWindowExA, SendMessageA) appear in 43% of detected samples but 0% of evaders. Malware that creates visible UI elements is easily flagged, while stealthy, process-injection-based samples slip through.

App Compatibility Framework as Disguise

55.6% of evasion samples abuse apphelp.dll to disguise process creation as legitimate compatibility operations. This technique is a significant industry blind spot — our runtime behavioral analysis is one of the few tools that reveals it.

File Infectors: ~30pp Vendor Coverage Drop

136 virus/file-infector samples (Virut, Hematite, Rodecap) go from ~72% to ~42% average vendor coverage. Individual vendors confirm: ESET-NOD32 drops 79pp on viruses, DrWeb drops 80pp. Polymorphism amplified by code rewriting breaks signatures across the board.

Per-Vendor Drops Vary Wildly by Category

ESET-NOD32 detects 100% fewer Ransomware samples but only 59.8pp fewer Trojan samples after rewriting. Paloalto collapses across all types. CrowdStrike stays resilient everywhere. Category-level analysis reveals where each vendor's signatures break down.