
EVADING DEFENDER via Classic Code Injection – Using an Undocumented API (RtlCreateUserThread)

133 views
Nov 14, 2025
5:51

New to Maldev? Start with our Maldev 101 foundational series before diving in: https://www.rbtsec.com/blog/category/maldev/

In this video, we walk through a classic Windows process injection technique that still works in 2025. Using Sliver and Havoc beacons in our controlled RBT Labs environment, we demonstrate how the undocumented API RtlCreateUserThread can be used to quietly spawn remote threads, and how this method can still bypass Microsoft Defender when implemented properly.

Follow Us:
Discord: https://discord.gg/UnHBp9FuGK
LinkedIn: https://www.linkedin.com/company/rbtsecurity/
Twitter: https://twitter.com/RBTSecurity
Facebook: https://www.facebook.com/RBTSecur1ty/
GitHub: https://github.com/rbtsecurity/

Contact Us: For business inquiries and collaborations, please email us at [email protected]

Educational Disclaimer: All content is intended for educational purposes only, to promote ethical hacking and security research.

#redteam #malwaredevelopment #windowsinternals #sliver #havoc #offensivesecurity #maldev #rbtsecurity #ethicalhacking

