“According to the research published by Hackmosphere, the technique works by avoiding the conventional execution path where applications call Windows API functions through libraries like kernel32.dll, which then forwards requests to ntdll.dll before making the actual system call to the kernel.”

Additional Information:

https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-1/

https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-2/