{
	"id": "6427634e-2dec-47fd-8e45-032864000392",
	"created_at": "2026-04-06T00:21:26.196982Z",
	"updated_at": "2026-04-10T03:32:43.483643Z",
	"deleted_at": null,
	"sha1_hash": "12ddded018fdbc6e44aa3f309673b51eac04fd42",
	"title": "New 'Early Bird' Code Injection Technique Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72619,
	"plain_text": "New 'Early Bird' Code Injection Technique Discovered\r\nBy sharon\r\nPublished: 2018-04-11 · Archived: 2026-04-05 16:32:15 UTC\r\nThis injection technique allows the injected code to run before the entry point of the main thread of the process, thereby letting it avoid detection by anti-malware products’ hooks.\r\nCode injection is commonly used by malware to evade detection by injecting malicious code into a legitimate process. The legitimate process then serves as camouflage: all an anti-malware tool sees running is the legitimate process, which obscures the execution of the malicious code.\r\nWe researched a code injection technique that appeared in malware samples at the Cyberbit malware research lab. It is a simple yet powerful technique. Its stealth comes from executing malicious code before the entry point of the main thread of a process, so it can bypass security product hooks unless those are placed before the main thread has its execution resumed: the APC runs before the first instruction of that thread’s own code.\r\nWe saw this technique used by various malware, among them the “TurnedUp” backdoor written by APT33 (an Iranian hacking group), a variant of the notorious “Carberp” banking malware, and the DorkBot malware.\r\nThe malware code injection flow works as follows:\r\n1. Create a suspended process (most likely a legitimate Windows process)\r\n2. Allocate and write malicious code into that process\r\n3. Queue an asynchronous procedure call (APC) to that process’ main thread\r\n4. Resume the main thread of the process to execute the APC\r\nHooks are code sections that are inserted by legitimate anti-malware products when a process starts running. They are placed on specific Windows API calls. The goal of the hooks is to monitor API calls with their parameters to find malicious calls or call patterns.\r\nIn this post, we explain how the APC execution flow works when the main thread of a suspended process is resumed.\r\nThis code injection technique can be drawn like this:\r\nFigure – code injection diagram\r\nSynopsis of Technical Analysis of Early Bird Code Injection Technique\r\nWhile analyzing samples at our lab, we came across a very interesting malware sample (SHA256: 9173b5a1c2ca928dfa821fb1502470c7f13b66ac2a1638361fda141b4547b792).\r\nhttps://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/\r\nPage 1 of 5\r\nIt starts with the .NET sample deobfuscating itself, then performing process hollowing and filling the hollowed process with a native Windows image. The native Windows image injects into the explorer.exe process. The payload inside explorer.exe creates a suspended svchost.exe process and injects into it. The sample thus uses three different injection methods (we consider process hollowing to be an injection technique as well). The SHA256 of the payload inside svchost.exe is c54b92a86c9051172954fd64573dd1b9a5e950d3ebc581d02c8213c01bd6bf14. As of 20 March 2018, this payload was flagged by only 29 of 62 anti-malware engines. The original sample, which dates back to 2014, was flagged by 47 of 62.\r\nWhile the process hollowing and the second injection into explorer.exe are trivial, the third technique caught our attention. Let’s have a look at the debugger before the injection into svchost.exe happens.\r\nFigure 1 – A suspended svchost.exe process is created\r\nAt this point the malware creates a suspended svchost.exe process. Common legitimate Windows processes are among malware’s favorite targets. svchost.exe is a Windows process designated to host services.\r\nAfter creating the process, the malware allocates memory in it and writes code into the allocated memory region. To execute this code, it calls NtQueueApcThread to queue an asynchronous procedure call (APC) on the main thread of svchost.exe. Next, it calls NtResumeThread, which decrements the suspend count of that thread to zero, so the main thread of svchost.exe resumes execution; if the thread is in an alertable state, the APC executes first.\r\nFigure 2 – Queuing an APC to svchost.exe main thread and resuming the thread\r\nWhen queuing an APC to a thread, the thread must be in an alertable state in order for that APC to execute. According to the Microsoft documentation:\r\n“When a user-mode APC is queued, the thread to which it is queued is not directed to call the APC function unless it is in an alertable state. A thread enters an alertable state when it calls the SleepEx, SignalObjectAndWait, MsgWaitForMultipleObjectsEx, WaitForMultipleObjectsEx, or WaitForSingleObjectEx function”\r\nBut the thread has not even started its execution, since the process was created in a suspended state. How does the malware “know” that this thread will be alertable at some point? Does this method work exclusively on svchost.exe, or will it always work when a process is created in a suspended state?\r\nTo check this, we patched the malware so that it would inject into other processes of our choice, and saw it work against various other processes as well. We went further and researched what happens when a main thread is resumed after its process is created in a suspended state.\r\nBy putting a breakpoint on the call to NtQueueApcThread, we can see that the APC address in svchost.exe is 0x00062f5b. We attached a debugger to this process and put a breakpoint on that address. Here is what the svchost.exe process looks like at 0x00062f5b (the start address of the APC).\r\nFigure 3 – The APC starts execution at svchost.exe\r\nLet’s look at the call stack (figure 4) after resuming the thread. Our breakpoint on 0x00062f5b was hit as expected:\r\nFigure 4 – The call stack of svchost.exe\r\nWe first have to note that every user-mode thread begins its execution at the LdrInitializeThunk function. Looking at the bottom of the call stack, we see LdrpInitialize, which is called from LdrInitializeThunk (figure 5). Tracing into LdrpInitialize, we see that it jumps to the function _LdrpInitialize (figure 6). Inside _LdrpInitialize there is a call to NtTestAlert (figure 7), a system call that checks whether a user-mode APC is pending for the current thread and, if one is, has the kernel deliver it. Before returning to user mode, the kernel prepares the user-mode thread to jump to KiUserApcDispatcher, which in our case executes the malicious code.\r\nFigure 5 – 0x76e539c1 led to an address after the call from LdrpInitialize\r\nFigure 6 – Inside LdrpInitialize there is a jump to _LdrpInitialize\r\nFigure 7 – Inside _LdrpInitialize there is a call to NtTestAlert\r\nWe can confirm that this APC was executed by KiUserApcDispatcher (figure 8) by looking at the call stack again: the return address of the frame at 0x00062f5b is 0x76e36f9d, right after the call from KiUserApcDispatcher.\r\nFigure 8 – KiUserApcDispatcher executed the APC\r\nTo sum it up, the execution flow that led to the execution of the APC is:\r\nLdrInitializeThunk → LdrpInitialize → _LdrpInitialize → NtTestAlert → KiUserApcDispatcher\r\nAn important note about this injection method is that it runs the malicious code at a very early stage of thread initialization, before many security products place their hooks, which allows the malware to perform its malicious actions without being detected.\r\nIn the wild\r\nThis technique was seen in other samples in our lab (SHA256):\r\n165c6f0b229ef3c752bb727b4ea99d2b1f8074bbb45125fbd7d887cba44e5fa8\r\n368b09f790860e6bb475b684258ef215193e6f4e91326d73fd3ab3f240aedddb\r\na82c9123c12957ef853f22cbdf6656194956620d486a4b37f5d2767f8d33dc4d\r\nd17dce48fbe81eddf296466c7c5bb9e22c39183ee9828c1777015c1652919c30\r\n5e4a563df904b1981d610e772effcb005a2fd9f40e569b65314cef37ba0cf0c7\r\nThe last two 
samples in this list are the most recent, dated 31 October 2017. These samples are the “TurnedUp” backdoor written by the Iranian hacking group APT33. Figure 9 is a screenshot from the last sample, which shows the use of this technique in an injection into rundll32.exe, a legitimate Windows process used to run exported functions from DLL files.\r\nFigure 9 – A suspended rundll32.exe process is created, followed by injection using QueueUserAPC\r\nIn this sample, the APC is used to establish persistence on the system. In figure 10 you can see where the APC starts (0x90000) inside rundll32.exe. Going just a bit further reveals that the malware writes a key to the Windows registry to maintain persistence, by executing ShellExecuteA with cmd and a specific command (figure 11). The cmd command is:\r\n“/c REG ADD HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d \\”C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\StikyNote.exe\\””\r\nIn this case, if a hook on ShellExecuteA is placed only after the APC has already run, this ‘Early Bird’ call and its parameters slip past before the hook exists, and an important malware behavior goes undetected.\r\nFigure 10 – APC starts execution at rundll32.exe\r\nFigure 11 – The call to ShellExecuteA\r\nThe third sample in the list (a82c9123c12957ef853f22cbdf6656194956620d486a4b37f5d2767f8d33dc4d) dates back to 2011 and is variant D of the notorious Carberp malware.\r\nCyberbit provides an Endpoint Detection and Response (EDR) solution which successfully detects the ‘Early Bird’ injection technique. 
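The call sequence described in this post (a process created suspended, memory written into it, NtQueueApcThread on its main thread, then NtResumeThread) is visible to a kernel-side data source no matter when user-mode hooks land in the new process. As an added example that is not part of the original post and is not Cyberbit’s detection logic, the Python below replays a constructed trace of such calls through a small stateful detector. The event format, the field names (pid, tid, new_pid, routine) and the sample PIDs are assumptions made for the example; the API names and the APC addresses 0x62f5b and 0x90000 come from the post, and CREATE_SUSPENDED is the documented Windows creation flag.

```python
# Added example, not code from the post or from Cyberbit: a stateful detector
# for the Early Bird API sequence, run over a constructed trace.
# Event dicts, their field names and the PIDs/TIDs are assumptions; a real
# feed would be ETW, kernel callbacks or a sandbox syscall log.
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess


@dataclass
class ThreadState:
    pid: int
    ever_resumed: bool = False             # True once the thread has run at all
    pending_apcs: list = field(default_factory=list)


@dataclass
class ProcessState:
    image: str
    creator_pid: int
    created_suspended: bool


class EarlyBirdDetector:
    '''Tracks processes and threads and flags a cross-process APC queued into a
    thread that has not yet executed its first instruction (Early Bird).'''

    def __init__(self):
        self.procs = {}     # pid -> ProcessState
        self.threads = {}   # tid -> ThreadState
        self.alerts = []

    def feed(self, ev):
        api, caller = ev['api'], ev['pid']
        if api == 'CreateProcess':
            suspended = bool(ev['flags'] & CREATE_SUSPENDED)
            self.procs[ev['new_pid']] = ProcessState(ev['image'], caller, suspended)
            # A suspended primary thread has never run; a normal one starts at once.
            self.threads[ev['new_tid']] = ThreadState(ev['new_pid'], ever_resumed=not suspended)
        elif api == 'NtQueueApcThread':
            t = self.threads.get(ev['tid'])
            if t is None or t.pid == caller:
                return self.alerts   # unknown thread, or an ordinary intra-process APC
            if not t.ever_resumed:
                # Cross-process APC into a thread that has never run: the verdict
                # is final once the thread is resumed and the APC is about to fire.
                t.pending_apcs.append({'from': caller, 'routine': ev['routine']})
            else:
                self._alert('apc_injection', caller, t.pid, ev['tid'], ev['routine'])
        elif api == 'NtResumeThread':
            t = self.threads.get(ev['tid'])
            if t is None:
                return self.alerts
            if not t.ever_resumed:
                for apc in t.pending_apcs:
                    self._alert('early_bird', apc['from'], t.pid, ev['tid'], apc['routine'])
                t.pending_apcs.clear()
            t.ever_resumed = True
        # NtAllocateVirtualMemory / NtWriteVirtualMemory are not needed for the
        # verdict here; a production rule would use them to raise confidence.
        return self.alerts

    def _alert(self, technique, src_pid, dst_pid, tid, routine):
        image = self.procs[dst_pid].image if dst_pid in self.procs else '?'
        self.alerts.append({'technique': technique, 'source_pid': src_pid,
                            'target_pid': dst_pid, 'target_image': image,
                            'tid': tid, 'apc_routine': routine})


def run_detector(events):
    d = EarlyBirdDetector()
    for ev in events:
        d.feed(ev)
    return d.alerts


# Constructed trace: the flow from the post (suspended svchost.exe, APC queued,
# thread resumed), a benign suspended create that is resumed without any APC,
# and a classic APC injection into an already running thread for contrast.
SAMPLE_TRACE = [
    {'api': 'CreateProcess', 'pid': 1000, 'new_pid': 2000, 'new_tid': 2001,
     'image': 'svchost.exe', 'flags': CREATE_SUSPENDED},
    {'api': 'NtAllocateVirtualMemory', 'pid': 1000, 'target_pid': 2000, 'protect': 0x40},
    {'api': 'NtWriteVirtualMemory', 'pid': 1000, 'target_pid': 2000, 'base': 0x62000},
    {'api': 'NtQueueApcThread', 'pid': 1000, 'tid': 2001, 'routine': 0x62f5b},
    {'api': 'NtResumeThread', 'pid': 1000, 'tid': 2001},
    {'api': 'CreateProcess', 'pid': 3000, 'new_pid': 3100, 'new_tid': 3101,
     'image': 'notepad.exe', 'flags': CREATE_SUSPENDED},
    {'api': 'NtResumeThread', 'pid': 3000, 'tid': 3101},
    {'api': 'CreateProcess', 'pid': 4000, 'new_pid': 4100, 'new_tid': 4101,
     'image': 'explorer.exe', 'flags': 0},
    {'api': 'NtQueueApcThread', 'pid': 1000, 'tid': 4101, 'routine': 0x90000},
]

if __name__ == '__main__':
    for a in run_detector(SAMPLE_TRACE):
        print(a)
```

The detector separates the Early Bird case (an APC queued into a thread that has never run, reported when that thread is resumed) from classic APC injection into a running thread, and stays silent for a process that is merely created suspended and resumed, as debuggers and some launchers do. Feeding it a kernel-level trace rather than relying on in-process hooks is the point the post makes: by the time a hook is placed in the new process, the APC has already run.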
To learn more, visit the Cyberbit EDR page.\r\nAnalysis of ‘Early Bird’ injection automatically created by Cyberbit EDR\r\nHod Gavriel is a malware analyst at Cyberbit.\r\nBoris Erbesfeld is a principal software engineer at Cyberbit.\r\nSource: https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/"
	],
	"report_names": [
		"new-early-bird-code-injection-technique-discovered"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434886,
	"ts_updated_at": 1775791963,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12ddded018fdbc6e44aa3f309673b51eac04fd42.pdf",
		"text": "https://archive.orkl.eu/12ddded018fdbc6e44aa3f309673b51eac04fd42.txt",
		"img": "https://archive.orkl.eu/12ddded018fdbc6e44aa3f309673b51eac04fd42.jpg"
	}
}