
Reflective Code Loading

Reflective Code Loading is a defense evasion technique (MITRE ATT&CK T1620) used during the Deepening Control phase of an attack: executable code is placed directly into the memory of a running process without being written to disk and without going through the operating system's standard loader APIs (for example LoadLibrary on Windows or dlopen on Linux). Because no file is created, the controls that key on filesystem artifacts, such as on-access antivirus scanning and image-load telemetry, have nothing to inspect.

In practice the loader allocates memory inside the target process, copies the payload into it, changes the page protection so the region becomes executable, and then redirects execution into it, for instance through a function pointer, a new thread, or an APC. Attackers use this approach to load malicious libraries, shellcode, or complete executables into legitimate processes. Detection is harder because the code exists only in memory, and loaders commonly add further evasion: keeping the payload encrypted in memory until the moment of use, custom PE loaders that resolve imports and apply relocations themselves so that no module-load event is generated, and careful handling of page permissions (writing as read/write, then flipping to read/execute, rather than leaving a conspicuous RWX region).

The technique is common in sophisticated malware frameworks, APT campaigns, and post-exploitation tools where sustained evasion of security tooling is needed to keep access to compromised systems. It is not invisible, however: executable memory that is not backed by any file on disk, protection changes on private memory, and threads whose start address lies outside any mapped module are the usual indicators, and memory scanning (VirtualQueryEx on Windows, /proc/<pid>/maps on Linux) will surface them.
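The mechanics described above, as an added example that is not code from the original page. It uses Linux mmap/mprotect (the counterparts of VirtualAlloc/VirtualProtect on Windows) and a constructed payload of a few machine-code bytes that simply return 42, so it demonstrates the allocate, copy, re-protect, redirect sequence without a full PE loader. The second half is the defender's side: it walks /proc/self/maps and counts executable mappings that have no file behind them, which is exactly the artifact a reflective load leaves. The function and variable names are the example's own.

```c
// Added example (not from the original page): the core mechanic of reflective
// code loading on Linux, and the file-less executable memory it leaves behind.
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed payload: machine code for "return 42" on two architectures.
   It is deliberately harmless; only the loading sequence matters here. */
#if defined(__x86_64__)
static const uint8_t payload[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t payload[] = { 0x40, 0x05, 0x80, 0x52,                /* mov w0,#42 */
                                   0xC0, 0x03, 0x5F, 0xD6 };              /* ret        */
#else
#error "example only carries x86_64 and aarch64 payload bytes"
#endif

typedef int (*entry_fn)(void);

/* Stages 1 and 2: anonymous (file-less) RW mapping, copy the bytes in, then
   flip the pages to RX. Writing RW first and re-protecting afterwards is the
   W^X-friendly variant; an RWX allocation would be the noisier one. */
static void *load_payload(size_t *out_len) {
    size_t len = sizeof payload;
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
    memcpy(mem, payload, len);
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return NULL;
    }
    /* Required on architectures with split I/D caches (aarch64); harmless on x86. */
    __builtin___clear_cache((char *)mem, (char *)mem + len);
    *out_len = len;
    return mem;
}

/* Defender's check: count executable mappings that are not backed by a file.
   Each /proc/self/maps line is "start-end perms offset dev inode [path]";
   a reflectively loaded region has inode 0 and either no path or an
   "[anon...]" label. Returns -1 if /proc is unavailable. */
int count_anon_exec_mappings(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512], perms[8], dev[16], path[256];
    unsigned long start, end, off, inode;
    int count = 0;
    while (fgets(line, sizeof line, f)) {
        path[0] = '\0';
        int n = sscanf(line, "%lx-%lx %7s %lx %15s %lu %255s",
                       &start, &end, perms, &off, dev, &inode, path);
        if (n < 6 || perms[2] != 'x') continue;
        if (inode == 0 && (path[0] == '\0' || strncmp(path, "[anon", 5) == 0))
            count++;
    }
    fclose(f);
    return count;
}

/* Stage 3: redirect execution into the region through a function pointer.
   While the region is alive, record what the memory scan sees. */
int run_reflective_payload(int *anon_exec_seen) {
    size_t len = 0;
    void *mem = load_payload(&len);
    if (!mem) return -1;
    *anon_exec_seen = count_anon_exec_mappings();
    entry_fn entry = (entry_fn)mem;
    int result = entry();
    munmap(mem, len);          /* tear down: the only trace was in memory */
    return result;
}

int main(void) {
    int seen = 0;
    int r = run_reflective_payload(&seen);
    printf("payload returned %d; file-less executable mappings while loaded: %d\n", r, seen);
    return r == 42 ? 0 : 1;
}
```

The scan deliberately ignores file-backed executable mappings, so a normal process reports zero; the count rises only while the anonymous RX region exists, which is why EDR memory scanners and tools such as Volatility's malfind look for exactly this combination of private, executable, unbacked memory. A loader that unmaps promptly narrows the window, but the mprotect call that turned the pages executable is still visible to a kernel-side hook or tracer.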