June 18, 2026
Introduction
This article provides a deep technical analysis of the malware deployed by the TeamPCP threat actor, primarily through the compromised Telynx NPM package.
This article focuses on the EDR evasion and other bypass techniques used by the TeamPCP malware (msbuild.exe). The sample stands out for its heavy use of defense evasion: NTDLL unhooking, indirect syscalls via the Bouncy Gate technique, ETW patching, and reflective loading with Donut-generated shellcode. Let's dive into the details.

EDR Evasion Technique
Microsoft exposes the Windows API through layers of user-mode DLLs. When a user-mode executable calls an API function, control passes through one or more of these layers before it finally reaches kernel mode.
For example, when an executable calls CreateFileA in kernel32.dll, the request is forwarded internally to NtCreateFile in NTDLL.dll. NTDLL.dll holds the small stub that loads the system call number into EAX and then executes the syscall instruction that transitions execution into the kernel (ntoskrnl.exe). Since ntoskrnl.exe runs exclusively in kernel mode, user-mode applications cannot call its functions directly, so NTDLL.dll is the last user-mode code to run before the transition. That is exactly why both EDR vendors and malware authors care about it.
When an EDR solution is installed on a host, it loads its own DLL into every running process and places inline hooks on frequently abused functions in NTDLL.dll: the first instructions of the function are overwritten with a jump into the EDR's DLL, which inspects the parameters passed to the function, then executes the displaced instructions and continues into the original function so the request still reaches the kernel (this redirect-and-return mechanism is commonly referred to as a syscall trampoline).
Malware authors have long used several techniques to bypass these hooks. One is to walk the export address table (EAT) of NTDLL.dll and read each system call number straight out of the mov eax, <number> instruction at the start of its stub (the Hell's Gate technique), paired with custom implementations of GetModuleHandleA and GetProcAddress that walk the PEB's loaded-module list by hand, so that resolving the numbers never goes through an imported, hookable API. Hell's Gate has an obvious weakness: if the EDR has already overwritten the first bytes of a stub with its jump, the number is no longer there to read, which is one reason newer loaders look for a clean copy of NTDLL.dll instead.
Another common approach is to obtain a clean, unhooked copy of NTDLL.dll from the memory of a process that the EDR has not hooked yet. The malware creates a new process with its primary thread suspended: at that point NTDLL.dll is already mapped into the new process, but the EDR's DLL has not been loaded into it, so the malware can read NTDLL.dll's code section out of the suspended process and use that clean copy to resolve syscall numbers (the Perun's Fart technique).
TeamPCP Malware – Msbuild.exe
The TeamPCP malware first checks whether the NTDLL.dll functions it needs are hooked by an EDR. If hooks are detected, it reads a fresh copy of NTDLL.dll from disk (C:\Windows\system32\ntdll.dll) instead of relying on the potentially hooked image already mapped in the process.

It opens the file with the CreateFileA API using GENERIC_READ access, reads it, and maps the clean NTDLL.dll into memory. It then parses the clean image, extracts the syscall numbers of the API functions it needs from their stubs, and stores them in memory for use in subsequent operations. Note that this read still goes through CreateFileA and the hooked NTDLL.dll: the file open is an ordinary, fully visible operation, and a process that opens ntdll.dll for reading outside of the loader is in itself an unusual event worth hunting for.

As a result, two copies of NTDLL.dll end up in the process: a clean, unhooked copy mapped purely to extract syscall numbers, and the original, EDR-hooked image, which remains the one through which the syscalls are actually issued. This is itself a detection opportunity: a second image of ntdll.dll in a process's memory map, or a file handle to ntdll.dll held by a process that is not the loader, is a strong hunting signal for unhooking.
Let’s review the details below.
After loading the clean NTDLL.dll, the malware uses the Bouncy Gate technique to issue its syscalls without ever executing the EDR's hooks. The technique works as follows:
The malware goes back to the hooked NTDLL.dll image that remains mapped in the process. Because EDR solutions typically hook only the most commonly abused functions in NTDLL.dll, it scans the stubs for a syscall instruction the EDR has left untouched and saves the address of that clean syscall stub for use in subsequent operations.

Instead of calling the hooked API directly with its parameters, the malware sets up the parameters on the stack and in registers as the x64 calling convention requires and invokes the call through a custom wrapper function.

This wrapper jumps to a short code sequence that moves the syscall number of the specific API function (taken from the clean copy) into the EAX register and the address of the clean syscall stub (the one previously located in the mapped NTDLL.dll) into the R11 register, then transfers control to that address so the syscall instruction executes from within NTDLL.dll (the Bouncy Gate technique).

This ensures that every syscall is still executed from inside NTDLL.dll's legitimate code. The hooked function prologue is never run, so the EDR's user-mode hook sees nothing, yet the instruction pointer at the moment of the kernel transition lies within NTDLL.dll, which defeats detections that flag syscalls issued from unbacked or non-NTDLL memory. The caveat for both sides is that this only blinds user-mode hooks: kernel callbacks and kernel-side ETW providers still observe the resulting process, thread, memory and file operations.
Overwrites ETW
Event Tracing for Windows (ETW) is the built-in telemetry mechanism of Windows: providers emit events, trace sessions collect them, and consumers such as the Windows Event Log and EDR sensors read them. This data gives incident responders valuable visibility into the changes malware makes on a system.
In NTDLL.dll, the EtwEventWrite function is the user-mode entry point for writing an event to the active tracing sessions that have enabled the calling provider; the sessions record these events and forward them to their consumers, including the Windows Event Logs.
Unmodified, EtwEventWrite begins with the instruction mov r11, rsp. The malware patches the function by overwriting its first byte with the opcode 0xC3 (a RET instruction), so every call returns immediately and no event is ever written.

This one-byte patch silences every ETW event that user-mode code in the patched process would emit, including the .NET runtime and script-engine providers that EDRs rely on, and creates a significant blind spot for defenders and incident responders. Two caveats a practitioner should keep in mind: the patch affects only the process whose NTDLL.dll was modified (kernel-mode providers such as the Threat Intelligence provider are unaffected), and it is easy to spot, since the first byte of EtwEventWrite in memory no longer matches the on-disk image, and writing it required changing the protection of a page in NTDLL.dll's code section first.
Donut Loader Evasion
The Donut loader implements several well-known user-mode hooking/patching techniques to disable security mechanisms before its payload runs:
AMSI Bypass (Antimalware Scan Interface): loads amsi.dll into memory, then patches the functions AmsiScanBuffer and AmsiScanString with a fake implementation that always returns S_OK with the scan result set to AMSI_RESULT_CLEAN, effectively neutering any AMSI-based scanning of the payload Donut loads.
WLDP Bypass (Windows Lockdown Policy / Windows Defender Application Control): overwrites WldpQueryDynamicCodeTrust and WldpIsClassInApprovedList with dummy functions that report the code as trusted, allowing dynamically generated or untrusted code to execute without triggering a policy block.
ETW Bypass (Event Tracing for Windows): patches the EtwEventWrite function, as described above, so security products receive no ETW telemetry about the loader's activity.
Please check out the article below for a detailed breakdown of the full TeamPCP malware attack chain.