Early Bird Code Injection Technique

Early Bird is a new code injection technique that enables malicious users to effectively avoid anti-malware detection. The technique is known to be part of malware used by the Iranian advanced persistent threat (APT) group APT33.

The technique uses legitimate Windows processes such as svchost.exe to inject the code into an application before the actual process starts and before the anti-malware product has started to monitor it.

Anti-malware products have a process called hooking which is designed to detect this type of technique. However, Early Bird loads the malicious code at a very early stage of process start-up, before many anti-malware products have placed their hooks, so it can go undetected.
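The timing described above (code written into a process before it actually starts) can be expressed as a detection rule over endpoint telemetry. The following is an added example, not code from the original post or from Cyberbit; the event schema, the event type names and the sample events are constructed for illustration and assume a sensor that records these events from outside the target process.

```python
import json

# Constructed telemetry (not from the Cyberbit report). Hypothetical schema:
# ts = sequence number, actor = PID doing the action, target = PID acted upon.
SAMPLE_EVENTS = """
{"ts": 1, "type": "process_create", "actor": 4120, "target": 5000, "image": "svchost.exe"}
{"ts": 2, "type": "remote_write", "actor": 4120, "target": 5000}
{"ts": 3, "type": "main_thread_start", "actor": 5000, "target": 5000}
{"ts": 4, "type": "process_create", "actor": 700, "target": 5100, "image": "notepad.exe"}
{"ts": 5, "type": "main_thread_start", "actor": 5100, "target": 5100}
{"ts": 6, "type": "remote_write", "actor": 900, "target": 5100}
"""

def parse_events(text):
    """Parse one JSON event per non-empty line, ordered by sequence number."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])

def find_pre_start_writes(events):
    """Return alerts for cross-process writes into a process that has been
    created but whose main thread has not started running yet."""
    not_started = {}  # target PID -> image name while the process is pre-start
    alerts = []
    for ev in events:
        kind, actor, target = ev["type"], ev["actor"], ev["target"]
        if kind == "process_create":
            not_started[target] = ev.get("image", "?")
        elif kind == "main_thread_start":
            not_started.pop(target, None)
        elif kind == "remote_write" and actor != target and target in not_started:
            # Memory was modified by another process before the target began
            # executing: the window in which in-process hooks are not yet placed.
            alerts.append({"ts": ev["ts"], "writer": actor,
                           "target": target, "image": not_started[target]})
    return alerts

if __name__ == "__main__":
    for alert in find_pre_start_writes(parse_events(SAMPLE_EVENTS)):
        print("pre-start write:", alert)
```

The write at `ts` 6 is not flagged by this rule because its target has already started, which is the case hook-based monitoring is positioned to see.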

Cyberbit provides an Endpoint Detection and Response (EDR) solution which successfully detects the ‘Early Bird’ injection technique. To learn more, visit the Cyberbit EDR page.

Affected Platforms

Microsoft Windows – All versions

Cyberbit published a report with the details of the injection process, along with the YouTube video shown above.




Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
