Bulwark: Anatomy of EDR/AV Redefines Malware Evasion
In 2025, a tool named Bulwark began circulating on underground markets, promising complete invisibility for Windows executables. Marketed as a legitimate “protection” solution, it caught the attention of SOCRadar researchers, who conducted a detailed technical analysis to uncover its real capabilities.
The findings revealed that Bulwark is not a harmless wrapper. It is designed to bypass antivirus and EDR systems, giving attackers more time to operate before being detected.
This blog summarizes SOCRadar’s key discoveries from the Bulwark whitepaper, exploring how the tool works, how effective it is, and what it means for defenders.

Full analysis available in the SOCRadar Bulwark whitepaper.
What is Bulwark?
Bulwark is promoted as a tool that “protects” Windows applications from reverse engineering and antivirus detection. On the surface, this might sound similar to commercial packers used by legitimate developers to safeguard intellectual property. However, SOCRadar’s analysis revealed that Bulwark’s true design and market positioning tell a different story.
Rather than targeting software vendors or security researchers, Bulwark is heavily advertised in underground cybercrime forums, especially on database[.]forum, a platform known for distributing infostealers, loaders, and bypass utilities. There, Bulwark is not sold as a defensive technology but as a weaponized evasion framework, allowing malicious actors to conceal payloads such as stealers, RATs, and loaders under the guise of “protected executables.”

Bulwark’s alleged capabilities
The tool’s appeal lies in its simplicity. With only a few clicks, users can wrap any binary and instantly gain multiple evasion layers: encryption, polymorphism, anti-analysis, and optional persistence. No advanced coding or malware development skills are required. This accessibility has turned Bulwark into a commercial entry point for less experienced threat actors, allowing them to deploy malware that slips past signature-based antivirus at the point of initial execution.
From an ecosystem perspective, Bulwark represents a larger shift in how cybercrime services are structured and sold. Like many “as-a-service” offerings in the underground economy, it follows a subscription-based model, often with tiers granting access to additional modules such as AMSI or ETW bypassing, or startup persistence. The developers behind Bulwark also maintain a Telegram channel for updates, technical support, and affiliate marketing, mirroring the customer care experience of legitimate software vendors.

Bulwark’s alleged system performance metrics
The growing adoption of tools like Bulwark matters for defenders because it blurs the line between low-skill and high-skill attackers. In the past, complex obfuscation and runtime manipulation techniques required expertise. Today, they are commoditized, packaged, and sold in user-friendly dashboards that anyone can operate.
In other words, Bulwark does not just hide malware. It democratizes evasion, allowing threat actors of all levels to weaponize legitimate development concepts for malicious ends. This evolution challenges defenders to rethink detection strategies, focusing less on file signatures and more on behavioral and contextual Indicators of Compromise.
How Does Bulwark Achieve Evasion?
SOCRadar’s analysis reveals that Bulwark uses a multi-layered protection process designed to evade both antivirus and EDR detection. Each “protected” build applies encryption and polymorphism so that every generated sample appears unique, preventing reliable signature matching.
The tool integrates AMSI and ETW bypass modules: the AMSI bypass blinds real-time scanning of script content, and the ETW bypass cuts off the event telemetry that many EDR sensors rely on. It also includes anti-VM and anti-sandbox mechanisms, detecting analysis environments and refusing to run under controlled conditions. This allows the payload to remain dormant until executed on a real target system.
In addition, Bulwark offers process injection and persistence options, enabling the packed file to load itself into legitimate processes or relaunch after reboot. All these features can be toggled directly from its graphical builder, giving the operator full control without writing a single line of code.

Header information of the file before Bulwark

Header information of the file after Bulwark
Once executed, the wrapper decrypts the original payload in memory instead of writing it to disk. Because only the encrypted form ever touches disk, static scanning of the file finds nothing to match, and behavioral alerts are delayed until the payload actually starts acting, giving attackers valuable time to operate undetected.
Can Bulwark really defeat modern defenses?
SOCRadar’s testing shows that Bulwark can bypass some antivirus products during initial execution but struggles against advanced behavior-based detection. In controlled lab tests, researchers packed a known malware sample with Bulwark and executed it across several popular security solutions.
Microsoft Defender and Bitdefender failed to detect the protected sample at launch, while Avast/AVG blocked it immediately. SentinelOne allowed the process to run but later raised alerts after detecting suspicious activity such as keylogging and process injection.
These results confirm that Bulwark can delay detection, especially during the delivery phase, but it cannot completely avoid exposure once the malware begins interacting with the system. The tool hides static indicators effectively but cannot disguise behavior that violates endpoint security rules.

After a desktop scan, Windows Defender reports no threat: it finds nothing harmful in the binary statically
For defenders, this highlights a crucial point: static scanning alone is no longer enough. Tools like Bulwark exploit the gap between initial execution and behavioral analysis. Systems that rely only on file signatures may fail to detect the threat in time, while modern EDRs that monitor runtime actions still stand a strong chance of catching the payload.
What ecosystem supports Bulwark?
Bulwark does not operate in isolation. SOCRadar’s investigation shows that it is part of a larger underground ecosystem that connects packers, stealers, loaders, and testing services. These interlinked tools create a full supply chain for cybercrime, similar to how legitimate software companies manage development and delivery.
Within this network, Bulwark frequently appears alongside Aura Stealer, Protection Club, and AV-Lab.
- Aura Stealer is an infostealer that collects credentials and browser data through a Telegram-based control panel.
- Protection Club sells loaders and other bypass tools that deliver malicious payloads.
- AV-Lab offers a multi-engine testing service that helps actors verify whether their samples are detected by common antivirus products.
Together, these services form a malware-as-a-service (MaaS) model where each product covers one stage of an attack: creation, obfuscation, testing, and distribution. This structure allows even low-skilled actors to launch advanced campaigns using ready-made tools and technical support from private Telegram channels.
SOCRadar researchers also observed cross-promotion between these brands inside dark web communities. Bulwark’s developers advertise integration with other tools and share updates through multiple channels, reinforcing its position as part of a coordinated underground business model.

SOCRadar observed cross-promotion between Bulwark and related services across the dark web.
This collaboration highlights a growing professionalization of the threat landscape. Each service specializes in a different part of the attack chain, allowing criminals to operate faster, scale wider, and stay hidden longer.
What can defenders learn from SOCRadar’s findings?
Bulwark demonstrates a clear trend in the cybercrime ecosystem: evasion has become a service. Attackers no longer need to build custom loaders or packers. Instead, they can subscribe to pre-made solutions that automate encryption, obfuscation, and detection bypassing. This change lowers the entry barrier and increases the number of capable threat actors operating in the wild.
SOCRadar’s findings show that traditional security layers are not enough on their own. Static signatures and file hashes fail when malware is constantly repacked and re-encrypted. Instead, defenders must focus on behavioral and contextual visibility across endpoints, networks, and identities.
To stay ahead of tools like Bulwark, SOCRadar recommends:
- Strengthening behavior-based detection and correlating telemetry from EDR and network sources.
- Monitoring for AMSI and ETW tampering, especially in PowerShell or script-heavy environments.
- Hunting for high-entropy executables or random file names in user-level startup paths.
- Using threat intelligence to block known domains and infrastructure tied to Bulwark and related actors.
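The third recommendation above (hunting for high-entropy executables) follows directly from the in-memory decryption described in the evasion section: a crypted payload that never touches disk in clear form still has to sit somewhere in the file, and that somewhere is a section whose bytes look like random data. The script below is an added example for this post, not SOCRadar's tooling and not code from the Bulwark whitepaper. It parses the PE section table by hand (no third-party modules) and scores each section with Shannon entropy. The 7.2 bits/byte threshold, the 256-byte minimum section size, and the two sample binaries it builds are assumptions constructed for illustration; the samples are not real malware and will not load.

```python
"""Section-entropy triage for Windows PE files (added example, see lead-in)."""
import hashlib
import math
import struct
import sys
from collections import Counter

HIGH_ENTROPY = 7.2        # assumption: encrypted/compressed data sits above this
MIN_SECTION_SIZE = 256    # assumption: ignore tiny sections (e.g. a 32-byte stub)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data: bytes):
    """Return [(name, raw_offset, raw_size)] from the PE section table.

    Raises ValueError for anything that is not a well-formed PE, including a
    section table that runs past the end of the file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER follows the signature
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size             # section table follows the optional header
    if table + num_sections * SECTION_HDR.size > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(
            data, table + i * SECTION_HDR.size)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return sections


def triage(data: bytes):
    """Score every section; verdict is 'packed' if any sizeable section looks encrypted."""
    scored = [(name, size, shannon_entropy(data[ptr:ptr + size]))
              for name, ptr, size in parse_sections(data)]
    packed = any(size >= MIN_SECTION_SIZE and ent >= HIGH_ENTROPY for _, size, ent in scored)
    return ("packed" if packed else "clean"), scored


def build_pe(sections):
    """Assemble a minimal PE32 image from [(name, raw_bytes)].

    Constructed test input for this example only: it will not load or run, and
    only the header fields parse_sections() reads are filled in.
    """
    e_lfanew, opt_size = 0x40, 0xE0          # 0xE0 = size of a PE32 optional header
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + SECTION_HDR.size * len(sections)
    table, body = b"", b""
    for name, blob in sections:
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(blob), 0x1000, len(blob),
                                  raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(blob)
        body += blob
    return dos + b"PE\0\0" + coff + bytes(opt_size) + table + body


# Constructed samples (not real malware): a repetitive code stub, plain read-only
# data, and a 4 KiB deterministic pseudorandom blob standing in for an encrypted payload.
STUB_CODE = bytes.fromhex("554889e54883ec20") * 256
PLAIN_DATA = b"Copyright (c) Example Corp. All rights reserved.\0" * 80
ENCRYPTED_BLOB = b"".join(
    hashlib.sha256(b"demo-keystream" + i.to_bytes(4, "little")).digest() for i in range(128))
CLEAN_SAMPLE = build_pe([(b".text", STUB_CODE), (b".rdata", PLAIN_DATA)])
PACKED_SAMPLE = build_pe([(b".text", STUB_CODE), (b".data", ENCRYPTED_BLOB)])

if __name__ == "__main__":
    if sys.argv[1:]:
        samples = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    else:
        samples = [("clean-sample", CLEAN_SAMPLE), ("packed-sample", PACKED_SAMPLE)]
    for label, data in samples:
        verdict, scored = triage(data)
        print(f"{label}: {verdict}")
        for name, size, ent in scored:
            print(f"  {name:<8} {size:>8} bytes  {ent:.2f} bits/byte")
```

Run it with no arguments to see the two constructed samples scored, or pass paths to files collected from user-level startup locations. Entropy alone is a triage signal, not a verdict: legitimately signed installers and games ship compressed resources that score just as high, so the hit should feed the behavioral correlation the first recommendation calls for rather than trigger a block on its own.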
These actions help close the visibility gap that commercial packers create. As underground tools evolve, defenders who adapt faster and rely on continuous intelligence will maintain a stronger position against modern evasion tactics.
SOCRadar will continue to monitor the dark web ecosystem and other emerging evasion services to provide timely insights for organizations worldwide.

