Platinum malware using Hot Patching since 2009
A group that Microsoft researchers call Platinum has been leveraging a technique known as hot patching to hide it's malware from security products. This group has been effectively using this technique since 2009, and has possibly infected many Asian government, defence and intelligence agencies.
The group has traditionally used spear phishing to target specific organizations and individuals as its main attack vector, following it with exploits for zero-day vulnerabilities to install custom malware. To remain stealth, it launches only a few attack campaigns each year. The custom malware used by this group has self-deletion capabilities and is designed to hide in target's peak traffic, by only operating during target's business hours.
Hotpatching is an obscure feature that was first introduced in Windows Server 2003 and allows dynamic update of system components without the need for a system restart. Hotpatching was removed in Windows 8 and later versions, because it was rarely used. During the 12-year support life of Windows Server 2003, only 10 patches used this technique. The potential use of hotpatching as a stealth way to inject malicious code into running processes was described by security researcher Alex Ionescu at the SyScan security conference in 2013. And it is his technique that the Platinum group uses.