@GossiTheDog is Mythos going to be the new go-to excuse, after no one believed that they were hit by an "Advanced Attacker"?
tiraniddo@infosec.exchange
-
Not in the article but the login for the breached account was in an infostealer dump, the engineer installed a Roblox mod on his home PC, which he also used for work.
-
Fucks sake, Defender is now signaturing on builds of my v2 version of NtObjectManager, god knows why.
@oct0xor that's what caused v1 to be detected. In v2 I tried my best to refactor it until it stopped detecting and have never used it for a PoC since. Still, something must have decided to use it, or Defender is just detecting the use of a native API which happens to be used by malware somewhere.
-
Fucks sake, Defender is now signaturing on builds of my v2 version of NtObjectManager, god knows why. I fucking hate MS and Defender especially.