Avoid known malware signatures and behaviors - Use direct system calls instead of API calls that are hooked by EDR - Implement sleep obfuscation to evade memory scanning - Use legitimate execution methods (reflective loading, process hollowing, module stomping) - Develop custom C2 protocols that ble