As endpoint defenses hardened, attackers went lower — abusing the mechanics of how programs execute. Running code directly from the stack (rather than from normal executable memory) is one such trick, used to slip past protections that assume code lives where code is supposed to live. Detecting it requires watching execution at a very fine grain.
Malwarebytes Inc.'s US11816203B2, “Stack execution detection in a sandbox environment” (issued November 14, 2023; CPC G06F 21/53 — execution in a protected/sandboxed environment), describes detecting stack execution while a sample runs in a sandbox. Read it at US11816203B2.
Mechanically, the sandbox does not just run the sample and watch its high-level actions — it instruments execution closely enough to notice when code runs from the stack, a strong indicator of exploitation or shellcode. The detonation environment becomes a microscope on execution mechanics, not just a behavioral observation room. Malwarebytes paired this with a companion grant on exception-handler abuse in the sandbox in the same year.
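The check described above, as an added example (not code from the patent or from Malwarebytes): it classifies sampled instruction pointers against a memory-map snapshot and reports those that land in the stack mapping. The Linux `/proc/<pid>/maps` format, the `(thread id, instruction pointer)` trace shape, and every sample value are assumptions constructed for illustration.

```python
from bisect import bisect_right
from typing import NamedTuple

class Region(NamedTuple):
    start: int
    end: int      # exclusive upper bound
    perms: str
    name: str

# Constructed snapshot in Linux /proc/<pid>/maps format (not from a real process).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1311 /opt/sample/target
00651000-00653000 rw-p 00051000 08:01 1311 /opt/sample/target
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a2c1d0000-7f3a2c38f000 r-xp 00000000 08:01 2755 /lib/x86_64-linux-gnu/libc.so.6
7ffd5a2e1000-7ffd5a302000 rwxp 00000000 00:00 0 [stack]
"""

# Constructed trace: (thread id, sampled instruction pointer).
SAMPLE_TRACE = [
    (101, 0x00401A20),       # program text
    (101, 0x7F3A2C1F4410),   # libc text
    (101, 0x7FFD5A2F0040),   # inside [stack]
    (101, 0x7FFD5A302000),   # one past the end of [stack]: not a hit
]

def parse_maps(text):
    """Parse maps lines into Regions sorted by start address."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        start, end = (int(x, 16) for x in fields[0].split("-"))
        name = fields[5].strip() if len(fields) == 6 else ""  # anonymous mappings have no name
        regions.append(Region(start, end, fields[1], name))
    return sorted(regions)

def find_stack_execution(maps_text, trace):
    """Return (tid, ip, perms) for each sampled ip inside the [stack] mapping."""
    regions = parse_maps(maps_text)
    starts = [r.start for r in regions]
    hits = []
    for tid, ip in trace:
        i = bisect_right(starts, ip) - 1          # last region starting at or below ip
        if i >= 0 and ip < regions[i].end and regions[i].name == "[stack]":
            hits.append((tid, ip, regions[i].perms))
    return hits
```

The returned permissions string shows whether the stack mapping was executable at snapshot time; only the main thread's stack carries the `[stack]` label, so covering other threads would need per-thread stack bounds from the instrumentation.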
Why this is a business story: Malwarebytes built a brand on catching what mainstream antivirus missed, and depth-of-detection IP like this is what lets a mid-size vendor defend a premium position against the platform giants. As the company has evolved its consumer and business lines, this kind of differentiated detection capability is the moat that keeps it relevant in a market consolidating around a few large platforms.
The grounded read: stack-execution detection catches a low-level evasion trick by instrumenting how code runs inside the sandbox. Malwarebytes' 2023 grant names that fine-grained detection — the depth-of-detection edge a focused vendor uses to compete with the platforms.