Red Team Premium

Sleep Obfuscation

C2 beacons spend most of their time sleeping. During sleep, the shellcode sits in memory as a recognisable RX (read-execute) region, trivially caught by any memory scanner. Sleep obfuscation (Ekko ROP-chain timer, FOLIAGE NtWait APC, Nightcap heap walk) encrypts the beacon's memory during the sleep period, defeating pattern-match scanners. This article covers how defenders find sleeping-but-encrypted beacons anyway.
