SKYWALKER is a fork of VADER with completely independent XOR keys across all components, producing different binary signatures. The research question: if Defender learns to detect one binary set, can an independent set with identical techniques but different signatures remain undetected? And how long does that window last before detection catches up to the technique, not just the signature?
This tests the limits of static signature detection vs behavioural heuristics — a distinction critical for understanding what Defender actually detects.
Every SKYWALKER component has a different XOR key from its VADER equivalent. The same source code, compiled with a different XOR key, produces a completely different byte sequence in the binary. Static signatures against one set do not match the other.

| Component | SKYWALKER Key | VADER Key |
|---|---|---|
| eclipse | 0xBF | 0xD6 |
| beacon | 0xDA | 0xD6 |
| thread_dll | 0xD4 | 0xA2 |
| fetch | 0x88 | — |
| sweep | 0x93 | — |

If VADER is detected but SKYWALKER is not, Defender is operating on static byte signatures — not technique-level behavioural detection. If both are detected simultaneously despite different keys, Defender has developed a behavioural signature for the technique itself — a stronger and more meaningful detection capability. SKYWALKER exists to test which is true.
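
The key dependence described above can be checked from the detection side. The following is an added example, not code from either project: it compares a byte signature taken from one build with a key-invariant signature built from the XOR of adjacent bytes, using the keys in the table. It assumes each key is a single byte applied to an embedded byte string; `MARKER` and the surrounding filler are constructed sample data.

```python
# Added example. Assumption: each component XORs an embedded byte string with
# the single-byte key listed in the table; MARKER is a constructed stand-in.
KEYS = {
    ("VADER", "eclipse"): 0xD6,
    ("SKYWALKER", "eclipse"): 0xBF,
    ("VADER", "beacon"): 0xD6,
    ("SKYWALKER", "beacon"): 0xDA,
    ("VADER", "thread_dll"): 0xA2,
    ("SKYWALKER", "thread_dll"): 0xD4,
}
MARKER = b"constructed-sample-marker"


def xor_encode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def delta(data: bytes) -> bytes:
    """XOR of each adjacent byte pair; a constant one-byte key cancels out."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def build_blob(key: int) -> bytes:
    """Constructed stand-in for a binary: filler around the encoded marker."""
    return bytes(range(32)) + xor_encode(MARKER, key) + bytes(range(64, 96))


def recover_key(blob: bytes, plain: bytes):
    """Return the one-byte key if the encoded marker is present, else None."""
    idx = delta(blob).find(delta(plain))
    return None if idx < 0 else blob[idx] ^ plain[0]


def survey(reference=("VADER", "eclipse")):
    """Compare a key-specific byte signature with the key-invariant one."""
    static_sig = xor_encode(MARKER, KEYS[reference])
    results = {}
    for build, key in KEYS.items():
        blob = build_blob(key)
        results[build] = (static_sig in blob, recover_key(blob, MARKER))
    return results


if __name__ == "__main__":
    for build, (static_hit, key) in survey().items():
        found = "none" if key is None else hex(key)
        print(f"{build[0]:9} {build[1]:10} static={static_hit!s:5} invariant_key={found}")
```

The key-specific signature hits only the builds that share 0xD6, while the adjacent-byte comparison matches every build and reports its key. YARA's `xor` string modifier covers the same single-byte case inside a rule.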