APT41 has been observed utilizing call stack spoofing techniques to evade detection by EDR and other security software. Call stack spoofing involves constructing a fake call stack that mimics a legitimate call stack, obscuring the true origin of function calls and hindering analysis. This technique was observed in the Dodgebox malware, which was used by APT41 to trick antivirus and EDR software that rely on stack call analysis for detection. The malware retrieves the address of functions, such as NtCreateFile, and manipulates the call stack to hide the true origin of the function call. This technique highlights the evolving tactics used by sophisticated threat actors and emphasizes the need for advanced detection and mitigation strategies to counter these evasive techniques.