To avoid detection, evasive malware uses hundreds of methods, such as:
- Sleeping for some time or doing useless work until the sandbox times out.
- Detecting the sandbox and launching no attack.
- Launching targeted attacks only on intended victim computers, identified by (for example) their IP addresses or user names.
- Checking for user input, which is often not present in a sandbox.

In all of the cases above, the evasive malware appears harmless in the sandbox but launches an attack on the endpoint.
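Because a clean sandbox run can be the result of evasion rather than harmlessness, a defender can re-check a "benign" verdict against the behaviours listed above. The following is an added example, not code from the original page: the trace format, the API-to-category map, the 50% stall threshold and the function names are all assumptions, and the sample trace is constructed.

```python
# Constructed sample trace from a hypothetical sandbox report:
# (seconds_since_start, api_name, argument). Sleep arguments are milliseconds.
SAMPLE_TRACE = [
    (0.2, "GetUserNameW", None),
    (0.3, "GetAdaptersInfo", None),
    (0.5, "GetLastInputInfo", None),
    (0.6, "Sleep", 60000),
    (60.7, "GetLastInputInfo", None),
    (60.8, "Sleep", 60000),
    (120.9, "ExitProcess", 0),
]

# Assumed mapping of Windows API calls to the evasion categories in the list.
STALL_APIS = {"Sleep", "SleepEx"}
IDENTITY_APIS = {"GetUserNameW", "GetComputerNameW", "GetAdaptersInfo"}
INPUT_APIS = {"GetLastInputInfo", "GetCursorPos", "GetAsyncKeyState"}


def evasion_indicators(trace, analysis_timeout_s, stall_ratio=0.5):
    """Return the set of evasion categories visible in one sandbox trace."""
    slept_ms = sum(arg or 0 for _, api, arg in trace if api in STALL_APIS)
    found = set()
    # Stalling: requested sleep covers a large share of the analysis window.
    if slept_ms / 1000 >= stall_ratio * analysis_timeout_s:
        found.add("stalling")
    # Targeting: the sample looked up the user name, host name or network adapters.
    if any(api in IDENTITY_APIS for _, api, _ in trace):
        found.add("target-identity-check")
    # User-input check: the sample polled for keyboard or mouse activity.
    if any(api in INPUT_APIS for _, api, _ in trace):
        found.add("user-input-check")
    return found


def adjusted_verdict(sandbox_verdict, trace, analysis_timeout_s):
    """Downgrade 'benign' to 'inconclusive' when evasion indicators are present."""
    indicators = sorted(evasion_indicators(trace, analysis_timeout_s))
    if sandbox_verdict == "benign" and indicators:
        return "inconclusive", indicators
    return sandbox_verdict, indicators


if __name__ == "__main__":
    print(adjusted_verdict("benign", SAMPLE_TRACE, analysis_timeout_s=180))
```

Legitimate software also makes these calls, so an "inconclusive" result is a reason for longer or manual analysis, not a malicious verdict.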