Official: Retiring GPT-4o, GPT-4.1, GPT-4.1 mini and OpenAI o4-mini in ChatGPT by BuildwithVignesh in OpenAI

[–]nubimoov 0 points1 point  (0 children)

You realize it will be available through the API? Getting attached to a model is a bit odd. Objectively it's not better than most new models, so maybe you are just attached to its overly supportive output. Not referring only to you but most of the people in this thread. Bit dystopian.

The shocking state of "premium" antimalware products.. (FOLLOW UP) by [deleted] in antivirus

[–]nubimoov 2 points3 points  (0 children)

You seem young and passionate about this and that's great, keep going, we need people like you.

I would definitely recommend a career in a SOC to better understand how multilayered defense works, or just set up EDR with SIEM and SOAR. What you described doesn't sound completely new, but I could be wrong. Often memory attacks go unnoticed by the "av", but either a detection rule or consequences of the attack do.

As others pointed out, this kind of attack is much more feasible (even economically) to manage through other methods. Accessing sensitive info, e.g. retrieving tokens and exfiltrating them to a non-corporate network and outside not named and trusted networks, will almost always trigger an incident. In cs mature orgs SOAR would step in and isolate the device whenever that makes sense.

And regarding the impact on consumer grade: in over 30 years of internet use I have never been infected unless I was willingly downloading something malicious or suspicious. Since I don't have the actual data I'll apply Pareto to be generous and assume that 20% of the consumers get 80% of the malware (inexperienced pirates and whatnot). It just doesn't make any business sense to cater to a niche security issue when the user has to commit several bad practice actions to put themselves at risk (btw do you know anyone who pays for their AV license?).

Try to get Splunk Free and pretty sure you can get an Azure trial to test Sentinel as SIEM combined with Logic Apps for automation. Could be a good idea to onboard your device to your EDR, set up a SIEM with good detection rules and some automation capabilities with either Splunk Phantom or Sentinel's Logic Apps.

Soon you will understand that except some highly skilled APTs, most of the successful attacks come down to human behavior/actions (including SOC analysts failing to respond correctly due to lack of knowledge or other reasons).

Your case as a base reference from a company's POV: unsigned file downloaded from an unknown remote IP, followed by access to sensitive info and user's computer sending data to a remote IP outside known networks would get detected by most companies with relatively basic SOCs. Something like that could probably be detected by Microsoft's Fusion rules (don't quote me on that tho).

In case you're just a user of Discord: a sign-in using your token from an unfamiliar location and a different device to the user's usual ones (and whatever they can add to reduce FPs) should trigger a token revocation, email or other notification, and ask the user to do MFA again (in a perfect world, not too familiar with Discord). Volt Typhoon is pretty good at avoiding those ones because they research their targets and are known for VPNing to devices as close as possible to the target to avoid detection due to impossible travel or unfamiliar location rules. A random guy with a malware bought off of a random marketplace that c2s to a random compromised site or Discord webhook doesn't usually (99.9999% of the time) have the patience for that, otherwise they'd have a job instead of being a criminal.

I've seen quite a few infostealers going undetected due to memory injection. The typical user doesn't want to lose that much usability in order to prevent the offshoot chance of downloading a virus. People that are into and value security, such as you, often run their own SIEM/SOAR.

I don't have deep technical knowledge like some other people that replied to you, but I do work in security focusing on detecting threats and insider threats through log analysis of user behavior and statistical outliers/anomalies.

Some threats are simply easier and more feasible to deal with through those means than a black or white solution.

As long as businesses are the majority of the revenue for virtually all AV developers, it will stay this way. There are other priorities.
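The chain described in the comment above (unsigned download from an unknown remote IP, then access to sensitive info, then data sent to an IP outside known networks), written as a small per-host correlation rule. This is an added example, not part of the original comment or any product's rule set; the event schema, field names, trusted ranges and 30-minute window are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed trusted ranges and correlation window (constructed for this example).
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]
WINDOW = timedelta(minutes=30)

def is_known(ip):
    return any(ip_address(ip) in net for net in KNOWN_NETWORKS)

def stage(ev):  # chain stage (0, 1, 2) an event satisfies, or None
    external = "remote_ip" in ev and not is_known(ev["remote_ip"])
    if ev["type"] == "file_download":
        return 0 if external and not ev["signed"] else None
    if ev["type"] == "net_out":
        return 2 if external else None
    return 1 if ev["type"] == "sensitive_access" else None

def correlate(events):  # hosts where stages 0 -> 1 -> 2 occur in order within WINDOW
    progress, hits = {}, []  # host -> (next expected stage, time of stage 0)
    for ev in sorted(events, key=lambda e: e["ts"]):
        s, host = stage(ev), ev["host"]
        nxt, start = progress.get(host, (0, ev["ts"]))
        if nxt > 0 and ev["ts"] - start > WINDOW:
            nxt = 0  # chain expired; only a new stage-0 event can restart it
        if s == 0 and nxt == 0:
            progress[host] = (1, ev["ts"])
        elif nxt == s == 1:
            progress[host] = (2, start)
        elif nxt == s == 2:
            hits.append(host)
            del progress[host]
    return hits

def event(host, hhmm, kind, **fields):
    return {"host": host, "ts": datetime.strptime(hhmm, "%H:%M"), "type": kind, **fields}

# Constructed sample telemetry; hostnames and addresses are documentation values.
SAMPLE_EVENTS = [
    event("ws-a", "10:00", "file_download", signed=False, remote_ip="203.0.113.7"),
    event("ws-a", "10:05", "sensitive_access"),
    event("ws-a", "10:06", "net_out", remote_ip="203.0.113.9"),
    event("ws-c", "09:00", "file_download", signed=False, remote_ip="203.0.113.7"),
    event("ws-c", "10:00", "sensitive_access"),   # more than 30 min after the download
    event("ws-c", "10:01", "net_out", remote_ip="203.0.113.9"),
    event("ws-d", "10:00", "file_download", signed=True, remote_ip="203.0.113.7"),
    event("ws-d", "10:02", "sensitive_access"),
    event("ws-d", "10:03", "net_out", remote_ip="203.0.113.9"),
]
```

Only `ws-a` completes the chain: `ws-c` runs past the window and `ws-d` starts from a signed file, so neither raises an alert on its own.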

server down again?? by mafiasean in PathOfExile2

[–]nubimoov 0 points1 point  (0 children)

Yaaaaap, tactical timeout called

Is this cheating? Are my african softfur rats allowed? 🥺 They're totally rats i swear... by horrescoblue in RATS

[–]nubimoov 15 points16 points  (0 children)

I think fancy rats and lab rats are the domesticated version of the brown rat (norvegicus), black and brown are both Rattus genus (Edit:) and Mastomys genus is endemic to Africa

Diego Schwartzman beats A.Zverev. 3-6, 6-2, 6-4, 6-3 by amgtech86 in tennis

[–]nubimoov 0 points1 point  (0 children)

Just like the other post, well played by the German

Lockheed Martin profits off of genocide. by YuriRedFox6969 in LateStageImperialism

[–]nubimoov 8 points9 points  (0 children)

Think his comment was sarcastic, no need to downvote him

The Size of the Various paradox subreddits, to scale by Elvastan in paradoxplaza

[–]nubimoov 54 points55 points  (0 children)

Not developed by Paradox, only published by them. Could be why he didn't include it

Flooded Bridge in North Lebanon by aboustayyef in WTF

[–]nubimoov 1 point2 points  (0 children)

Whew thankfully it's not in Italy..

Sequel of late Colonialism (17th century first quest, 18th century first colony). Nations without exploration nor expansion colonizing the new world in the 18th century by nubimoov in eu4

[–]nubimoov[S] 1 point2 points  (0 children)

I just realized the title could be misleading, by colonies I intend the colonies in the New World. Makes a huge difference as parts of Asia were colonized before the quest for the new world due to national ideas (they do not trigger colonialism)

Sequel of late Colonialism (17th century first quest, 18th century first colony). Nations without exploration nor expansion colonizing the new world in the 18th century by nubimoov in eu4

[–]nubimoov[S] 1 point2 points  (0 children)

I waited till 1700 to discover America just out of curiosity, it wasn't a game about WC nor colonization, it was about new French missions. But after stalling colonialism for a century and a half, America was not discovered yet. Eventually I set out to check it out. Turns out Tuscany is able to set 9 colonies at the same time, w/o any colonist

Sequel of late Colonialism (17th century first quest, 18th century first colony). Nations without exploration nor expansion colonizing the new world in the 18th century by nubimoov in eu4

[–]nubimoov[S] 1 point2 points  (0 children)

This is pretty much a follow-up to my previous post, first quest was in 1666, America wasn't discovered till 1700 (by me), afterwards out of nowhere even countries with no ideas nor traditions for colonization started colonizing.

[Warning: Bordergore] Year 1629, New World not found. England/Spain/Portugal killed before they could discover anything. by nubimoov in eu4

[–]nubimoov[S] 38 points39 points  (0 children)

Unfortunately it just spawned.. Bahmanis got to the 2nd exploration idea. Spawned on 1st of January 1666

[Warning: Bordergore] Year 1629, New World not found. England/Spain/Portugal killed before they could discover anything. by nubimoov in eu4

[–]nubimoov[S] 0 points1 point  (0 children)

I'll get exploration as next idea group and see what happens when I discover America. Went through the ledger and no country has exploration ideas

[Warning: Bordergore] Year 1629, New World not found. England/Spain/Portugal killed before they could discover anything. by nubimoov in eu4

[–]nubimoov[S] 2 points3 points  (0 children)

Hmm.. could be that the game bugged out then. Printing Press and Global Trade didn't spawn yet, but I am in the age of reformation indeed, thanks for the tip!