I've used nearly the same code for years with a trampoline function (JMP instruction instead of simply writing the code right there), so not too sure about it being a new technique.
In my opinion, CreateRemoteThread is the function that usually triggers AVs and injecting code into processes is the suspicious part.