Sandbox evasion techniques allow malware to detect and avoid execution in analysis sandboxes — sleeping for extended periods, checking for VMs, requiring mouse movement, detecting sandbox artifacts.
Sophisticated malware detects sandbox environments and remains dormant. Defenses: use stealthier sandboxes, extend analysis time, emulate human interaction. Some malware only detonates in specific environments (domain-joined, specific locale).