- Fileless malware runs in memory and abuses legitimate tools such as PowerShell or WMI.
- It can steal data, encrypt files, or spy on computers without leaving an obvious trace on disk.
- Effective detection requires monitoring behavior and processes, not just files.
- Defending requires EDR, segmentation, patching, and reducing the use of scripts and macros.
In recent years the fileless malware Fileless malware has become one of the most serious headaches for IT and security teams. We're not talking about the typical virus you download in an attachment and can remove with an antivirus scan, but something much more stealthy that hides within the system's own processes.
This type of threat takes advantage legitimate operating system toolsEspecially on Windows, it can execute malicious code directly into RAM. Because it leaves almost no trace on the disk, it can evade many traditional antivirus programs and remain active long enough to steal information, encrypt files, or maintain backdoors without being detected.
What exactly is fileless malware?
When we talk about fileless malware, we are referring to malicious code that does not depend on a classic executable on disk to function. Instead of being installed like any other program, it relies on components already present in the system (scripts, services, command interpreters, etc.) to load and execute its instructions directly in memory.
From a technical point of view, this malware usually to be injected into processes that are already running or they can be launched using commands that load everything into RAM. This means that, once the computer is turned off or restarted, many variants disappear, but in the meantime they have plenty of time to cause serious damage.
Compared to file-based malware, these threats are lighter, more discreet, and much harder to trackYou won't find a suspicious .exe file on the disk, nor necessarily a malicious installer: the problem lies in what happens within processes that appear to be trusted.
The rise of this approach skyrocketed around 2017, when campaigns began to combine fileless techniques with clicker trojans, advanced adware, and remote access tools (RATs)Today they have been integrated into all kinds of operations: from espionage and APTs to ransomware and cryptomining.
How fileless malware works on the inside
To understand how it works, it's worth remembering that most normal applications are distributed as a file that is written to disk and then loaded into memory when the user runs it. Fileless malware, on the other hand, skips the first step and materializes directly in RAM using mechanisms of the operating system itself.
Many campaigns rely on the idea of "living off the land" (living off the land): the attacker abuses legitimate administrative powers instead of introducing new binaries. On Windows, the prime example is PowerShell, but WMI, mshta, rundll32, VBScript or JScript scripts, and other trusted binaries (LoLBins) are also exploited.
A typical scenario would be: a user opens an Office document with malicious content or clicks on a phishing link; from there a script that invokes PowerShell or another tool to download, decrypt, or inject the code for the next phase into memory. All of this can happen without creating a permanent file on the hard drive.
Another common vector involves taking advantage remote code execution vulnerabilities, such as buffer overflows in browsers, plugins, or server applications. By exploiting the vulnerability, the attacker can directly execute shellcode within the vulnerable process and, from there, load the rest of the components into memory.
Some variants even resort to Windows Registry or scheduled tasks to store scripts or commands that reactivate the attack when the system starts or a user logs in. Even if something is written to the Registry, the main malicious logic continues to run in memory, making it difficult to detect with tools focused solely on the file system.
Infection methods and initial access
The front door is usually quite classic: phishing emails, malicious links, and forged documents They remain the kings of initial access, even though fileless techniques are used underneath. The trick is that throughout the entire chain, every effort is made to minimize any disk footprint.
In many incidents they are used Microsoft Office documents with macros When activated, these macros call PowerShell or WMI to download and execute the next stage of the attack in memory. Even without macros, attackers exploit vulnerabilities in Word, Excel, PDF readers or the scripting engine itself to achieve code execution.
Another approach involves directly leveraging seemingly harmless executables that the user receives via email or download from the web. This executable can extract a malicious module and load it into memory using techniques such as reflection in .NET, without actually saving it to disk as a separate file.
There are also campaigns targeting web servers or applications exposed to the Internet, where the vulnerability is used to deploy webshells with fileless componentsA recent example is the use of Godzilla and similar tools, in which malicious code travels within HTTP requests and is injected directly into memory on the compromised server.
Finally, attackers frequently resort to stolen credentialsIf they obtain the username and password of an administrator or a privileged account, they can log in via RDP or other channels and manually launch PowerShell scripts, WMI commands, or administrative tools that load the malware into memory without leaving any new executables on the system.
Specific techniques used by fileless malware
One of the keys to these attacks is the reuse of Windows native tools as a vehicle for their scripts. This causes malicious activity to blend in with normal administrative tasks, complicating analysis and response.
Among the most common techniques we find the use of PowerShell as an embedded code launcher directly from the command line. For example, an obfuscated script is passed as a parameter, the execution policy is disabled, the window is hidden, and a payload is downloaded directly into memory, all without leaving a .ps1 file or any suspicious executable visible.
Another very popular tactic is to store malicious scripts in the Windows Management Instrumentation (WMI) subscriptionsEvery so often, WMI triggers the script, which can execute code from memory, connect to command and control servers, or launch new stages of the infection.
Similarly, many groups use the Windows Registry and Task Scheduler as a refuge for their scripts and commands. Instead of placing an executable in the startup folder, they define startup keys or scheduled tasks that run PowerShell, mshta, or rundll32 scripts with embedded or on-the-fly code.
Techniques are also seen in reflection in .NETwhere a lightweight executable contains encrypted or compressed assemblies that are loaded directly into memory using Reflection.Load, without ever being written as .dll files to disk. This allows for the deployment of very sophisticated Trojans within a single, seemingly normal process.
What can a fileless attack do?
Despite its name, a fileless attack is not limited in its impact. In fact, it can perform the same functions as traditional malware: information theft, data encryption, lateral movement, espionage, cryptocurrency mining, or installation of permanent backdoors.
Many fileless campaigns behave like credential thiefThis involves capturing passwords, session tokens, or authentication hashes from the memory of sensitive processes. This makes it easier to escalate privileges, compromise more systems, and maintain prolonged access without resorting to additional binaries.
Others focus on fileless ransomwarewhere part of the encryption and communication logic is executed directly in memory. Although a disk component may appear at some point to manipulate a large number of files, the initial loading and control of the attack are done with fileless techniques to avoid early detection.
Attackers can also install rootkits or advanced RATs Once established, these tools use fileless channels to receive commands, move across the network, and update modules. Because they are integrated into system processes or critical services, these tools are particularly difficult to eradicate.
On the economic front, the impact translates into data loss, service interruptions, regulatory fines, and reputational damageSince these intrusions often go undetected for months, the volume of exfiltrated information and the scope of the breach can be enormous.
Phases of a fileless malware attack
Although the technical aspects are different, the lifecycle of a fileless attack is quite similar to that of any advanced intrusion. What changes are the mechanisms used in each phase and the way they camouflage themselves.
in the stage of initial accessThe attacker needs an initial foothold: a click on a phishing link, the opening of a document containing macros, the exploitation of a vulnerable server, or the reuse of compromised credentials. From there, the goal is to execute code within the target system.
Once that step is achieved, the next phase begins execution in memoryThis is where PowerShell, WMI, mshta, rundll32, VBScript, JScript, or other interpreters come into play to load and activate the payload without generating permanent executables on disk. The code is typically obfuscated or encrypted and decrypted only in RAM.
Then the pursuit begins persistenceAlthough many fileless payloads disappear when the computer is restarted, sophisticated attackers combine RAM-resident scripts with Registry keys, scheduled tasks, or WMI subscriptions that relaunch the code every time a specific condition is met, such as system startup or user login.
Finally, the final goals The attacker's actions include: data theft and exfiltration, information encryption, deployment of more malware, continuous espionage, and sabotage of critical systems. All of this is done while trying to maintain the lowest possible profile to avoid early alerts and forensic analysis.
Why is it so difficult to detect?
The big problem with fileless malware is that It breaks the classic defense model based on files and signaturesIf there is no suspicious executable to analyze, many antivirus engines remain blind to what is happening within memory and legitimate processes.
The absence of files on disk implies that There are no objects to scan periodically in search of known patterns. Furthermore, by leveraging binaries signed by the operating system itself, such as PowerShell.exe, wscript.exe, or rundll32.exe, malicious activity is disguised behind names that the administrator normally trusts.
In addition, many inherited products have a Limited visibility into running processesThey focus on the file system and network traffic, but barely inspect internal API calls, command-line parameters, script behavior, or Registry events that might betray a fileless attack.
The attackers, aware of these limitations, resort to obfuscation, encryption, and code fragmentation techniquesFor example, they divide a malicious script into several fragments that are assembled in real time, or they hide instructions within images, embedded resources, or seemingly innocuous strings.
In environments where systems are rarely restarted (critical servers, production terminals, etc.), memory-resident malware can remain active for weeks or months without being detected, especially if you move cautiously and minimize the volume of traffic or conspicuous actions.
Limitations of traditional defenses
The initial response of many providers to this threat has been to try restrict or directly block tools like PowerShell or Office macrosAlthough it can reduce some vectors, it is not a realistic or complete solution in most organizations.
PowerShell has become a key component for Windows system administrationTask automation, software deployment, and server management. Blocking it completely would paralyze IT workflows and force the redoing of numerous internal processes.
Furthermore, from the attacker's point of view, there are multiple ways to circumventing a simple blocking policyThere are techniques to load the PowerShell engine from libraries (dll) using rundll32, convert scripts into executables with tools like PS2EXE, use modified copies of PowerShell.exe, or even embed PowerShell scripts in PNG images and run them with obfuscated command lines.
Something similar happens with Office macros: Many companies depend on them to automate reports, calculations, and business processes. Disabling them globally can break internal applications, while relying solely on static analysis of VBA code often results in a difficult-to-manage false positive and false negative rate.
In addition, some approaches based on cloud-based detection-as-a-service They require constant connectivity and, sometimes, operate with too much delay to prevent the initial execution of the malware. If the blocking decision is made seconds or minutes later, the damage may already be done.
Focus shifts: from files to behavior
Since the file is no longer the main element, modern defense solutions focus on monitor the behavior of the processes instead of just inspecting the contents of the files. The idea is that, although there are thousands of malware variants, the patterns of malicious activity are much less diverse.
This approach relies on engines of behavioral analysis and machine learning that continuously monitor what each process does: what commands it launches, what system resources it touches, how it communicates with the outside world, and what changes it tries to introduce into the environment.
For example, an Office process can be flagged as suspicious if executes an obfuscated PowerShell command with parameters to disable security policies and download code from a suspicious domain. Or a process that, for no apparent reason, suddenly accesses hundreds of sensitive files or modifies critical registry keys.
The latest generation of EDR systems and XDR platforms collect detailed telemetry of endpoints, servers and networkand are able to reconstruct complete stories (sometimes called StoryLines) of how an incident originated, what processes were involved, and what changes the affected machine underwent.
A good behavioral engine not only detects the threat, but can mitigate or automatically reverse malicious actions: kill involved processes, isolate the computer, restore encrypted files, undo changes to the Registry, and cut off communications to command and control domains.
Technologies and sources of key events in Windows
To analyze fileless threats in Windows, it is especially useful to take advantage of native operating system telemetry mechanisms, which are already there and offer a lot of information about what happens behind the scenes.
On one side is Event Tracing for Windows (ETW)ETW is a framework that allows for the recording of highly detailed events related to process execution, API calls, memory access, and other internal system aspects. Many EDR solutions rely on ETW to detect atypical behavior in real time.
Another key piece is Antimalware Scan Interface (AMSI)AMSI is an API designed by Microsoft to allow security engines to inspect scripts and dynamic content just before they run, even if obfuscated. AMSI is especially useful with PowerShell, VBScript, JScript, and other scripting languages.
In addition, modern engines are analyzed periodically sensitive areas such as the Registry, Task Scheduler, WMI subscriptions, or script execution policiesSuspicious changes in these areas are often a sign that a fileless attack has established persistence.
All of this is complemented by heuristics that take into account not only the current process, but also the execution context: where the parent process comes from, what network activity has been observed before and after, whether there have been strange failures, anomalous blockages or other signals that, added together, tip the scales towards suspicion.
Practical detection and prevention strategies
In practice, protecting oneself from these threats involves combining technology, processes and trainingIt's not enough to install an antivirus and forget about it; a layered strategy adapted to the real behavior of fileless malware is needed.
On a technical level, it is essential to deploy EDR or XDR solutions with behavioral analysis capabilities and process-level visibility. These tools must be able to record and correlate activity in real time, block anomalous behavior, and provide clear forensic information to the security team.
It is also convenient Restricting the use of PowerShell, WMI, and other interpreters to what is strictly necessary, applying access control lists, script signing (Code Signing) and execution policies that limit what code can run and with what privileges.
On the user side, training remains crucial: it is necessary to reinforce the awareness of phishing, suspicious links, and unexpected documentsThis is especially important among personnel with access to sensitive information or high-level privileges. Reducing the number of careless clicks significantly decreases the attack surface.
Finally, one cannot neglect the patch and software update cycleMany fileless chains begin by exploiting known vulnerabilities for which patches already exist. Keeping browsers, plugins, enterprise applications, and operating systems up to date closes valuable doors for attackers.
Managed services and threat hunting
In medium and large organizations, where the volume of events is enormous, it's difficult for the internal team to see everything. That's why they are growing in popularity. monitoring and managed response services (MDR/EMDR) and external security operations centers (SOCs).
These services combine advanced technology with teams of analysts monitoring 24/7 the environments of their clients, correlating weak signals that would otherwise go unnoticed. The idea is to detect behaviors typical of fileless malware before damage occurs.
Many SOCs rely on frameworks such as MITRE ATT & CK to catalog adversaries' tactics, techniques, and procedures (TTPs) and build specific rules geared towards in-memory execution, LoLBins abuse, malicious WMI, or stealthy data exfiltration patterns.
In addition to continuous monitoring, these services typically include forensic analysis, incident response, and consulting to improve security architecture, close recurring gaps, and strengthen controls on endpoints and servers.
For many companies, outsourcing part of this function is the most viable way to keep up with such complex threats, since not everyone can afford an internal team specializing in hunting advanced malware.
The reality is that fileless malware has forever changed the way we understand endpoint security: Files are no longer the only key indicatorAnd only a combination of deep visibility, behavioral analysis, good management practices, and an extended cybersecurity culture can keep it at bay on a day-to-day basis.
