Askeal Logo

Fileless Malware

Fileless malware is a type of malicious software that operates entirely in memory, leaving little to no trace on disk.

What is fileless malware?How it typically works?Common techniques & variantsImpactFurther reading

What is fileless malware?

Unlike traditional malware, fileless malware does not rely on files stored on disk. Instead, it exploits legitimate system tools such as PowerShell, WMI, or registry entries to run malicious code directly in memory. This makes detection much harder, as traditional antivirus software scans primarily for malicious files. Notable cases include **Kovter**, which used registry-based persistence, and campaigns abusing PowerShell to execute attacks without leaving artifacts.

How it typically works?

  1. Initial execution: malicious code is executed via phishing attachments, malicious scripts, or exploitation.
  2. In-memory operation: the malware injects itself into legitimate processes or uses tools like PowerShell.
  3. Persistence: attackers leverage registry keys or scheduled tasks instead of files.
  4. Malicious activity: actions include credential theft, lateral movement, or downloading additional payloads.

Common techniques & variants

  • Living off the Land (LotL) attacks: abuse legitimate tools like PowerShell, WMIC, or rundll32.
  • Memory injection: code is injected into running processes.
  • Registry persistence: storing payloads in Windows registry, as seen with Kovter.
  • Script-based fileless malware: malicious macros or JavaScript launch fileless payloads.
  • Fileless ransomware campaigns: attacks combining memory-only techniques with encryption.

Impact

Fileless malware is dangerous because it avoids many detection methods and often operates under the guise of legitimate system processes. It has been used in both cybercrime and state-sponsored campaigns. For SecOps teams, these threats present major challenges since traditional defenses may show no clear indicators. Fileless techniques are often a precursor to more disruptive attacks, including ransomware and espionage.

Further reading

  • MITRE ATT&CK: Fileless Malware. Read more
  • Symantec: Fileless attacks overview. Read more
  • CISA: Fileless malware threats. Read more
  • Trend Micro: Kovter and fileless malware. Read more

Related topics

MalwareTrojansWormsRansomwareSpyware