Under Attack? Contact Us Start a Free Demo

What is a Fileless Malware?

What is Fileless Malware?

The phrase “fileless malware” refers to a type of malware that does not require a file to be used to execute the code; instead, it leverages the resources already present on the file system of the endpoint. It is typically injected into some running process and executes only in RAM. Since there are no files to scan and the footprint is small, traditional antivirus software has a hard time detecting or preventing these attacks. In modern adversarial warfare, adversaries are becoming more adept at designing sophisticated and targeted malware to evade defenses. Most security solutions fail to detect and prevent fileless malware.

How does Fileless Malware work?

Fileless malware is most commonly spread through spam links within an email message or fraudulent website. Once the user clicks the malicious links or downloads the infected legitimate-looking document, the malicious code will be executed in the background using Windows inbuilt processes, connecting to the C2C server to download the actual malware.

Fileless malware leverages trusted, legitimate processes (LOLBins) running on the operating system to perform malicious activities like lateral movement, privilege escalation, evasion, reconnaissance, and the delivery of payloads.

The majority of fileless malware takes advantage of Windows PowerShell to load scripts directly into memory rather than writing them to the disk (where they can be detected by most malware scanners). In addition to executable files, there are many other ways to run code on devices. The majority of these methods make use of OS-available processes.

Some examples are:

  • VBScript
  • JScript
  • Batch files
  • PowerShell
  • Windows Management Instrumentation (WMI)
  • Mshta and rundll32 (or other Windows signed files capable of running malicious code)

In addition, another type of attack that is common and considered fileless is malware hidden within documents. A malicious PowerShell command could be launched by an infected document. Additionally, other few built-in mechanisms allow code execution within documents, such as macros and DDE attacks.

Stages of Fileless Malware Attacks

In contrary to the traditional file-based malware, fileless malware consists of the following stages:

  • Victim clicks a malicious link or downloads the malicious document in phishing or spam email.
  • The malicious embedded code/script leverages inbuilt Windows processes like PowerShell, WMI, Wscript, etc., to connect to the C2C server and download actual malware. This actual malware can be a backdoor, virus, rootkit, ransomware, etc.
  • Then the actual malware attempts to evade the defenses, establish persistence, and perform lateral movement.
  • Implement the attacker’s intent, ranging from data exfiltration, system corruption, or encrypting the computer file system, making it inaccessible to the legitimate user.

How to Detect Fileless Malware?

Cyber security threats and fileless malware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, rootkits, file-less malware, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.


The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).