Cyber Security Cybercrime Microsoft 365 Defender

What is Fileless Malware: Understanding the Invisible Threat

Cyber criminals use fileless malware to bypass antiviruses and attack businesses undetected. In this article we demystify the invisible threat, together turning the unseen into the understood.

Despite significant advancements in security software and machine learning capabilities, fileless malware still strikes fear into the hearts of business owners and IT professionals alike. This stealthy attack type often enters endpoint systems no differently to standard malware and viruses.

However, leaving your antivirus software to deal with this sophisticated attack could lead to devastating consequences. With WatchGuard revealing that fileless malware rates in 2020 increased by 888% over 2019, it is as important as ever to prepare your organisation for this threat.

In this article we demystify this invisible threat, exploring its inner workings and real-world implications, discovering preventative measures and effective responses, to give you the knowledge needed to arm yourself, and your business, against fileless malware.

Before delving deeper, let’s start by addressing what fileless malware actually is.

Fileless Malware: The Invisible Threat

What is Fileless Malware and how does it work?

Fileless malware often enters systems and devices no differently to standard viruses, commonly through phishing and social engineering. What differentiates these attacks from the rest, is how they operate once inside.

Traditional viruses leave files on your system, making them easily identifiable by antivirus software. Fileless malware, on the other hand, operates directly within a system’s memory or registry, without leaving files on the disk.

Unlike conventional viruses, that predominantly rely on executable files, fileless malware leverages already-present software like PowerShell or WMI for its attacks. This stealthy strategy allows fileless malware to evade detection from traditional signature-based antivirus software.

Put simply, fileless malware avoids detection from antivirus software which scan for malicious files, because fileless malware offers no malicious files to scan. The elusive nature of fileless malware attacks make them very difficult to detect and mitigate, as they blend in with normal system activity, earning them the title, ‘The Invisible Threat’.

Fileless Malware vs. Living-Off-The-Land

Fileless malware is described as a “living off the land” (LOTL) attack because it uses built-in system tools within the device or network it corrupts, like Powershell or WMI, to perform harmful actions. By using trusted resources and credentials it can avoid detection and exploit vulnerabilities better. This technique makes it difficult to detect and mitigate as it operates within the existing infrastructure of the targeted system.

Stolen Credentials

Although any virus with appropriate access can potentially move laterally within a network, the stealthy nature of fileless malware makes it capable of facilitating lateral movement without detection. This means cybercriminals can steal user credentials and carry out further malicious activities while under the guise of a legitimate user.

Fileless Ransomware

One use of fileless malware is to install ransomware on compromised systems. In this technique, attackers leverage the access granted by fileless attacks to encrypt victims’ files, effectively preventing normal operations. Access to these files is then held hostage until the victims meet financial demands.

“Fileless malware rates in 2020 increased by 888% over 2019.”

WatchGuard – Internet Security Report

Fileless Malware Techniques

Registry Resident Malware

Registry Resident Malware refers to malicious software that installs itself directly into the Windows Registry. By modifying registry entries, it ensures its persistence in the system and can execute every time the system starts up.

Most malware infects Windows systems through the use of a dropper program, that uploads a malicious file into a device. This file then remains active within the system and is quickly detected. Registry Resident Malware may also use a dropper program but doesn’t upload a file. Instead, it writes code directly into the system’s Windows registry. As a result, this fileless malware can remain undetected within a systems registry for extended periods of time and carry out malicious activity by modifying registry entries.

Exploit Kits

Exploit Kits are software tools designed to exploit vulnerabilities in systems or code. These kits automatically deliver malware, such as ransomware or spyware, to the devices of unsuspecting users who visit compromised websites.

Top 5 Fileless Malware Attack Types

Exploit kits serve as a common vehicle for fileless malware distribution and control. Exploits are malicious code or sequences of commands that take advantage of security weaknesses in outdated software.

Exploit kits bundle these exploits together into a powerful tool for managing and deploying fileless attacks. Some advanced exploit kits even offer management consoles, allowing attackers to control infected systems and adapt their attacks in real-time.

Memory-only Malware

Memory-only malware refers to malicious software that primarily operates from a device’s memory, with minimal traces on the hard drive. Unlike most viruses, it can avoid detection by antivirus programs, requiring modern security software with heuristics and behavioural detection mechanisms to identify.

This allows it to conduct lateral movement and data exfiltration undetected. It is the variation of fileless malware which the term most commonly refers to and which the majority of fileless malware attacks fall under.

“Memory-only Malware has huge potential for use in dangerous attacks and will become more common.”

Symantec – Internet Security Threat Report

Stages of a Fileless Malware Attack

Stage 1: Gain Access

The initial stage of a Fileless Malware attack involves gaining access to the victim’s system. This can occur through various means, such as phishing, social engineering, exploiting vulnerabilities in software or operating systems, or drive-by downloads from compromised websites.

Stage 2: Execution

Now the attacker has access to a system, they exploit existing vulnerabilities within the system to gain control over it and initiate harmful actions. They may socially engineer users into enabling functions that provide them further access, such as enabling macros, which then run malicious commands. The attacker utilises exploits in an effort to obtain credentials and move laterally within the compromised system.

Stage 3: Persistence

In order to achieve the objectives of a fileless malware attack, it is essential for the attacker, that they not-only gain access, but maintain it for extended periods. Through modifying the system’s registry, the attacker will create a backdoor for easy re-entry into the system, without repeating the initial steps. By establishing persistence mechanisms, such as registry entries or scheduled tasks, malicious code can be reloaded into memory after system restarts, allowing the malware to stay persistent and hidden for extended periods.

Stage 4: Exfiltration

By the final stage the structure is in place to achieve the objectives of the fileless malware attack. The attacker may attempt to steal credentials for further attacks, encrypt files for a ransom, or download additional malware to cripple the organisation’s network.

Commonly an attacker will utilise built-in compression tools to effectively gather sensitive information and prepare it for exfiltration. They will then use covert and secure methods to export this victim’s compressed data, such as HTTPS or DNS tunnelling.

The 4 stages of a fileless malware attack

How to Protect Against Fileless Malware

Indicators of Compromise Vs. Indicators of Attack

To effectively protect your organisation against fileless malware it is essential to incorporate multiple techniques to develop a holistic and integrated cyber security approach.

Indicators of compromise (IOCs) are traces of past security breaches, like unusual network activity. Indicators of Attack (IOAs), on the other hand, are signs of ongoing cyber threats, such as lateral movement. Understanding the difference between the two is crucial for effective cyber security.

Indicators of Compromise vs Indicators of Attack

To combat fileless malware proactively, it’s essential to rely on IOAs, the “what’s happening”, rather than IOCs, the “whats happened”. IOAs focus on action intent and context, including signs like code execution, lateral movement, and unexpected system changes. This approach ensures that you can detect fileless malware as it executes its malicious activity, even if it originally entered the device undetected.

Unlike IOCs, IOAs do not identify attacks based on how a threat initiates an attack, rendering the method of attack, (via files or fileless) irrelevant for detection. Instead, what matters is the actions that are actually taking place, you identify the associated activity rather than the specific file. This enables the detection and prevention of fileless malware activity, even when executed through once-trusted, but now compromised, accounts and software.

Managed Threat Hunting

Adopting an integrated and unified approach toward the detection and prevention of fileless malware requires robust endpoint detection and response (EDR) solutions and the expertise to manage them. Managed threat hunting leverages the skills of seasoned professionals and the efficiency of AI powered system to handle this time consuming and technically intricate task.

While the level of monitoring may vary depending on the provider, and the organisation’s specific needs, partnering with a managed service provider offers enhanced security, often including constant real-time surveillance.

This approach allows for proactive threat hunting, which is challenging to consistently carry-out without the work of dedicated security specialists. At Vital, our team of skilled IT professionals flag and address suspicious activity on detection, preventing further escalation. Leveraging Microsoft’s extended detection and response (XDR) security solutions, we stay one step ahead of fileless malware and other evolving threats.


In mitigating the threat of fileless malware attacks, user awareness and education play a vital role. Similar to standard viruses, fileless malware often infiltrates systems through phishing and social engineering. Equipping your employees with the knowledge to spot and avoid potential risks can significantly minimise the risk of fileless malware attacks.

It is important to educate employees of the dangers associated with clicking on malicious links, opening suspicious emails, and downloading unverified software. Developing this familiarity can empower your workforce to stay vigilant and fosters a security-conscious organisational culture.

To achieve this, consider employing an integrated training vendor, such as KnowBe4. Such vendors offer training campaigns and simulate phishing attacks for practical training. An investment into the education and security awareness of your workforce will significantly reduce the likelihood of falling victim to fileless malware attacks.

“You cannot rely on the individual employee’s decisions to either click or not click on a potential malicious link. Today, you need to have an employee security and education behaviour management program.”



Can reinstalling Windows from scratch remove fileless malware?

Reinstalling windows may remove some types of malware, although typically not fileless malware, which doesn’t reside in locations impacted by a reinstall. If fileless malware has re-delivery or persistence mechanisms in place, it will likely reappear post-installation. Unfortunately, there is no quick fix for fileless malware. If you suspect that your system may be affected by this dangerous attack type, don’t hesitate to contact us.

What should individuals do to protect their personal devices from fileless malware?

To protect personal devices from fileless malware, individuals should keep their operating systems and security software up to date, use a reliable antivirus program, stay informed on typical phishing and social engineering techniques, and regularly backup their data.

How can businesses protect themselves from fileless malware?

To protect against fileless malware, businesses can:

  • Prioritise indicators of attack rather than compromise to detect malware.
  • Train employees on fileless malware entry techniques.
  • Partner with an IT managed service provider specialising in cyber security.

Can antivirus software detect fileless malware?

Yes, antivirus software can detect fileless malware, but will struggle to do so consistently. Traditional antivirus programs struggle as they rely on signature-based identification, while fileless malware uses legitimate system tools and memory to carry out their attacks. Some antivirus software have evolved to include behaviour-based detection methods, however, detection of fileless malware still remains challenging due to its nature of using legitimate system tools and memory

EDR and XDR solutions elevate the capabilities of traditional AV, utilising behavioural analysis and heuristics to detect and prevent fileless malware with higher efficiency.