
What is fileless malware?

9th October 2025

A type of malware that can cause havoc on your systems without leaving a trace: are you prepared to defend against it?

Malware is constantly changing and evolving – bad actors make alterations to target groups or users, and AI has only made this easier. Stealthier attacks are the most dangerous: if malware can avoid detection, all the security in the world can’t fight what it can’t find.

This is why fileless malware is so dangerous: it operates without leaving files on disk, instead running in memory (RAM), making it harder to detect and remove. In doing this, fileless malware can avoid detection by antivirus/EDR/XDR tools that scan files.

It uses legitimate tools to execute code directly in RAM, exploiting them to avoid triggering security alerts. The lack of evidence it leaves behind makes follow-up after an attack difficult: security teams wouldn’t learn much and the attack has every chance of happening again.

Fileless malware can be found in:

· Phishing emails – hidden in links or attachments that trigger scripts.

· Malicious macros – embedded in Office documents to launch PowerShell commands.

· Exploit kits – use browser or plugin vulnerabilities to inject code into memory.

· Remote access tools – abuse of legitimate admin tools to maintain control.

Examples of fileless malware include:

· PowerGhost – uses PowerShell to mine cryptocurrency and spread laterally.

· Kovter – initially file-based, this malware evolved into a fileless click fraud ransomware tool.

· Cobalt Strike – a legitimate penetration testing tool often repurposed by attackers.

So, if this malware is so hard to detect, what can be done to defend against it? We recommend that you monitor the behaviour of the entire system, not just files: you are more likely to notice issues this way. Limit PowerShell and macro use (or require signed scripts), patch regularly and ensure that you and other staff all have the latest cyber security awareness training.
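The behaviour-based monitoring recommended above, as an added example that is not part of the original article: it flags Office applications launching script hosts, and PowerShell started with an encoded command or a hidden window. It assumes process-creation events have already been exported as dictionaries using Sysmon Event ID 1 field names (ParentImage, Image, CommandLine); the rule names and sample events are constructed for illustration.

```python
import ntpath  # parses Windows paths on any OS

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = POWERSHELL | {"wscript.exe", "cscript.exe", "mshta.exe"}

def _is_param(token, full_name, aliases=()):
    """True if token is -Name or /Name, an abbreviation of it, or an alias.
    PowerShell accepts shortened parameter names such as -enc and -w."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name in aliases or full_name.startswith(name)

def assess(event):
    """Return the behavioural reasons a process-creation event looks suspicious."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    tokens = event["CommandLine"].split()
    reasons = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append("office-spawned-script-host")
    if child in POWERSHELL:
        if any(_is_param(t, "encodedcommand", ("ec",)) for t in tokens):
            reasons.append("encoded-command")
        if any(_is_param(flag, "windowstyle") and value.lower() == "hidden"
               for flag, value in zip(tokens, tokens[1:])):
            reasons.append("hidden-window")
    return reasons

# Constructed sample events (not from the article), Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy AllSigned -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["Image"]), assess(ev) or "no findings")
```

Because nothing here inspects a file on disk, the same rules apply whether or not the script content ever touches storage; in practice the findings would feed an alerting pipeline and be tuned against the organisation's legitimate admin scripts.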

For more information regarding malware and cyber attacks, please contact Interfuture Security.

YouTube: https://youtu.be/J76KAkr6pQc
