T1055 tops the list across 1.1 million malware samples analyzed, and 80% of the top 10 techniques focus on defense evasion, persistence, and command-and-control.

Fileless malware is among the fastest-growing and most evasive threat categories facing security teams today. Unlike traditional malware that drops executable files to disk, fileless attacks abuse trusted operating system tools (PowerShell, WMI, .NET) to execute malicious code directly in memory. The result is an attack that leaves minimal forensic artifacts on disk, bypasses signature-based antivirus, and blends with legitimate system activity. According to the Ponemon Institute's 2017 State of Endpoint Security Risk study, fileless attacks were approximately 10 times more likely to succeed than file-based attacks, a finding that, while dated, remains the most widely cited benchmark. More recent figures point the same way: fileless malware attacks are reported to have increased 78% from 2024 to 2026, and fileless and in-memory techniques have risen roughly 30% year-over-year. This guide provides an evidence-based look at how fileless malware works, the real-world campaigns shaping the current threat landscape, and the layered detection strategies that actually work against memory-resident threats.
Fileless malware is a category of malicious activity that uses native, legitimate tools built into an operating system — such as PowerShell, WMI, and .NET — to execute cyberattacks without writing traditional executable files to disk, operating primarily in memory through trusted system processes and evading signature-based detection.
That definition, while clear, oversimplifies a nuanced reality. The term "fileless" exists on a spectrum. Microsoft's fileless threat taxonomy classifies fileless threats into three types by how much they touch the file system: Type I performs no file activity at all (the payload exists only in memory, or in firmware); Type II performs only indirect file activity, writing to stores that are not conventional files, such as the registry or the WMI repository; Type III requires files to operate, but the file (a document with a macro, a script handed to an interpreter) is only the entry point, and the malicious payload itself runs in memory.
You may also encounter synonymous terms in the wild. Memory-only malware, non-malware attacks, zero footprint attacks, and living off the land (LOTL) techniques all describe overlapping concepts within this threat category. The terms are not interchangeable, though. LOTL describes the abuse of legitimate, pre-installed tools, which most fileless attacks rely on, but LOTL activity need not be fileless (an attacker who copies a tool with net.exe and schedules it with schtasks.exe is living off the land with files), and a fileless attack need not use a native tool (an exploit that stages shellcode directly in a process's memory uses none).
Fileless malware is not a virus in the traditional sense. Traditional viruses replicate by attaching to files. Fileless malware operates through legitimate system processes, making it a fundamentally different threat category that demands different detection approaches.
Table: Key differences between fileless and traditional malware
Fileless malware follows a multi-stage attack flow. Understanding each stage — and the tools attackers abuse — is essential for building effective detection.
Typical fileless attack chain:
PowerShell remains the primary fileless execution vehicle on Windows. Attackers launch powershell.exe with a Base64-encoded command (the -EncodedCommand switch takes the UTF-16LE script as Base64, so it survives shells, scheduled-task fields and WMI consumer templates without quoting problems) that downloads and executes a payload without writing a file. PowerShell execution (T1059.001) is one of the most commonly observed techniques across real-world campaigns.
A typical pattern uses curl.exe or Invoke-WebRequest to retrieve a script from a remote server and hands the text straight to Invoke-Expression, or pipes curl.exe output into powershell.exe reading from standard input, so the script is parsed and run in memory and the only disk artifact is the command line itself. The Antimalware Scan Interface (AMSI) was designed to inspect script content at the point of execution, after decoding and de-obfuscation, but attackers continue to develop bypass techniques (patching AMSI in-process, downgrading to the PowerShell 2.0 engine where it is still installed), making AMSI an important but imperfect defense layer. Two things survive the encoding regardless: the launch flags (-w hidden, -nop, -ep bypass) remain visible in process-creation telemetry, and with Script Block Logging enabled the decoded script is written to event 4104 however it was delivered.
WMI abuse adds another dimension. Attackers create permanent WMI event subscriptions in the root\subscription namespace: an __EventFilter (a WQL query describing the trigger), an event consumer such as CommandLineEventConsumer or ActiveScriptEventConsumer (what to run), and a __FilterToConsumerBinding tying the two together. The subscription lives in the WMI repository and fires whenever the filter's condition is met. APT29's POSHSPY backdoor stored encrypted PowerShell commands within the WMI repository itself, with a WMI filter triggering periodic execution. As Mandiant's analysis documented, this gave APT29 persistent, fileless access running as SYSTEM with no artifacts outside the WMI repository. Legitimate software rarely creates such subscriptions, so enumerating them, or alerting on Sysmon events 19 to 21 and Microsoft-Windows-WMI-Activity/Operational event 5861, which record new filters, consumers and bindings, is a high-signal hunt.
Process injection (T1055) is the single most prevalent MITRE ATT&CK technique. The Picus Red Report 2026, analyzing 1.1 million malware samples, ranked it number one — and found that 80% of the top 10 techniques focus on defense evasion, persistence, and command-and-control.
Attackers inject malicious code into the memory space of trusted running processes — RuntimeBroker.exe, svchost.exe, OneDrive.exe — so the malicious activity executes under the context of a legitimate, signed binary. The February 2026 DEAD#VAX campaign demonstrated this with four-layer obfuscation and process injection into trusted Windows processes, using IPFS-hosted VHD files to bypass Mark-of-the-Web protections entirely.
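Process injection leaves a trace before any code runs: the injecting process must open a handle to its target with rights that allow writing memory and starting a thread, and Sysmon records that handle open as event 10 (ProcessAccess) together with the call stack of the opener. As an added example (not from the article), the Python below decodes the GrantedAccess mask, checks for the write-plus-thread combination, and flags call stacks that Sysmon marks UNKNOWN, meaning a frame that is not backed by any loaded module, which is what shellcode already running in a process looks like. The records, the source allowlist, the target list and the weights are constructed assumptions.

```python
"""Triage Sysmon event 10 (ProcessAccess) records for injection-capable handles.

Added example, not from the original article. Input is a constructed list of
records carrying the fields Sysmon logs (SourceImage, TargetImage, GrantedAccess,
CallTrace). Allowlist, target list and weights are assumptions to tune locally.
"""
import ntpath

# Standard Windows process access rights (winnt.h), lowest bit first.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
WRITE_PATH = 0x0008 | 0x0020   # VM_OPERATION + VM_WRITE: enough to plant code
CREATE_THREAD = 0x0002         # plus this: the classic CreateRemoteThread path

# Assumed: system processes that legitimately open others with broad access.
ALLOWLISTED_SOURCES = {"csrss.exe", "lsass.exe", "msmpeng.exe"}
# Hosts the article names as common injection targets.
COMMON_TARGETS = {"runtimebroker.exe", "svchost.exe", "onedrive.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\")


def decode_access(granted: int) -> list:
    """Expand a GrantedAccess mask into named rights, lowest bit first."""
    return [name for bit, name in PROCESS_RIGHTS.items() if granted & bit]


def triage_access(rec: dict) -> dict:
    granted = int(rec["GrantedAccess"], 16)       # Sysmon writes the mask as 0x... hex
    src = ntpath.basename(rec["SourceImage"]).lower()
    dst = ntpath.basename(rec["TargetImage"]).lower()
    rights = decode_access(granted)
    if src in ALLOWLISTED_SOURCES:
        return {"verdict": "allowlisted", "score": 0, "rights": rights, "reasons": []}
    reasons, score = [], 0
    if granted & WRITE_PATH == WRITE_PATH:
        reasons.append("write_path")
        score += 3
        if granted & CREATE_THREAD:
            reasons.append("remote_thread_capable")
            score += 2
    # Sysmon renders a return address with no backing module as UNKNOWN(addr):
    # the opener itself is already running from unbacked (injected) memory.
    if "UNKNOWN(" in rec.get("CallTrace", "").upper():
        reasons.append("unbacked_caller")
        score += 3
    if dst in COMMON_TARGETS:
        reasons.append("common_injection_target")
        score += 1
    if any(p in rec["SourceImage"].lower() for p in USER_WRITABLE):
        reasons.append("source_in_user_writable_path")
        score += 2
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"verdict": verdict, "score": score, "rights": rights, "reasons": reasons}


# Constructed records: a subsystem process doing its job, a dropper in %TEMP%
# opening RuntimeBroker with full access from unbacked code, and an inventory
# agent reading (not writing) svchost.
SAMPLES = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\csrsrv.dll+8a1c"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|UNKNOWN(000001E6C3F00420)"},
    {"SourceImage": r"C:\Program Files\Inventory\agent.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\KERNELBASE.dll+2b27e"},
]


def run_samples():
    return [triage_access(rec) for rec in SAMPLES]


if __name__ == "__main__":
    for rec, r in zip(SAMPLES, run_samples()):
        print(ntpath.basename(rec["SourceImage"]), "->", ntpath.basename(rec["TargetImage"]),
              r["verdict"], r["score"], r["reasons"])
```

Tune the allowlist against your own baseline rather than copying it: EDR agents, debuggers and some backup tools open processes with PROCESS_ALL_ACCESS routinely, and an allowlist keyed on image name alone can itself be spoofed, so pair it with the signer or path where the telemetry carries it.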
Registry-based persistence stores encoded payloads in registry values, ensuring survival across reboots while keeping the payload out of the file system; a small autorun or WMI stub reads the value, decodes it and runs it in memory. DLL sideloading, where attackers place a malicious DLL alongside a legitimate, digitally signed application so that the application loads it by name, has become a favored technique. Storm-0249 abused a SentinelOne signed binary for exactly this purpose, turning a security tool's own process into an attack vector. Strictly, sideloading is a Type III technique in Microsoft's taxonomy: the DLL does exist on disk, but it executes inside a trusted, signed process, which is what defeats allowlisting and reputation checks.
Fileless malware is no longer a Windows-only problem. Linux environments — which host the majority of enterprise cloud workloads — face their own set of fileless techniques:
The PostgreSQL fileless cryptomining campaign in April 2025 compromised over 1,500 servers using memfd_create(): the miner was written into an anonymous, RAM-backed file descriptor and executed through /proc/self/fd/N (or fexecve), so the binary never touched the filesystem and /proc/<pid>/exe resolves to "/memfd:<name> (deleted)" rather than a path. This demonstrated fileless attacks operating at commodity-cybercrime scale on Linux infrastructure. The attackers used per-target binary hash diversification to defeat reputation-based detection, a level of sophistication previously associated with advanced persistent threats.
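On Linux the memfd technique is invisible to a filesystem scan but loud in /proc: the exe link points at a memfd, the executable mapping has no path on disk, and the memfd itself is often still held open. As an added example (not from the article), the Python below inspects those fields for each process and reports what it finds; the snapshot is constructed to mirror what /proc exposes, and the collect_proc() helper reads the same fields from a live Linux host when run with enough privilege. The path prefixes treated as volatile are an assumption.

```python
"""Hunt memory-resident execution on Linux from /proc.

Added example, not from the original article. The snapshot below is
constructed to mirror what /proc/<pid>/{exe,cmdline,maps,fd} expose; the
collect_proc() helper reads the same fields from a live host when run as root.
The list of "volatile" path prefixes is an assumption.
"""
import os

VOLATILE_PREFIXES = ("/memfd:", "/dev/shm/", "/tmp/", "/var/tmp/")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def collect_proc(root="/proc"):
    """Read the fields this script inspects for every visible process (Linux only)."""
    snap = {}
    for pid in filter(str.isdigit, os.listdir(root)):
        base = f"{root}/{pid}"
        entry = {"exe": None, "cmdline": "", "maps": [], "fds": []}
        try:
            entry["exe"] = os.readlink(f"{base}/exe")
        except OSError:          # kernel thread, zombie, or no permission
            pass
        try:
            with open(f"{base}/cmdline", "rb") as f:
                entry["cmdline"] = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"{base}/maps") as f:
                entry["maps"] = f.read().splitlines()
            fd_dir = f"{base}/fd"
            entry["fds"] = [os.readlink(f"{fd_dir}/{n}") for n in os.listdir(fd_dir)]
        except OSError:
            pass
        snap[int(pid)] = entry
    return snap


def classify(entry: dict) -> list:
    """Return the findings for one process entry (empty list means nothing odd)."""
    findings = []
    exe, cmd = entry.get("exe") or "", entry.get("cmdline", "")
    if exe.startswith("/memfd:"):
        findings.append("memfd_exe")                    # exec'd from a memfd_create() fd
    elif exe.endswith(" (deleted)"):
        findings.append("deleted_exe")                  # binary unlinked after exec
    if exe.startswith(SCRATCH_DIRS):
        findings.append("exe_in_scratch_dir")
    if exe and cmd.startswith("[") and cmd.endswith("]"):
        findings.append("kernel_thread_masquerade")     # real kthreads have no exe link
    for line in entry.get("maps", []):
        parts = line.split(maxsplit=5)                  # addr perms offset dev inode [path]
        if len(parts) < 5:
            continue
        perms = parts[1]
        path = parts[5] if len(parts) > 5 else ""
        if "x" not in perms:
            continue
        if path == "" and "w" in perms and "anon_rwx_mapping" not in findings:
            findings.append("anon_rwx_mapping")         # writable+executable anonymous region
        if path.startswith(VOLATILE_PREFIXES) and "exec_from_volatile_mapping" not in findings:
            findings.append("exec_from_volatile_mapping")
    if any(fd.startswith("/memfd:") for fd in entry.get("fds", [])):
        findings.append("memfd_fd_open")
    return findings


def scan(snapshot: dict) -> dict:
    """Map pid -> findings for every process with at least one finding."""
    out = {}
    for pid, entry in snapshot.items():
        findings = classify(entry)
        if findings:
            out[pid] = findings
    return out


# Constructed snapshot: sshd, a memfd-loaded miner posing as a kernel thread,
# a miner that deleted itself from /tmp, a Python worker with an RWX JIT region,
# and a genuine kernel thread (no exe link, empty cmdline).
SNAPSHOT = {
    1312: {"exe": "/usr/sbin/sshd", "cmdline": "sshd: /usr/sbin/sshd -D [listener]",
           "maps": ["55d0c2a00000-55d0c2b2c000 r-xp 00000000 fd:01 1579 /usr/sbin/sshd",
                    "7ffd1c3f0000-7ffd1c411000 rw-p 00000000 00:00 0 [stack]"],
           "fds": ["/dev/null", "socket:[21873]"]},
    4471: {"exe": "/memfd:kthreadd (deleted)", "cmdline": "[kthreadd]",
           "maps": ["7f3b1c000000-7f3b1c2a0000 r-xp 00000000 00:01 8840 /memfd:kthreadd (deleted)"],
           "fds": ["/dev/null", "/memfd:kthreadd (deleted)", "socket:[30211]"]},
    5020: {"exe": "/tmp/.x/minerd (deleted)", "cmdline": "./minerd -o stratum+tcp://203.0.113.5:3333",
           "maps": ["5632a1c00000-5632a1f40000 r-xp 00000000 fd:01 41922 /tmp/.x/minerd (deleted)"],
           "fds": ["socket:[30566]"]},
    5100: {"exe": "/usr/bin/python3", "cmdline": "python3 /opt/app/worker.py",
           "maps": ["7f0a40000000-7f0a40021000 rwxp 00000000 00:00 0"],
           "fds": ["/dev/null"]},
    2: {"exe": None, "cmdline": "", "maps": [], "fds": []},
}

if __name__ == "__main__":
    for pid, findings in scan(SNAPSHOT).items():
        print(pid, SNAPSHOT[pid]["cmdline"], findings)
```

The anon_rwx_mapping finding is the noisy one: JIT engines (browsers, language runtimes) create writable-executable regions legitimately, so it is a pivot for a hunt rather than an alert on its own. memfd_exe, a deleted executable and a user process whose command line imitates a kernel thread are rare enough in production to page on.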
Understanding the classification of fileless malware helps security teams build appropriate detection for each variant. The table below combines Microsoft's Type I/II/III taxonomy with technique-based categories and emerging cloud variants.
Table: Classification of fileless malware by execution type and persistence mechanism
Fileless techniques are expanding into cloud environments, and defensive coverage of that shift lags behind the threat. Cloud workloads are particularly exposed because containers are ephemeral by design and frequently run from read-only images, so traditional file-based scanning has limited value even for conventional malware, and anything an attacker stages lives in memory or in a writable layer that disappears with the container.
Specific cloud fileless attack vectors include:
VoidLink, an AI-assisted cloud-native fileless framework discovered in January 2026, exemplifies this evolution. Built by a single developer with large language model assistance — reportedly producing roughly 88,000 lines of code — VoidLink targets cloud environments with fileless execution chains designed specifically to evade cloud workload protection platforms.
Real-world campaigns from 2025 and 2026 demonstrate how fileless techniques are deployed across every major attack surface. These examples — significantly more recent than the dated Poweliks (2014) and Kovter references found in most competing guides — reflect the current state of fileless threats.
Table: Recent fileless malware campaigns from 2025 to 2026
The integration of fileless techniques into ransomware operations is accelerating. According to Recorded Future, publicly reported ransomware attacks rose to 7,200 in 2025 compared to 4,900 in 2024 — a 47% increase. Fileless malware variants in ransomware toolkits have increased 40% (Gitnux, 2026), and 93% of organizations have experienced at least one ransomware-ready intrusion in the past 24 months.
Storm-0249's December 2025 campaign illustrates the pattern. The attack chain uses ClickFix social engineering to trick users into running a PowerShell command. That command downloads and executes a fileless payload via curl.exe piped into PowerShell, so no payload file touches disk at this stage. The payload then uses DLL sideloading through a legitimately signed security binary to establish persistence and deploy ransomware; the sideloaded DLL is the one on-disk component, hidden behind a signed host process. Every stage up to that point is fileless, so early detection depends on behavioral analysis of the ClickFix launch and the download cradle rather than on file scanning.
Detecting fileless malware requires a fundamental shift from file-based to behavior-based security. Traditional antivirus, which relies on scanning files for known signatures, cannot detect code that never exists as a file. The numbers reflect that: 79% of targeted attacks in 2023 used living-off-the-land binaries (KnowBe4, 2025), and 54% of attacker activity is logged but only 14% generates alerts (Picus Blue Report, 2025). The detection gap is real, but it is addressable with the right approach.
Behavioral threat detection monitors process behaviors, command parameters, and system changes rather than file signatures. The following indicators are specific to fileless malware activity.
Table: Behavioral indicators of fileless malware with detection mappings
The critical point is this: fileless malware evades endpoint detection by design, but it still generates network traffic. Every command-and-control communication, every lateral movement attempt, every data exfiltration event produces observable network behaviors. Payloads are almost always encrypted, so the signal is rarely in content; it is in metadata: which internal hosts talk to which external endpoints, how regularly, with what request sizes, and whether the destination is new to the environment.
Network detection and response (NDR) provides a complementary detection layer that catches what endpoint tools miss:
Combining EDR and NDR creates visibility across both the endpoint execution layer and the network communication layer — closing the gap that fileless malware exploits.
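The simplest network behavior a fileless implant cannot avoid is checking in with its operator, and a check-in on a timer is statistically unlike human-driven traffic. As an added example (not from the article), the Python below groups connection-log rows by source, destination and port and flags pairs whose inter-arrival times are too regular; it also folds gaps that are whole multiples of the period back to one period, so a beacon that missed a few check-ins (the host slept) is not hidden by the inflated variance. The log rows are constructed with a seeded generator in place of Zeek conn.log data, and the thresholds are assumptions.

```python
"""Flag beaconing in connection logs by inter-arrival regularity.

Added example, not from the original article. The connection log is
constructed (a seeded pseudo-random generator stands in for Zeek conn.log
rows); thresholds are assumptions to tune against a real baseline.
"""
import statistics
from collections import defaultdict
from random import Random


def build_sample_log():
    """Rows of (ts, src, dst, dport, orig_bytes) for one internal host."""
    rng = Random(7)
    rows = []
    beacon, t = [], 0.0
    for _ in range(40):                       # check-in every 60 s, up to 5 % jitter, fixed size
        t += 60 * (1 + rng.uniform(-0.05, 0.05))
        beacon.append((t, "10.0.0.23", "198.51.100.7", 443, 312 + rng.randint(-4, 4)))
    del beacon[25]                            # two missed check-ins -> two ~120 s gaps
    del beacon[10]
    rows += beacon
    t = 0.0
    for _ in range(40):                       # interactive browsing: bursty, varied sizes
        t += rng.expovariate(1 / 45)
        rows.append((t, "10.0.0.23", "192.0.2.80", 443, rng.randint(200, 20000)))
    for i in range(3):                        # hourly update check: regular but too few to judge
        rows.append((3600.0 * (i + 1), "10.0.0.23", "192.0.2.50", 443, 500))
    return sorted(rows)


def _cv(values):
    """Coefficient of variation: standard deviation relative to the mean."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def beacon_score(times, sizes, min_conns=8, max_cv=0.15):
    if len(times) < min_conns:
        return {"verdict": "insufficient", "n": len(times)}
    gaps = [b - a for a, b in zip(times, times[1:])]
    raw_cv = _cv(gaps)
    # Fold gaps that are whole multiples of the typical interval back to one
    # interval, so a few missed check-ins do not mask an otherwise regular beacon.
    period = statistics.median(gaps)
    folded = [g / max(1, round(g / period)) for g in gaps]
    cv = _cv(folded)
    return {"verdict": "beacon" if cv <= max_cv else "irregular", "n": len(times),
            "period_s": round(period, 1), "raw_cv": round(raw_cv, 3), "cv": round(cv, 3),
            "uniform_sizes": _cv(sizes) < 0.1}


def analyze(rows):
    """Group rows by (src, dst, dport) and score each flow pair."""
    flows = defaultdict(list)
    for ts, src, dst, dport, size in rows:
        flows[(src, dst, dport)].append((ts, size))
    out = {}
    for key, conns in flows.items():
        conns.sort()
        out[key] = beacon_score([c[0] for c in conns], [c[1] for c in conns])
    return out


if __name__ == "__main__":
    for key, result in analyze(build_sample_log()).items():
        print(key, result)
```

Two practical notes. First, jitter is the attacker's counter to this check, and a generous random jitter will push the coefficient of variation above any fixed threshold; request-size uniformity and destination novelty are the complementary signals to lean on when timing alone is inconclusive. Second, keep the minimum-connection floor: a handful of regular connections describes every software updater on the network.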
While no single control defeats fileless malware, the following measures significantly raise the cost for attackers:
For incident response, remember that fileless malware demands volatile evidence collection. Memory forensics must be prioritized because disk forensics alone will miss the primary artifacts, and a reboot or power-off destroys them. Fileless-specific IR playbooks should include memory capture as a first-response action, followed by the persistent stores that fileless attacks do use: the WMI repository (OBJECTS.DATA under System32\wbem\Repository), the registry hives, and the PowerShell script block and WMI-Activity event logs.
Mapping fileless techniques to the MITRE ATT&CK framework enables structured detection engineering. Rather than hunting for individual attacks, security teams can build detection coverage against the specific techniques fileless malware relies on — creating durable defenses that work against future campaigns, not just known ones. This approach aligns with the cyber kill chain methodology of disrupting attacks at every stage.
Table: MITRE ATT&CK techniques commonly used in fileless malware attacks
Fileless malware defenses map directly to compliance requirements across major frameworks.
Table: Compliance framework crosswalk for fileless malware detection controls
The detection landscape is evolving in response to fileless threats. Three converging trends are reshaping how organizations defend against memory-resident attacks.
First, XDR integration brings endpoint, network, and identity signals into a unified detection pipeline. Fileless attacks that evade any single detection layer still generate observable behaviors across multiple layers. Correlating an anomalous PowerShell execution on an endpoint with unusual outbound C2 traffic on the network produces a high-confidence signal that neither layer achieves alone.
Second, AI-driven behavioral analytics are maturing beyond rule-based detection. Organizations deploying AI-based defenses are reported to save an average of $1.9 million per breach compared to those without (industry estimate, 2025). These systems learn baseline behaviors and flag deviations, which is exactly the approach needed against fileless threats that blend with legitimate operations.
Third, the threat itself is evolving. SecurityWeek's Cyber Insights 2026 analysis highlights AI-powered polymorphic fileless attacks as an emerging trend, with PromptFlux and PromptSteal representing the first confirmed LLM-querying malware families. VoidLink's use of LLM assistance in framework development — producing roughly 88,000 lines of code — signals that AI is lowering the barrier to creating sophisticated fileless tooling.
Vectra AI's approach to fileless malware detection centers on the assume-compromise philosophy and Attack Signal Intelligence. Rather than relying on signatures or file-based indicators, the platform analyzes behavioral patterns across network and cloud environments to identify the command-and-control communications, lateral movement, and data exfiltration that fileless attacks inevitably generate — even when endpoint detection tools are evaded. This network-level behavioral analysis, backed by 35 AI patents and 12 references in MITRE D3FEND, provides a critical detection layer that complements EDR coverage and closes the visibility gap fileless malware exploits.
The fileless malware landscape is entering a new phase driven by AI capabilities on both sides of the offense-defense equation. Over the next 12 to 24 months, security teams should prepare for several developments.
AI-powered fileless attacks will become more sophisticated and accessible. The discovery of PromptFlux and PromptSteal — the first confirmed malware families that actively query large language models during operation — signals a shift toward malware that adapts in real time. VoidLink demonstrated that a single developer with LLM assistance can produce enterprise-grade fileless frameworks. As these tools proliferate, the volume of fileless attacks will increase even as the skill level required to launch them decreases.
Cloud-native fileless techniques will accelerate. As organizations migrate more workloads to containerized and serverless environments, attackers will follow. Container runtime exploitation via memfd, cloud API abuse, and Kubernetes-focused attacks represent the next frontier of fileless malware. Organizations should evaluate their cloud workload protection strategies for visibility into memory-resident threats — not just file-based vulnerabilities.
Regulatory frameworks will tighten requirements for advanced threat detection. The EU's NIS2 directive and evolving PCI DSS v4 requirements are already expanding what constitutes adequate malware protection. Fileless-specific detection capabilities — behavioral analysis, memory scanning, network anomaly detection — will increasingly become compliance requirements rather than optional enhancements.
Memory-harvesting malware will emerge as a distinct threat category. As data increasingly resides in memory during processing (including sensitive AI model data), attackers will target memory contents directly — shifting from using memory as an execution environment to treating it as a data extraction target.
Organizations that invest now in layered behavioral detection — across endpoints, networks, and cloud environments — will be positioned to address these emerging threats without a full architectural overhaul.
Fileless malware represents one of the most significant detection challenges facing modern security operations. By abusing trusted operating system tools and executing entirely in memory, these attacks bypass the file-based detection that the security industry relied on for decades. The campaigns documented here — from EggStreme to ShadowHS to Storm-0249 — demonstrate that fileless techniques now span Windows, Linux, and cloud environments, and are used by both nation-state actors and commodity cybercriminals.
The defense is clear but requires deliberate investment. Organizations need layered behavioral detection that combines endpoint visibility with network-level analysis. Signature-based tools alone create a false sense of security. Behavioral analytics, NDR, proactive threat hunting, and structured MITRE ATT&CK coverage provide the comprehensive detection that fileless malware demands.
Security teams ready to close the fileless detection gap can explore how Vectra AI's Attack Signal Intelligence provides behavioral detection across hybrid and multi-cloud environments — finding the attacks that other tools miss.
Fileless malware is a category of malicious activity that uses native, legitimate tools built into an operating system — such as PowerShell, WMI, and .NET — to execute cyberattacks without writing traditional executable files to disk. Instead of relying on malware binaries that antivirus can scan and detect, attackers leverage trusted system processes to run malicious code directly in memory. This approach makes fileless malware significantly harder to detect than traditional malware because there are no file hashes to match, no static files to analyze, and the malicious activity blends seamlessly with legitimate system operations. Microsoft classifies fileless threats on a three-tier spectrum (Type I through Type III), recognizing that the term "fileless" encompasses varying degrees of file system interaction. The practical impact for security teams is that signature-based detection tools provide essentially zero coverage against fileless threats, requiring a shift to behavioral analysis and network monitoring.
Fileless malware typically enters through a phishing email, exploit, or social engineering technique such as ClickFix. Once initial access is gained, the attacker leverages trusted system tools to execute commands in memory. PowerShell is the most common execution vehicle — attackers use encoded commands to download and run payloads without writing files. Persistence is established through mechanisms like WMI event subscriptions or registry entries that trigger on system events. From there, attackers use process injection to hide within trusted processes and move laterally using legitimate administrative protocols like SMB, WMI, or WinRM. Throughout this chain, the malicious activity runs under the identity of legitimate system processes, making it extremely difficult for file-based security tools to distinguish from normal operations.
Fileless malware is not a virus in the traditional sense. Traditional computer viruses are file-based programs that replicate by attaching themselves to other files or boot sectors. Fileless malware does not write executable files to disk and does not self-replicate in the same way. Instead, it operates through legitimate system processes and tools already present on the target system. The term "malware" is used broadly to encompass all malicious software regardless of whether it uses files, so fileless malware is best understood as a distinct category of threat that shares the malicious intent of traditional malware but uses fundamentally different execution and evasion methods.
Traditional antivirus and many endpoint protection solutions rely on scanning files on disk for known signatures or suspicious characteristics. Fileless malware defeats this approach entirely because it never creates traditional files. The malicious code executes in memory through trusted system tools like PowerShell and WMI, and the resulting process activity blends with legitimate system operations. There are no file hashes to match against threat intelligence databases, no static files to sandbox or detonate, and no disk artifacts for forensic investigation in many cases. According to ControlD's 2026 malware statistics, 54% of companies experience difficulty detecting fileless attacks that exploit built-in OS tools. The Picus Blue Report 2025 found that while 54% of attacker activity is logged, only 14% generates actual alerts — highlighting a massive gap between data collection and actionable detection.
Traditional signature-based antivirus cannot detect fileless malware because there are no malicious files to scan. Modern endpoint security solutions with behavioral detection capabilities, AMSI integration, and memory scanning can detect some fileless techniques — particularly PowerShell-based attacks where AMSI inspects script content at runtime. However, advanced fileless attacks that use process injection, WMI persistence, or Linux memfd execution often evade endpoint-only detection. The most effective approach combines endpoint detection and response (EDR) with network detection and response (NDR) and behavioral analytics, creating layered visibility that catches fileless threats through their observable behaviors — C2 communications, lateral movement patterns, and anomalous process activities — rather than through file signatures.
Prevention requires multiple defensive layers working together. Start with endpoint hardening: enable PowerShell Script Block Logging and Constrained Language Mode (enforced through a WDAC or AppLocker policy in enforce mode; setting it by environment variable alone is trivially undone), deploy EDR with behavioral detection capabilities, and implement application allowlisting through WDAC or AppLocker. Restrict access to administrative tools through least-privilege principles, limiting who can execute PowerShell, WMI commands, and other administrative utilities. Monitor WMI event subscriptions continuously, as legitimate WMI persistence is rare and new subscriptions warrant immediate investigation. Deploy NDR for network-level detection of the C2 communications and lateral movement that fileless attacks generate. Segment networks to limit blast radius. Conduct proactive threat hunting focused on fileless indicators. Finally, ensure incident response playbooks include memory forensics as a first-response action, since disk forensics alone will miss the primary fileless artifacts.
Traditional malware writes executable files to disk that security tools can scan, hash, and detect through signatures. Fileless malware operates primarily in memory using legitimate system tools, leaving minimal or no disk artifacts. This creates fundamentally different detection requirements. Traditional malware can be caught by antivirus scanning files at rest or during download. Fileless malware requires behavioral analysis — monitoring how processes behave, what commands they execute, and what network connections they make. Forensically, traditional malware leaves file paths, PE headers, and file hashes as evidence. Fileless malware requires memory forensics and event log analysis. Microsoft's Type I/II/III classification acknowledges that the boundary is not binary — many attacks fall on a spectrum between fully fileless and fully file-based, using legitimate file system artifacts like registry keys or WMI repositories for persistence while keeping the active payload in memory.