Fileless Malware Definition

KZero Staff
Jul 27, 2023

What is Fileless Malware?

Often, people think of malware as malicious executable files that are downloaded and run on a computer. However, some types of malware don’t involve a standalone executable.

These fileless malware variants are never stored on disk and use legitimate system software and processes to achieve their goals. By using these legitimate processes and “living off the land,” these malware make themselves much more difficult to detect.

Why Do Cybercriminals Use Fileless Malware?

Traditional antivirus and antimalware programs are file-centric. For example, an antivirus typically works by scanning each file stored in a computer’s filesystem for signs of malicious functionality.

Fileless malware was developed to evade these types of defenses. Fileless malware only exists in random access memory (RAM), where running programs are stored. By never storing a file on disk, these malware variants can be invisible to antivirus that focus on scanning the filesystem for malware

Characteristics of Fileeless Malware

Fileless malware is defined by a few attributes, including the following:

  • Memory Residence: Fileless malware exists only in system RAM with no files stored on disk. Memory-resident malware will disappear when the system is rebooted, making it more difficult to detect.
  • Living Off the Land: Fileless malware uses legitimate system tools to achieve its goals. For example, PowerShell, Windows Management Instrumentation (WMI), and JavaScript have desirable functionality for an attacker but are difficult to differentiate from legitimate activities.
  • Registry Exploitation: The Windows Registry is the configuration file for the Windows operating system. Fileless malware will make edits to the registry that executes the malware after a system reboot, enabling it to persist without storing data on disk.
  • Evasion and Obfuscation: Avoiding storing files on disk makes malware more difficult to detect. Additionally, fileless malware may use encryption, obfuscation, and similar techniques to hide from more advanced security tools that use heuristic or behavioral analysis.

Fileless Malware Infection Vectors

Fileless malware needs a means of loading the malicious code into RAM on a target system. Some common infection vectors include:

  • Phishing: Fileless malware often spreads via phishing emails containing infected attachments. For example, a Word document may have malicious macros that load the malware into memory.
  • Drive-By Downloads: An infected or malicious website may have malicious scripts embedded in it. These scripts could exploit vulnerabilities to run code in the computer’s RAM.
  • Malvertising: Malicious advertisements can contain malicious scripts as well. Clicking or viewing the malicious ad infects the computer.

Protecting Against Fileless Malware

Fieleless malware is designed to evade traditional antimalware defenses. Some ways to defend against this malware include:

  • Behavioral Detection: While fileless malware evades file-based detection, it still exhibits malicious behavior. Security solutions focused on identifying malicious behavior can identify these malware variants.
  • Patch Management: Often, fileless malware will exploit vulnerabilities to gain execution on a computer. Promptly applying patches and updates can help to close these security holes before they can be exploited.
  • User Training: Fileless malware commonly infects computers via phishing and social engineering. Training users to identify and avoid malicious emails and websites reduces the risk to the organization.


Fileless malware is a type of malware that avoids storing data on disk. Instead, they live in memory and use built-in system functions to achieve their malicious goals.

KZero Staff

Explore more insightful content from the knowledgeable KZero staff on our blog and guides section.

Glossary Terms

Stay up to date with the most recent #infosec topics

Trending Topics

Interested In
Next-Gen MFA?

Discover Multi-Pass enterprise passwordless authentication

Share the page: