What Is Fileless Malware? A New Cyber Threat Rises

All the malware you know and fear relies on files to store data used in the execution of malicious deeds. Indeed, no program could function on your device without files, right?

Wrong. Experts have identified a brand-new variety of malware that allows viruses to spread without planting files on victims’ computers. If you want to avoid this emerging threat, read on to learn all you can about fileless malware — and what it means for security of the future.

How Does Fileless Malware Work?

Traditionally, malware worked like this: A cybercriminal would corrupt a website, a link or an email attachment and trick unassuming users into interacting with it. When the user clicks, a program would launch, installing files onto the user’s device, which would execute certain actions giving the criminal exactly what they want, e.g. control over the device, access to valuable data, etc. Users and their antivirus programs identify malicious files and delete them, preventing the malware from wreaking extensive havoc.

However, as you might already suspect, fileless malware doesn’t work like that. Instead, fileless malware attacks take advantage of default Windows tools. By doing this, attackers can avoid the costly and time-consuming effort of building malware; they can strike swiftly and effectively at a large number of machines, and existing security tools can do little to stop them.

PowerShell and Windows Management Instrumentation (WMI) are criminals’ tools of choice. Both are installed on every Windows machine, and both are capable of carrying out commands that hackers use to profit.

PowerShell is a scripting language used and trusted by Windows OS, and commands executed by PowerShell are typically ignored by existing cybersecurity tools. Plus, PowerShell can run remotely, which means cybercriminals do not need physical access to exploit this tool. Because PowerShell has unrestricted access to a PC’s inner core and APIs, attackers can almost guarantee themselves complete admin control over a device.

Meanwhile, WMI is a tool used by administrators to perform a variety of actions, including gathering metrics, installing software and updates or querying the OS. Thus, WMI has access to every resource on a computer, making it a useful tool to cybercriminals. Because WMI runs like a backbone across a network, attackers can quickly and silently gain access to the network through WMI. Worst of all, WMI cannot be uninstalled, and it can’t be disabled without crippling an administrator’s ability to access the network.

What Are Examples of Non-malware Attacks?

Infosec researchers have determined that nearly a third of all attacks on businesses in 2017 were fileless, which means similar attacks on consumers likely aren’t far behind. Already, there are two massive fileless malwares circling the web:

Operation Cobalt Kitty

Because Cobalt Kitty targeted an Asia-based corporation — as opposed to an American one — it failed to make many headlines in the U.S. Still, this fileless attack was among the first of its kind, and it demonstrated just how successful a fileless method could be. Hackers’ goals were corporate espionage, and they build a sophisticated PowerShell infrastructure to sustain the attack for more than a year without detection.


Unlike Cobalt Kitty, which was an entire strategy for launching an attack and collecting data, CactusTorch is a tool used to facilitate fileless attacks. Still, malware utilizing the tool is increasing in popularity; more than 35 variants of CactusTorch have been discovered in recent months, signifying a likely increase in the number of fileless attacks using the tech.

How Can You Possibly Protect Yourself?

It is important to remember that fileless malware is new, which means it is rare compared to the swarms of malicious programs already established online. Thus, the first thing you should do to keep your machine and network safe is acquire traditional, trustworthy antivirus and internet security solutions. Though these are not yet well-equipped to recognize and thwart fileless attacks, they will protect your device and data from the more plentiful file-full malware crowding the web.

Next, you should research how your computer’s manufacturer is working to counteract these attacks. Aside from sorting through each and every PowerShell log — which, considering how essential Microsoft made PowerShell to the function of its devices, would take nearly all your time and effort — there is little you or any individual security professional can do to identify and end a fileless attack. Instead, it will largely be Microsoft’s responsibility to develop solutions to this emerging problem. By keeping abreast of their efforts and perhaps even contacting them to express your concerns, you are likely to receive necessary protections sooner.