
Fileless malware, or: The Ghost In The Machine

Author: Stefan Feist, Technical Writer (https://www.linkedin.com/in/stefan-feist-23b257b0/)

Imagine a burglar breaking into your house without leaving any footprints or fingerprints. That’s exactly how fileless malware operates: invisible to traditional security systems, but extremely dangerous. In our blog article, you can find out what fileless malware is and how you can defend yourself against attacks.

25.11.2025 | Last edited: 25.11.2025

What is fileless malware?

Traditional malware embeds itself as a file on your hard drive. Fileless malware, on the other hand, does not require classic executable files. It uses system tools and remains mainly in the RAM of the affected system. The insidious thing about it is that all traces of an attack often disappear completely – as if nothing had ever happened.

This approach is often referred to as “living off the land” and is characterized by attackers misusing tools that are available on every Windows system, such as PowerShell. Since these tools are part of normal system operation, traditional antivirus programs are ineffective against these attacks.

Fileless malware allows systems to be compromised and data to be spied on or encrypted without anyone noticing and without a malware file ever being present. For attackers, executing without files has decisive advantages: the attack is difficult for researchers to trace and leaves few traces.

Modularity makes it particularly dangerous

Unfortunately, one of the advantages and special features of NoSpamProxy is also what makes fileless malware so special: modularity. Individual components – from bypassing security mechanisms and obfuscation techniques to data extraction – are developed as modules, so the malware consists of individual parts that can be quickly combined and adapted.

Attackers can therefore further develop their tools without changing the overall system. The areas of application range from simple loaders for further malware to remote access Trojans (RATs), which enable full access to target systems, to ransomware.

How does an attack with fileless malware work?

Cyberattacks are part of everyday life for companies around the world, and email is also the main gateway for fileless malware. The reason is clear: emails are ubiquitous and are opened billions of times every day. Infection occurs primarily through phishing emails with malicious links or through macros in Office documents that trigger the execution of the actual malware. Another source of infection is software vulnerabilities, which also cause the malware to be executed.

A typical attack scenario starts innocently: you receive an email that looks like an invoice, a job application, or a document from a business partner. Attached is a Word or Excel document. When you open it, a message appears: “Macros must be enabled to view the content.”

If you now click on “Enable content,” a malicious macro starts PowerShell commands in the background that load malware directly into the RAM, undetectable by your antivirus software. The Emotet campaigns of recent years have perfected this method.

In addition to macros, links to fake websites are also used, which execute JavaScript code that exploits browser vulnerabilities and transfers malicious code directly to the memory.

HTML attachments or .hta files (HTML Applications) are particularly insidious. These are executed directly by the browser or Windows and can launch PowerShell commands without further warning messages.

How can you protect yourself against fileless malware?

As mentioned above, an attack with fileless malware begins like any other phishing attack: with an infected email. NoSpamProxy has multiple layers of protection that are specifically designed to intercept fileless malware at the email gateway before it reaches end devices.

• Checking sender reputation

  NoSpamProxy uses SPF, DKIM, and DMARC for sender reputation to verify that emails actually originate from the specified sender. This prevents email spoofing and phishing attacks, which often serve as a gateway for attacks with fileless malware. NoSpamProxy 25Reports is helpful for maintaining and monitoring the DMARC policy.

• Content Disarm and Reconstruction (CDR)

  The CDR function enables attachments in Word, Excel, or PDF format to be converted automatically into harmless PDF files based on rules. Many other formats, such as executable files, can be recognized, so that the attachment is blocked or the entire email is rejected. This protects against fileless malware because:

  • Macros in Office documents are not executed.
  • The recipient receives a cleaned document without dangerous content.
  • If desired, the original document remains in quarantine and can only be accessed after admin approval.

• 32Guards Sandbox

  The 32Guards sandbox service analyzes files and command-and-control traffic, i.e., the data exchange between an infected computer and its “master” on the network. Before a file is uploaded to the sandbox by NoSpamProxy, NoSpamProxy creates a hash value and asks the sandbox whether it already knows this value. If the hash is known, it also asks whether it has been classified as good or bad.

• URL Safeguard

  The URL Safeguard rewrites links in emails. Optionally, links in text-based attachments can also be rewritten. URL Safeguard in NoSpamProxy evaluates the links.

  In NoSpamProxy, URL Safeguard works together with 32Guards and prevents access to links that have been identified as malicious after delivery. This allows links in emails to be rechecked every time they are clicked. This clarifies the following questions:

  • Are there any current threats on this domain?
  • Is the site known for phishing, malware, or fraudulent behavior?
  • Does the site contain suspicious redirects, forms, or exploits?
  • Has the target page changed since the original email was sent?

  If the link is classified as safe, access to the original URL is allowed; if the link is classified as dangerous, access is blocked.

• CxO Fraud Detection

  CxO Fraud Detection in NoSpamProxy detects targeted attacks where attackers impersonate executives. This social engineering tactic is widely used in fileless malware campaigns.
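The rewrite-then-recheck behaviour described for URL Safeguard can be illustrated with a short Python sketch. It is an added example and not NoSpamProxy's implementation: the gateway address, the demo key, the `verdicts` lookup table and the HMAC-signed link format are all assumptions of this sketch, and the sample mail body is constructed.

```python
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

GATEWAY = "https://safeguard.example.invalid/click"   # hypothetical gateway URL
KEY = b"constructed-demo-key"                         # hypothetical signing key
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _sig(url: str) -> str:
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()

def rewrite_links(body: str) -> str:
    """At delivery: replace every http(s) link with a signed gateway link."""
    def repl(match: re.Match) -> str:
        url = match.group(0)
        return f"{GATEWAY}?u={quote(url, safe='')}&s={_sig(url)}"
    return URL_RE.sub(repl, body)

def resolve_click(link: str, verdicts: dict) -> tuple[str, Optional[str]]:
    """On every click: verify the link, then apply the verdict known right now."""
    query = parse_qs(urlsplit(link).query)
    url, sig = query.get("u", [""])[0], query.get("s", [""])[0]
    if not hmac.compare_digest(sig.encode(), _sig(url).encode()):
        return ("reject", None)       # altered link: gateway is no open redirector
    host = urlsplit(url).hostname or ""
    if verdicts.get(host) == "malicious":
        return ("block", None)        # classified as dangerous after delivery
    return ("allow", url)             # classified as safe: original URL released

if __name__ == "__main__":
    # Constructed sample: the target host is clean at delivery, flagged later.
    mail = "Your invoice: http://files.example.test/inv?id=7 Regards"
    link = rewrite_links(mail).split()[2]
    print(resolve_click(link, {}))
    print(resolve_click(link, {"files.example.test": "malicious"}))
```

Because the verdict is looked up at click time, a link that was harmless when the email arrived is still blocked once its host is reclassified.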

Not yet using NoSpamProxy?

With NoSpamProxy Protection and 25Reports, you can reliably protect your company from dangerous whaling emails and benefit from many other security features. Request your free trial now!
