A sophisticated attack campaign was detected using a never-before-seen technique to stealthily plant fileless malware on targeted machines. Researchers uncovered the campaign in February and believe that the unidentified adversaries have been active for the past month.

About the new tactic

Researchers reveal that the newly adopted technique involves injecting shellcode directly into Windows event logs. This allows adversaries to use the Windows event logs as a shield to launch trojans in the last stage of the infection chain.
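One way to hunt for payloads parked in event logs, added here as an example and not taken from the researchers' report: scan events exported as XML (for instance with `wevtutil qe Application /f:xml /e:Events`) for records whose `<Binary>` data is both large and high-entropy. The thresholds, the provider names and the sample events are assumptions constructed for illustration, as is the premise that a stored payload looks encrypted or packed.

```python
import hashlib
import math
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MIN_BYTES = 1024    # assumed threshold for "unusually large" binary event data
MIN_ENTROPY = 6.5   # assumed threshold, bits/byte; encrypted or packed data is near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_records(xml_text: str):
    """Return (EventRecordID, provider, size, entropy) for large, high-entropy binary data."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        rec_id = ev.findtext("e:System/e:EventRecordID", default="?", namespaces=NS)
        provider = ev.find("e:System/e:Provider", NS)
        name = provider.get("Name", "?") if provider is not None else "?"
        for node in ev.iterfind("e:EventData/e:Binary", NS):
            try:
                blob = bytes.fromhex((node.text or "").strip())
            except ValueError:
                continue  # malformed hex: skip the record rather than abort the scan
            h = shannon_entropy(blob)
            if len(blob) >= MIN_BYTES and h >= MIN_ENTROPY:
                hits.append((rec_id, name, len(blob), round(h, 2)))
    return hits


def _event(rec_id: int, provider: str, blob: bytes) -> str:
    """Build one constructed event in the exported XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f"<EventRecordID>{rec_id}</EventRecordID></System>"
            f"<EventData><Binary>{blob.hex().upper()}</Binary></EventData></Event>")


# Constructed sample: hash output stands in for an encrypted blob; it is not shellcode.
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 bytes
SAMPLE = ("<Events>" + _event(101, "ExampleService", b"\x00" * 16)   # small, benign
          + _event(102, "ExampleService", b"\x00" * 4096)            # large, low entropy
          + _event(103, "ExampleProvider", NOISE) + "</Events>")     # large, high entropy

print(suspicious_records(SAMPLE))
```

Only record 103 is reported; the large all-zero record 102 shows why size alone is not a useful signal.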

Other details about the attack

  • The first stage of the attack chain starts with enticing victims to download a compressed RAR file from fake websites that appear legitimate.
  • Once the booby-trapped file is downloaded, it executes penetration testing tools called Cobalt Strike and SilentBreak. These tools are further used to deliver shellcode on targeted machines.
  • Cobalt Strike and SilentBreak utilize separate anti-detection AES decryptors, compiled with Visual Studio.
  • According to researchers, the attackers also leverage digital certificates and a variety of other anti-detection wrappers to bypass security checks.
  • The attackers employed two types of trojans for the last stage. One kind of trojan was delivered over HTTP with RC4 encryption; the other type was executed with named pipes.

Another observed fileless malware attack 

  • Fileless malware attacks have never gone away and remain a significant threat in the cyber landscape.
  • Recently, IBM Security X-Force also shared details about a new fileless malware variant dubbed DarkWatchman.
  • The malware was delivered via phishing emails that appeared to be an official letter from the Russian Government’s Federal Bailiffs Service.
  • The financially-motivated Hive0117 cybercriminal group had used the fileless malware to target users in the Telecommunications, Electronics, and Industrial sectors across Lithuania, Estonia, and Russia.


Given the evolving nature of criminal activities to stealthily plant malicious code on compromised systems, it is highly likely that fileless malware is here to stay for a long time. Therefore, organizations must bolster their endpoint defense systems to detect and thwart any malicious activities in the early stage.

Cyware Publisher