Fileless malware lives in your RAM, never touches your hard drive, and can steal your credentials before your antivirus knows it's there.
In this episode of The Backup Wrap-up, I sit down with Dr. Mike Saylor — my co-author on Learning Ransomware Response & Recovery — to break down one of the sneakiest attack types in the cybersecurity world: fileless malware. We also get into why a lot of MFA implementations give you a false sense of security, why passkeys are the answer, and when it's time to level up to an EDR or XDR tool.
Fair warning — this one's a bit of a 401k episode. Make sure you've got the basics handled first. But this is absolutely something you need to know about.
00:01:26 - Welcome & intro
00:04:43 - What is fileless malware?
00:09:16 - How fileless malware achieves persistence (ArcGIS case study)
00:15:02 - Can fileless malware spread beyond one machine?
00:16:43 - Defending yourself: MFA done right
00:20:38 - Why passkeys beat MFA
00:23:00 - EDR and XDR explained
00:28:03 - How modern EDR tools detect fileless malware
00:30:01 - Wrap-up and action items
Here's what we get into: fileless malware doesn't install anything. It loads directly into memory — RAM — and uses what's already on your system to do its dirty work. Traditional antivirus looks for stuff written to disk. Fileless malware doesn't write to disk. So your antivirus is essentially blind to it. And because memory gets wiped on reboot, you might think a restart cleans things up. Nope. Bad guys figured that out too. They modify the registry or rewrite parts of the operating system so that when the machine comes back up, they're right back in memory. The ArcGIS attack Mike references is a perfect example — attackers were embedded for two years before anyone noticed.
We also talk about where fileless malware goes after it gets in. Memory is where your credentials live — session tokens, admin logins, RDP sessions. Fileless malware is often laser-focused on harvesting those credentials and handing them off to initial access brokers or using them to move laterally across your network. It's the silent, stealthy phase-one foothold. And it can escalate fast.
On the defensive side, Mike gets into MFA — and he's got some strong opinions. MFA is good. But MFA done wrong is almost as bad as no MFA. If you're saving credentials in your browser, trusting machines so you skip the prompt, or letting session tokens sit in your cache, fileless malware can grab all of that and hijack your sessions without triggering a single alert. The answer is phishing-resistant MFA — and ideally, passkeys.
And when you're ready to take things to the next level, it's time for EDR. Endpoint Detection and Response tools — especially the newer ones with AI built in — don't just look for files. They watch memory, analyze behavior, sandbox new processes, and can isolate a machine or suspend a user account the moment something looks wrong. Pair that with XDR and you've got visibility across east-west and north-south traffic — everything inside your network and everything coming in and out.
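The registry-based persistence described above is exactly the kind of thing an EDR flags on behaviour rather than on a file hash: the autorun entry itself is usually a one-line invocation of PowerShell, mshta or another built-in interpreter with the payload inline or encoded, so there is no dropped executable to scan. The following Python script is an added illustration of that detection logic; it is not code from the episode, the book or any EDR product. It runs over constructed sample Run-key entries embedded in the script (the base64 string decodes to a harmless "echo hi"), and the key paths, value names and indicator patterns are assumptions chosen for the example.

```python
import re

# Constructed sample autorun entries, not read from any real machine.
SAMPLE_AUTORUNS = [
    {
        "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        "name": "OneDrive",
        "value": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    {
        "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        "name": "Updater",
        # Hidden, profile-less PowerShell with an encoded command; the
        # base64 here is UTF-16LE "echo hi", a benign constructed stand-in.
        "value": r"powershell.exe -nop -w hidden -enc ZQBjAGgAbwAgAGgAaQA=",
    },
    {
        "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
        "name": "Helper",
        "value": r"mshta.exe javascript:alert('hi')",
    },
    {
        "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
        "name": "Sync",
        # Interpreter host with an on-disk DLL: worth a look, not an alarm.
        "value": r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Start',
    },
]

# Interpreters and living-off-the-land hosts that a memory-only loader
# typically invokes from an autorun entry instead of dropping its own EXE.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|cmd)(\.exe)?\b",
    re.IGNORECASE,
)

# Reason name -> regex matched case-insensitively against the command line.
INDICATORS = {
    "encoded_command": r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}",
    "hidden_window": r"-(?:w|windowstyle)\s+hidden",
    "no_profile": r"-(?:nop|noprofile)\b",
    "inline_script": r"(?:javascript|vbscript):|\b(?:iex|invoke-expression)\b",
    "remote_fetch": r"https?://|downloadstring|webclient|invoke-webrequest",
}


def classify_autorun(value: str) -> list:
    """Return the reasons an autorun command line looks like a memory-resident
    loader. An empty list means nothing suspicious was found."""
    reasons = []
    if INTERPRETERS.search(value):
        reasons.append("script_interpreter")
    for reason, pattern in INDICATORS.items():
        if re.search(pattern, value, re.IGNORECASE):
            reasons.append(reason)
    return reasons


def audit_autoruns(entries: list) -> list:
    """Classify every entry; an interpreter plus at least one payload
    indicator is 'high', an interpreter alone is 'review'."""
    findings = []
    for entry in entries:
        reasons = classify_autorun(entry["value"])
        if not reasons:
            continue
        severity = (
            "high" if "script_interpreter" in reasons and len(reasons) > 1 else "review"
        )
        findings.append(
            {"key": entry["key"], "name": entry["name"],
             "severity": severity, "reasons": reasons}
        )
    return findings


if __name__ == "__main__":
    for finding in audit_autoruns(SAMPLE_AUTORUNS):
        print(f"[{finding['severity']}] {finding['key']}\\{finding['name']}: "
              + ", ".join(finding["reasons"]))
```

On a live Windows host you would feed `audit_autoruns` the values read from the Run and RunOnce keys (for example with the standard `winreg` module) instead of the constructed list, and extend the same idea to scheduled tasks, WMI event subscriptions and services. The point of the scoring is the one the episode makes: the file-based antivirus question ("is this executable known bad?") never gets asked, because the only artifact is a command line that tells a trusted interpreter to rebuild the payload in memory at every boot.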
This is advanced stuff. But it's the kind of advanced stuff you need on your radar.
🎙️ Listen to the episode: https://www.backupwrapup.com/fileless-malware-attack-lives-in-memory-leaves-no-trace
📖 Get the book — Learning Ransomware Response & Recovery:
O'Reilly: https://www.oreilly.com/library/view/learning-ransomware-response/9781098169572/
Amazon: https://www.amazon.com/Learning-Ransomware-Response-Recovery-Stopping/dp/1098169581
🛡️ Check out what Mike and I are building: https://www.stopransomware.com