Malicious Actors Planting Fileless Malware on target machines using Event Logs

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS
Advisory ID:
ngCERT-2022-0076
Version:
N/A
CVE:
N/A
Published:
May 20, 2022

Summary


Unknown bad actors have developed a novel method of deploying fileless malware by injecting shellcode directly into Windows event logs. This method of payload storage had not been observed before, which underlines the importance of remaining vigilant against evolving threats. Fileless malware is malicious activity that carries out an attack using the native, legitimate tools already built into a system rather than files written to disk.

Description & Consequence


The attack begins with phishing that lures the unsuspecting victim into downloading a compressed file containing two penetration-testing tools, Cobalt Strike and SilentBreak. These tools are used to load the malware into the system's memory, making it "fileless": no trace of it is written to the system's local drive, which makes it difficult for traditional signature-based anti-malware tools to detect.

The encrypted shellcode that contains the payload is then injected into the event logs, while a launcher is placed on disk for side-loading. The launcher is harmless on its own; it becomes dangerous only when combined with the shellcode hidden in the event logs. Together they allow a Trojan to be delivered and the attack to be carried out.

A compromised computer can be infected with a Remote Access Trojan (RAT), which grants the cybercriminal unfettered and unauthorized remote access to the victim's device. This can include covert surveillance and the granting of administrative privileges.
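Because the shellcode is encrypted and stored in a log rather than on disk, one defensive heuristic is to look for event records whose data field is unusually large and near-random, unlike the short text most providers write. The script below is an added illustration, not code from the advisory or from any vendor; the record layout, thresholds and sample records are all constructed assumptions.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class EventRecord:
    """One event log record; only the fields the heuristic needs (assumed layout)."""
    source: str
    event_id: int
    data: bytes  # raw EventData payload as stored in the log


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_hidden_payload(rec: EventRecord, min_size: int = 4096,
                              min_entropy: float = 7.0) -> bool:
    """Flag records whose data is both large and near-random: typical of an
    encrypted blob, atypical of the short messages most providers log."""
    return len(rec.data) >= min_size and shannon_entropy(rec.data) >= min_entropy


def scan(records):
    """Return the records that deserve an analyst's attention."""
    return [r for r in records if looks_like_hidden_payload(r)]


# Constructed sample records (not real log data). A seeded RNG stands in for an
# encrypted blob; a real scan would pull records from the live event log.
_rng = random.Random(2022)
SAMPLE_RECORDS = [
    EventRecord("Service Control Manager", 7036,
                b"The Print Spooler service entered the running state."),
    EventRecord("ExampleProvider", 1, bytes(8192)),            # large but all zeros
    EventRecord("ExampleProvider", 1, _rng.randbytes(8192)),   # large and high-entropy
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"suspicious: source={hit.source} id={hit.event_id} "
              f"size={len(hit.data)} entropy={shannon_entropy(hit.data):.2f}")
```

The zero-filled record shows why size alone is a poor signal; a padded but legitimate record is large without being random. Thresholds should be tuned against a baseline of the logs in your own environment.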

Solution


  • Keep your software up to date.
  • Monitor and lock down PowerShell, and enable its built-in security features.
  • Minimize administrative privileges.
  • Install a comprehensive endpoint security solution with anti-APT (Advanced Persistent Threat) and EDR (Endpoint Detection and Response) capabilities.
  • Adhere strictly to your organization’s cybersecurity policy (if any).
