Fileless malware is malicious code that runs in a device's RAM by hijacking legitimate, trusted system utilities instead of installing files on the hard drive, which makes it much harder for traditional anti-malware to spot.
Fileless malware is a type of malware (CED 4.1.B) that does its damage without ever writing a file to your hard drive. Instead of dropping a program on disk, it loads straight into the device's memory (RAM) and runs there. To do that, it abuses tools that are already built into the operating system and trusted by it, like scripting engines and admin utilities. This is sometimes called "living off the land," because the attacker uses the system's own legit software as the weapon.
The payoff for an adversary is stealth. Most basic anti-malware scans the hard drive looking for known malicious files. Fileless malware has no file to find. And because RAM gets wiped when a device powers off, the evidence can disappear on reboot. It still does the same nasty things other malware does, so it fits right into EK 4.1.C.1: an adversary can use it to spy on user actions, run their own commands, or take control of the device, all while staying off the radar.
This term lives in Unit 4: Securing Devices, specifically Topic 4.1 Device Vulnerabilities and Attacks. It supports AP Cybersecurity 4.1.B (identify the type of malware used in a cyberattack), because the whole point is recognizing fileless malware by its behavior, not by a file signature. It also ties to 4.1.C (how adversaries exploit device vulnerabilities) since fileless attacks lean on exploits in software and legitimate utilities, and to 4.1.D (assessing risk) because something this hard to detect can quietly compromise sensitive data or critical operations. The big-picture theme: not all attacks leave obvious traces, so detection has to look at what software is doing in memory, not just what's sitting on the disk.
Malware (Unit 4)
Fileless malware is one flavor on the malware menu in EK 4.1.B. The difference isn't the goal, it's the method. Viruses and trojans drop files; fileless malware skips the file and lives in RAM instead.
Anti-malware (Unit 4)
Anti-malware that only scans the hard drive for known bad files will miss fileless malware completely. That's exactly why fileless attacks exist, and why modern defenses have to watch memory and program behavior, not just disk contents.
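The contrast this page keeps drawing (a disk scanner comparing file hashes against known-bad signatures versus a defense that watches what a program is actually doing in memory) is shown below as an added toy example in Python. It is not code from the study guide or from any anti-malware product; the process events, tool names and hashes are constructed placeholders, and the two scan functions are deliberately simplified stand-ins for the two detection approaches the text describes.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed hash list standing in for a disk scanner's signature database.
KNOWN_BAD_HASHES = {"sha256:constructed-known-bad-0001"}

# Generic labels for trusted built-in utilities (scripting engines, admin tools)
# that a "living off the land" attack abuses. Placeholder names, not real binaries.
TRUSTED_BUILTIN_TOOLS = {"script_engine", "admin_shell"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    name: str                    # image name of the running process
    file_hash: Optional[str]     # hash of the on-disk executable; None if no file exists
    unbacked_exec_memory: bool   # executable memory region with no file on disk behind it


def disk_signature_scan(events):
    """What a traditional anti-malware scan does: hash the files on disk and
    compare them against known-bad signatures. Memory is never inspected."""
    return [e.pid for e in events
            if e.file_hash is not None and e.file_hash in KNOWN_BAD_HASHES]


def behavior_scan(events):
    """Behavior- and memory-aware check: flag a trusted built-in utility that is
    executing code from memory with no backing file (the fileless pattern), or
    any process whose code has no on-disk file at all."""
    flagged = []
    for e in events:
        lives_off_the_land = e.name in TRUSTED_BUILTIN_TOOLS and e.unbacked_exec_memory
        no_file_at_all = e.file_hash is None
        if lives_off_the_land or no_file_at_all:
            flagged.append(e.pid)
    return flagged


# Constructed telemetry: four processes observed on one device.
SAMPLE_EVENTS = [
    ProcessEvent(100, "text_editor",   "sha256:benign-editor",              False),  # ordinary app
    ProcessEvent(200, "old_virus",     "sha256:constructed-known-bad-0001", False),  # classic file-based malware
    ProcessEvent(300, "script_engine", "sha256:benign-script-engine",       True),   # trusted tool running in-memory code
    ProcessEvent(400, "script_engine", "sha256:benign-script-engine",       False),  # same tool, legitimate use
]


def compare(events=SAMPLE_EVENTS):
    """Return (disk_hits, behavior_hits, missed_by_disk_only) for one set of events."""
    disk = disk_signature_scan(events)
    behav = behavior_scan(events)
    return disk, behav, sorted(set(behav) - set(disk))


if __name__ == "__main__":
    disk, behav, missed = compare()
    print("disk signature scan flagged:", disk)                  # [200]
    print("behavior/memory scan flagged:", behav)                # [300]
    print("fileless activity missed by disk-only scan:", missed)  # [300]
```

The disk scanner catches the old file-based sample (pid 200) because its file hash is on the list, and it has nothing to say about pid 300: the scripting engine's own executable is a legitimate, benign file, so the only evidence is the unbacked executable memory it is running. The legitimate use of the same tool (pid 400) is not flagged, which is the point of keying on behavior rather than on the tool's name alone.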
RAT (Remote Access Trojan) (Unit 4)
A RAT lets an adversary remotely control a device, and a fileless technique can deliver or hide that control. Same end goal from EK 4.1.C.1 (issuing their own commands), but fileless makes the intrusion much quieter.
Logic Bomb (Unit 4)
Both are sneaky malware types you identify by behavior. A logic bomb hides until a trigger condition is met; fileless malware hides by never touching the disk. Knowing the distinguishing trait of each is what 4.1.B is really testing.
Expect this as a multiple-choice identification question. A stem will describe the symptoms and ask you to name the term, for example: malicious code running in a computer's RAM that exploits legitimate system utilities and leaves no files on the hard drive. The correct answer is fileless malware. Your job under 4.1.B is to match the behavior (memory-resident, uses trusted built-in tools, no file on disk) to the right malware label and not get tricked into picking "virus" or "trojan." No released FRQ has used this term verbatim, but the concept supports the kind of vulnerability-and-risk reasoning that 4.1.C and 4.1.D questions reward.
A virus is a file you have to execute or open for it to activate, so it lives on disk and leaves a trace. Fileless malware never writes that file at all; it runs in memory by hijacking tools the system already trusts. The give-away words on the exam are "in RAM," "no files on the hard drive," and "legitimate system utilities," which all point to fileless, not virus.
Fileless malware runs in a device's memory (RAM) and never writes a file to the hard drive.
It works by abusing legitimate, trusted system utilities, a tactic often called "living off the land."
It's hard to detect because traditional anti-malware scans the disk for known bad files, and there's no file to find.
It still does standard malware damage like spying, running attacker commands, or taking control of a device (EK 4.1.C.1).
On the AP exam, the clue words "in RAM," "no files on disk," and "legitimate system utilities" all signal fileless malware.
It's malicious code that runs in a device's RAM by exploiting legitimate built-in system utilities instead of installing a file on the hard drive. It maps to Topic 4.1 and learning objective 4.1.B, where you identify malware types by their behavior.
No. A virus has to be activated by a user opening or executing a file, so it lives on disk. Fileless malware skips the file entirely and runs in memory, which is why it's so much harder to detect.
A trojan or RAT is delivered as software and typically leaves files behind, while fileless malware hides by staying in RAM and abusing trusted system tools. They can chase the same goal, like remote control, but fileless does it more stealthily.
Most basic anti-malware scans the hard drive for known malicious files, and fileless malware has no file on disk. It also lives in RAM, which gets wiped on reboot, so evidence can vanish.
Usually as a multiple-choice identification question. A stem describes code running in RAM that exploits legitimate utilities and leaves no files on the drive, and you pick "fileless malware" as the answer.