Malware-free attacks: The threat to businesses
Malware-free attacks are a growing risk – what can businesses do to mitigate them?


Attackers often use malware to target business systems. But recently, ‘malware-free’ attacks – in which adversaries instead abuse existing tools to target devices – have been growing in popularity.
The figures are concerning. According to CrowdStrike’s 2025 global threat report, cyber attacks leveraging trusted services to conduct malicious activities are becoming the norm.
In fact, the shift towards malware-free attack techniques was one of the defining trends shaping the threat landscape over the past five years, the security outfit found. 79% of CrowdStrike's threat detections were malware-free malicious activity in 2024, compared to 40% in 2019.
Malware-free attacks, also known as living off the land (LotL) attacks, are not a new concept. However, the risk for businesses is growing as technology such as AI and cloud offers more opportunities for adversaries to strike. So, what can businesses do to mitigate this increasing threat?
Turning tools against their owners
Malware-free attacks are attractive to adversaries because they are relatively simple to perform.
Unlike traditional attacks that rely on malicious software designed to compromise a system, malware-free attacks exploit tools and processes already present in the victim’s environment, says Axel Maisonneuve, technical education contributor at BSV Association. “Attackers do not introduce external code, but instead abuse vulnerabilities in software, misconfigurations or compromised credentials to achieve their objectives.”
Malware-free attacks are impactful because they enable adversaries to hide, allowing them to cause damage and steal data without being spotted. Criminals can leverage fileless techniques, PowerShell abuse, RDP exploits and social engineering to “infiltrate systems undetected”, says Gerald Beuchelt, CISO at Acronis. He describes malware-free attacks as “stealthy, effective and difficult to attribute”.
Cloud services, remote monitoring and management tools and valid accounts are all used to perform malware-free attacks. Cloud has become “a top target” due to its widespread use and the potential for “significant impact”, says Dani Waugh, IT security manager at Markerstudy. “Attackers often gain initial access via valid accounts and then leverage cloud environment management tools for lateral movement.”
Adversaries also use weaponized ads to distribute malicious loaders and files, says Beuchelt. “By leveraging weak or stolen credentials, they gain direct access to internal systems, logging in as legitimate users without the need to deploy malware,” he says.
Tools such as PowerShell and Windows Management Instrumentation are frequently abused for lateral movement, credential dumping and reconnaissance, according to Beuchelt. “Additionally, supply chain attacks against commercial products and open source software projects allow adversaries to compromise software updates or inject malicious code into legitimate applications, so victims unknowingly install backdoors,” Beuchelt warns.
The ability to remain hidden is leading advanced cybercriminal and nation-state groups to leverage malware-free attacks. For example, state-backed gangs such as APT29 – AKA Midnight Blizzard – used cloud services for covert data exfiltration in the 2020 SolarWinds attack. Meanwhile, APT38 – or Lazarus Group – leveraged stolen credentials and PowerShell scripts to infiltrate cryptocurrency firms, according to Beuchelt.
Evolving technology
Malware-free attacks could get even worse as technology continues to evolve. “The use of artificial intelligence and machine learning by attackers to automate and enhance their techniques will likely make these attacks more sophisticated and harder to detect,” Waugh warns.
Indeed, the growing reliance on cloud-based infrastructure, remote work, and hybrid work provides attackers with more entry points and opportunities to exploit misconfigurations and weak access controls, agrees Aditya Sood, VP security engineering and AI strategy, Aryaka.
At the same time, living off the land techniques will become more sophisticated, with attackers developing more complex ways to misuse trusted tools, Sood predicts.
Taking this into account, it’s important for businesses to assess their risk and put measures in place to protect themselves against malware-free attacks.
As part of this, organizations should ensure their networks are secure “in all aspects”, including any cloud environments, says Hannah Baumgaertner, head of research at Silobreaker.
Patch management is also integral to avoiding being caught out by malware-free attacks. Ensure you regularly update software and systems, Maisonneuve advises. “Known vulnerabilities are prime targets for attackers and applying security patches significantly reduces the risk of exploitation,” he says.
Security by design
In addition, experts told ITPro that business leaders could look to implement a 'secure by design' philosophy. It’s a well-known fact that developing software and configuring systems with security as a priority “minimizes potential attack surfaces”, Maisonneuve says.
Another way to boost your defenses against malware-free attacks is multi-factor authentication (MFA), says Maisonneuve. “Passwords alone are not sufficient. MFA adds a critical layer of protection against unauthorized logins.”
Businesses can also check for credential leaks to ensure passwords haven’t got into the wrong hands. Platforms such as Have I Been Pwned allow users to verify whether their passwords have been compromised and need to be changed, says Maisonneuve.
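The credential-leak check described above can be done without sending the password anywhere. The following is an added example, not code from the article or from Have I Been Pwned: it assumes the service's Pwned Passwords range lookup (only the first five characters of the SHA-1 hash are sent, and the matching is done locally), and it uses a constructed offline stand-in (`make_offline_service`, a hypothetical helper) in place of the network call so that it runs anywhere.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password locally; only the 5-character prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """How many times the password appears in the leak data (0 = not found).

    fetch_range(prefix) returns the response body for a hash prefix. In
    production it would GET https://api.pwnedpasswords.com/range/<prefix>.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def make_offline_service(leaked):
    """Hypothetical stand-in for the remote service, built from constructed data.
    Also records every prefix it was asked for, to show what leaves the machine."""
    index, seen = {}, []
    for pw, count in leaked.items():
        prefix, suffix = split_hash(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch_range(prefix):
        seen.append(prefix)
        return "\r\n".join(index.get(prefix, []))

    return fetch_range, seen

# Constructed leak list and counts, for illustration only.
LEAKED = {"Summer2025!": 1234, "Welcome1": 98765}

if __name__ == "__main__":
    fetch, seen = make_offline_service(LEAKED)
    for candidate in ("Summer2025!", "t7#Vq-long-unique-passphrase"):
        print(candidate, "->", breach_count(candidate, fetch))
    print("prefixes sent:", seen)
```

A non-zero count means the password should be changed wherever it is used; the same check can be applied at password-set time to reject known-leaked choices.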
In the end, preventing malware-free attacks is more about basic security measures and ensuring staff are aware of the threat and ready to respond. Technology can help too, but there are very few automated options for protecting against malware-free attacks, says Andy Swift, cyber security assurance technical director at Six Degrees. “Antivirus security is of no use for this as there is no malware to detect,” he points out.
If you have the budget and resources, he advises businesses to invest in endpoint detection and response (EDR) technologies that enable experts to monitor and watch behaviour to identify inconsistencies.
Leaders can also make use of the eagle-eyed staff already in their team. Many malware-free attacks are user-initiated – for example, people might unknowingly enable an attack by following the steps on fake captcha websites that force them to copy and paste instructions into their run bar, says Swift. “This can be mitigated by educating users and by limiting what they have access to.”
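Because there is no malicious file to scan, behaviour monitoring of the kind described above works on context: which process started PowerShell, and with what arguments. The following is an added example, not taken from the article or from any EDR product: a heuristic over constructed process-creation events that flags PowerShell started from the user's desktop shell (as a pasted Run-bar command would be) with an encoded command or a hidden window. The event field names and the rule itself are assumptions.

```python
PS_IMAGES = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def flag_is(token, full_name, aliases=()):
    """True if token is a spelling PowerShell accepts for -<full_name>,
    including shortened forms such as -enc or -w."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return full_name.startswith(name) or name in aliases

def score_event(event):
    """Reasons why a PowerShell start looks like a pasted Run-bar command."""
    if basename(event["parent_image"]) != "explorer.exe":
        return []  # not started from the user's desktop shell
    if basename(event["image"]) not in PS_IMAGES:
        return []
    tokens = event["command_line"].split()
    reasons = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if flag_is(tok, "encodedcommand", aliases=("ec",)):
            reasons.append("encoded command")
        elif flag_is(tok, "windowstyle") and nxt and "hidden".startswith(nxt):
            reasons.append("hidden window")
    return reasons

def triage(events):
    """Return (event id, reasons) for every event that matched the rule."""
    return [(e["id"], r) for e in events if (r := score_event(e))]

# Constructed events; paths and command lines are illustrative placeholders.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "command_line": "powershell -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "command_line": "powershell -WindowStyle Hidden -Command <SCRIPT_PLACEHOLDER>"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "command_line": "powershell.exe -ExecutionPolicy RemoteSigned"},
    {"id": 4, "parent_image": r"C:\Program Files\Agent\agent.exe", "image": PS_PATH,
     "command_line": "powershell -enc <BASE64_PLACEHOLDER>"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(EVENTS):
        print(event_id, reasons)
```

Event 4 is deliberately left unflagged: management agents legitimately run encoded PowerShell, which is why the parent process matters and why a rule like this needs tuning against what is normal in each environment.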
Training and education are a key part of preventing adversaries getting past initial defenses, agrees Baumgaertner. “Employees should be made aware of the different phishing lures and tactics used by hackers, as these constantly change to adapt to new technologies.”
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.