How In-Memory PE Loaders Allow Attackers to Bypass EDRs (And How to Defend)

Security researchers have demonstrated a fileless technique, a variant of the long-established reflective loading approach, that lets attackers evade endpoint detection and response (EDR) products by downloading a portable executable (PE) and executing it directly in memory.

This component, known as an in-memory PE loader, lets adversaries map and run binaries without ever writing them to disk, slipping past defenses that only inspect files.

In-Memory Execution Evades Disk-Based Defenses

File-centric EDR controls monitor filesystem activity: they scan executables when they are written to disk and hook image loads so that a binary is inspected as the Windows loader maps it.

An in-memory PE loader instead retrieves a 64-bit PE file (an executable or a DLL) from a remote location, for example a GitHub URL, and maps its headers, sections, and dependencies directly into the address space of the process hosting the loader, which from the EDR's point of view is an already approved, benign process.

The loader uses WinINet APIs such as InternetOpenUrlA and InternetReadFile to stream the payload into a byte buffer, reserves SizeOfImage bytes with VirtualAlloc, copies the headers and each section to its virtual address, applies base relocations if the allocation did not land at the preferred ImageBase, resolves the import table with LoadLibraryA and GetProcAddress, and finally sets per-section memory protections with VirtualProtect so that, for instance, .text becomes executable.

Once the image is ready, the loader jumps to the entry point (AddressOfEntryPoint for an EXE, DllMain with DLL_PROCESS_ATTACH for a DLL) and the payload runs entirely from memory.
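The mapping sequence described above, as an added worked example that is not the researchers' loader and performs no download and no execution: a pure-Python manual mapper that builds a constructed minimal PE32+ image in memory, then carries out the header copy, section copy, base relocation, and import resolution that a real loader does before VirtualProtect and the entry-point call. The image builder, the fake new_base, and the resolve callback (a stand-in for LoadLibraryA plus GetProcAddress) are assumptions for illustration; the structure offsets are the documented PE32+ layout.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_REL_BASED_DIR64 = 10
IMAGE_BASE = 0x140000000   # preferred base of the constructed sample image


def build_sample_pe64():
    """Constructed test input: a minimal PE32+ with .text (RVA 0x1000), .idata (0x2000), .reloc (0x3000)."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: AMD64, 3 sections, 240-byte optional header, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 3, 0, 0, 0, 240, 0x22)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                                # PE32+ magic
    struct.pack_into("<IIQII", img, opt + 16, 0x1000, 0x1000, IMAGE_BASE, 0x1000, 0x200)  # entry, code, base, alignments
    struct.pack_into("<II", img, opt + 56, 0x4000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x2000, 40)
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000, 12)
    for i, (name, rva, raw, flags) in enumerate([(b".text", 0x1000, 0x200, 0x60000020),
                                                 (b".idata", 0x2000, 0x400, 0xC0000040),
                                                 (b".reloc", 0x3000, 0x600, 0x42000040)]):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 240 + 40 * i, name, 0x200, rva, 0x200, raw, 0, 0, 0, 0, flags)
    # .text: RET at the entry point, an absolute pointer to the string below (needs a DIR64 fixup), the string
    img[0x200] = 0xC3
    struct.pack_into("<Q", img, 0x210, IMAGE_BASE + 0x1020)
    img[0x220:0x226] = b"hello\0"
    # .idata: one IMAGE_IMPORT_DESCRIPTOR for KERNEL32.dll; INT at RVA 0x2040, IAT at RVA 0x2060
    struct.pack_into("<IIIII", img, 0x400, 0x2040, 0, 0, 0x2080, 0x2060)
    for off in (0x440, 0x460):                     # INT and IAT both start as hint/name RVAs
        struct.pack_into("<QQQ", img, off, 0x2090, 0x20A0, 0)
    img[0x480:0x48D] = b"KERNEL32.dll\0"
    img[0x492:0x49F] = b"VirtualAlloc\0"           # WORD hint at 0x490 stays 0
    img[0x4A2:0x4B1] = b"GetProcAddress\0"
    # .reloc: one block for page 0x1000 with a single DIR64 entry at offset 0x10 plus ABSOLUTE padding
    struct.pack_into("<IIHH", img, 0x600, 0x1000, 12, (IMAGE_REL_BASED_DIR64 << 12) | 0x10, 0)
    return bytes(img)


def manual_map(pe, new_base, resolve):
    """Map a PE32+ image the way an in-memory loader does (the steps before VirtualProtect and the entry call).
    new_base stands in for the address VirtualAlloc returned; resolve(dll, func) -> address stands in for
    LoadLibraryA + GetProcAddress. Returns (image bytes, entry address, relocation count, resolved imports)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, opt_size = struct.unpack_from("<H", pe, e_lfanew + 6)[0], struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (64-bit) images are handled")
    entry_rva, _, image_base = struct.unpack_from("<IIQ", pe, opt + 16)
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, opt + 56)
    dirs = [struct.unpack_from("<II", pe, opt + 112 + 8 * i) for i in range(16)]

    # Steps 1-3: allocate SizeOfImage bytes, copy the headers, copy every section to its VirtualAddress
    image = bytearray(size_of_image)
    image[:size_of_headers] = pe[:size_of_headers]
    for i in range(nsections):
        _, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        image[va:va + raw_size] = pe[raw_ptr:raw_ptr + raw_size]

    # Step 4: base relocations; every DIR64 slot is shifted by (new_base - preferred ImageBase)
    delta, fixups = new_base - image_base, 0
    reloc_rva, reloc_size = dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC]
    pos, end = reloc_rva, reloc_rva + reloc_size
    while delta and pos < end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        for off in range(pos + 8, pos + block_size, 2):
            entry, = struct.unpack_from("<H", image, off)
            kind, slot = entry >> 12, page_rva + (entry & 0xFFF)
            if kind == IMAGE_REL_BASED_DIR64:
                val, = struct.unpack_from("<Q", image, slot)
                struct.pack_into("<Q", image, slot, (val + delta) & 0xFFFFFFFFFFFFFFFF)
                fixups += 1
            elif kind != 0:                        # type 0 (ABSOLUTE) is alignment padding
                raise ValueError(f"unsupported relocation type {kind}")
        pos += block_size

    # Step 5: imports; walk each IMAGE_IMPORT_DESCRIPTOR and overwrite its IAT with resolved addresses
    def cstr(rva):
        return image[rva:image.index(b"\0", rva)].decode()
    resolved, desc = {}, dirs[IMAGE_DIRECTORY_ENTRY_IMPORT][0]
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", image, desc)
        if name_rva == 0:
            break
        dll, k = cstr(name_rva), 0
        while (thunk := struct.unpack_from("<Q", image, (int_rva or iat_rva) + 8 * k)[0]) != 0:
            if thunk >> 63:
                raise ValueError("import by ordinal not handled")
            func = cstr(thunk + 2)                 # skip the WORD hint before the name
            resolved[(dll, func)] = addr = resolve(dll, func)
            struct.pack_into("<Q", image, iat_rva + 8 * k, addr)
            k += 1
        desc += 20
    # Steps 6-7 (VirtualProtect per section, then calling the entry point) need a live Windows host.
    return bytes(image), new_base + entry_rva, fixups, resolved
```

Calling manual_map(build_sample_pe64(), 0x7FF600000000, resolver) with a resolver that returns fake addresses yields one DIR64 fixup (the pointer at RVA 0x1010 moves from 0x140001020 to 0x7FF600001020), both IAT slots at RVA 0x2060 overwritten, and an entry address of new_base + 0x1000; mapping at the preferred base yields zero fixups and an unchanged pointer, which is exactly why a detection that only looks for relocation activity is not enough.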

Because no file touches the disk, file scanning and image-load hooks never see the payload; in the reported tests the EDR raised no alert and the host process kept running as if it were legitimate. This is a gap in file-centric telemetry rather than an absolute blind spot: the loader still makes outbound network calls, allocates private executable memory, and changes page protections, all of which a sensor can observe.

Real-World Bypass Demonstrates Practicality

In initial demonstrations, the loader was used to execute PuTTY, a widely available SSH client chosen because it is ubiquitous and because its window makes successful execution easy to see.

Researchers observed that neither Microsoft Defender XDR nor Sophos XDR detected the in-memory execution, confirming the loader's effectiveness against two widely deployed EDR platforms in that test configuration.

In response to community feedback, the experiment was expanded to include EDRSilencer, a well-known offensive tool that EDR signatures routinely flag on disk, to show that even recognized offensive security utilities can slip past protections when delivered through an in-memory loader.

Screenshots from the test environments show the payload running with no alerts or quarantine actions, highlighting a blind spot in memory-only attack detection.

Implications for Blue Teams and Red Teamers

For red team operators and penetration testers, custom in-memory PE loaders represent a powerful technique to bypass endpoint defenses and maintain stealth.

Security teams must adapt by deploying memory scanning and behavior-based analytics that watch for process injection, retrieval of PE images over the network by processes that do not normally download content, and anomalous allocations of private executable memory.

Kernel-level instrumentation (kernel callbacks and ETW providers that report thread creation, image loads, and memory-protection changes) can surface suspicious in-memory execution; hardware-backed attestation complements this by proving that the sensor and its kernel components have not been tampered with, rather than by detecting the payload itself.

Additionally, tightening application control (allow-listing) policies and auditing outbound HTTP(S) requests from critical processes, especially WinINet traffic to code-hosting sites from processes that have no reason to fetch content, can reduce the attack surface for remote payload retrieval.
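One way to turn the two recommendations above (behavioral analytics on download-then-execute sequences, and scanning for PE images in private memory) into concrete logic, as an added example rather than anything from the article or from a vendor product: a small Python correlation rule run over constructed, Sysmon/ETW-style events, plus a memory-scan heuristic that flags a non-image-backed region that begins with a valid MZ/PE header. The event schema, the 60-second window, the sample process names, and the sample region are all assumptions.

```python
import struct
from collections import defaultdict

EXEC_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
WINDOW_SECONDS = 60.0   # assumption: how long after a download later memory events are tied to it

# Constructed sample telemetry in a simplified Sysmon/ETW-like shape (not from the article's tests).
# "backed" says whether the region maps a file on disk; in-memory loaders write into private memory.
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 4120, "image": r"C:\Windows\System32\svchost.exe", "type": "net", "dst": "update.example:443"},
    {"ts": 100.5, "pid": 4120, "image": r"C:\Windows\System32\svchost.exe", "type": "alloc", "prot": "PAGE_READWRITE", "backed": False},
    {"ts": 100.7, "pid": 4120, "image": r"C:\Windows\System32\svchost.exe", "type": "protect", "prot": "PAGE_EXECUTE_READ", "backed": True},
    {"ts": 200.0, "pid": 7788, "image": r"C:\Users\u\loader.exe", "type": "net", "dst": "raw.githubusercontent.com:443"},
    {"ts": 201.2, "pid": 7788, "image": r"C:\Users\u\loader.exe", "type": "alloc", "prot": "PAGE_EXECUTE_READWRITE", "backed": False},
    {"ts": 201.3, "pid": 7788, "image": r"C:\Users\u\loader.exe", "type": "protect", "prot": "PAGE_EXECUTE_READ", "backed": False},
    {"ts": 201.4, "pid": 7788, "image": r"C:\Users\u\loader.exe", "type": "thread", "start_backed": False},
    {"ts": 900.0, "pid": 7788, "image": r"C:\Users\u\loader.exe", "type": "alloc", "prot": "PAGE_EXECUTE_READ", "backed": False},
]

# Constructed private region holding just a DOS header and PE signature, as a loader leaves it in memory.
SAMPLE_REGION = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20)


def looks_like_unbacked_pe(region: bytes, image_backed: bool) -> bool:
    """Memory-scan heuristic: a private region whose first bytes are an MZ header with e_lfanew -> 'PE\\0\\0'."""
    if image_backed or len(region) < 0x40 or region[:2] != b"MZ":
        return False
    e_lfanew, = struct.unpack_from("<I", region, 0x3C)
    return e_lfanew + 4 <= len(region) and region[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def correlate(events, window=WINDOW_SECONDS):
    """Per process: outbound fetch, then executable private memory, then a thread starting in it."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        last_net, stages = None, []
        for ev in evs:
            if ev["type"] == "net":
                last_net = ev
            elif last_net is None or ev["ts"] - last_net["ts"] > window:
                continue                                   # no recent download to tie this event to
            elif ev["type"] in ("alloc", "protect") and ev["prot"] in EXEC_PROTECTIONS and not ev["backed"]:
                stages.append(f"{ev['type']} {ev['prot']} on private memory")
            elif ev["type"] == "thread" and not ev["start_backed"]:
                stages.append("thread started in private memory")
        if stages:                                         # a download by itself is not an alert
            alerts.append({"pid": pid, "image": evs[0]["image"], "after": last_net["dst"],
                           "severity": "high" if len(stages) > 1 else "medium", "stages": stages})
    return alerts
```

Run over SAMPLE_EVENTS, correlate() returns a single high-severity alert for pid 7788 with three stages; svchost.exe is not flagged because its executable protection change is on image-backed memory, and the late allocation at ts 900 falls outside the window. The region check is deliberately strict about bounds so that a truncated or random "MZ" prefix does not produce a false positive.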

As adversaries increasingly adopt fileless methods, organizations must evolve beyond disk-centric security models.

The in-memory PE loader underscores the necessity of comprehensive visibility into both filesystem and memory operations.

Only by closing these detection gaps can defenders stay ahead of advanced threat actors who continually refine techniques to outsmart conventional EDR solutions.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
