Traditionally, malware attacks as we have always known them are files written to disk in one form or another that require execution in order to carry out their malicious scope. Fileless malware, on the other hand, is intended to be memory resident only, ideally leaving no trace after its execution. The malicious payload exists dynamically and purely in RAM, which means nothing is ever written directly to the HD.

The purpose of all this for the attacker is to make post-infection forensics difficult. In addition, this form of attack makes it nearly impossible for antivirus signatures to trigger a detection. In some specific cases, as with SamSam, the only way to even retrieve a sample to analyze would be to catch the attack happening live. This is one of the biggest challenges when dealing with fileless malware.