Attackers Bypass EDR by Using In-Memory PE Loaders Delivered via Malicious Downloads
Security researchers have discovered a wave of attacks that use in-memory PE loaders to slip past endpoint detection and response (EDR) systems.
In these incidents, threat actors deliver a small downloader to victims via malicious links or attachments.
Once executed, the downloader fetches a full Portable Executable (PE) file from a remote server and maps it directly into the memory of a trusted process.
This technique allows the payload to run without ever touching disk, making it extremely difficult for traditional antivirus and EDR tools to detect or block the attack.
How In-Memory PE Loaders Work
In-memory PE loaders take advantage of legitimate operating system functions to download and execute code entirely in memory.
First, an initial stub uses WinInet or similar APIs to retrieve the malicious payload from a URL controlled by attackers.
The stub then allocates a region of virtual memory inside a running, EDR-approved process and copies over the raw bytes of the downloaded EXE.
Next, it parses the PE headers, maps each section into its proper virtual address, and fixes up imports and relocations so the code can run correctly.
After setting the proper memory protections for each section, such as marking code pages executable, the loader jumps to the payload’s entry point and hands control over to the malicious code.
This entire flow leaves no malicious executable on disk, bypassing detection based on file scans or filesystem activity.
Even advanced EDR systems that monitor process creation and memory behavior often miss or misclassify these steps, because the initial stub appears benign and the main payload runs inside a trusted process.
According to the report, recent campaigns have delivered these in-memory loaders through weaponized email attachments, fake software updates, and compromised websites.
Victims are tricked into launching a seemingly harmless downloader that is only a few kilobytes in size.
That small file then pulls a much larger PE payload (often custom tools, remote access trojans, or credential stealers) from a cloud storage link or GitHub repository.
Because the payload is never written to disk, forensic investigators can struggle to find evidence of the attack after the fact.
In one documented case, attackers used a loader to fetch a remote administration tool disguised as a popular utility.
The tool was injected into a legitimate process, allowing the threat actors to move laterally within the network and steal sensitive data.
Organizations relying solely on signature-based defenses found their endpoints compromised before they could respond.
Defenders can improve detection of in-memory PE loaders by combining multiple telemetry sources.
Monitoring for unusual API calls such as VirtualAlloc, WriteProcessMemory, and VirtualProtect can reveal code injection attempts.
Anomaly detection that tracks unexpected network connections from user processes may also flag suspicious download activity.
Employing memory integrity checks and endpoint behavior analytics can help spot these covert loaders in real time.
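As an added illustration of the telemetry correlation described above (not code from the article or any vendor), the following script scans constructed API-call events and flags a process that performs a WinInet download, allocates a private region with VirtualAlloc, and then flips that same region to an executable protection with VirtualProtect. The event format, image names, and addresses are all assumed sample data; it covers the single-process case only.

```python
"""Toy detection for the in-memory PE loader pattern the article describes:
a process that downloads data with WinInet and then turns a fresh private
region executable (VirtualAlloc -> VirtualProtect with an execute flag).
Input format and sample lines are constructed; real EDR telemetry differs."""
import re
from collections import defaultdict

# Constructed telemetry: "<pid> <image> <api> <key=value ...>"
SAMPLE_EVENTS = """\
4120 outlook.exe InternetOpenUrlA url=https://example.invalid/update.bin
4120 outlook.exe VirtualAlloc addr=0x1f0000 size=0x38000 prot=PAGE_READWRITE
4120 outlook.exe VirtualProtect addr=0x1f0000 size=0x9000 prot=PAGE_EXECUTE_READ
4120 outlook.exe CreateThread start=0x1f1200
5210 chrome.exe InternetOpenUrlA url=https://example.invalid/page
5210 chrome.exe VirtualAlloc addr=0x5a0000 size=0x1000 prot=PAGE_READWRITE
3001 svchost.exe VirtualAlloc addr=0x7e0000 size=0x2000 prot=PAGE_READWRITE
3001 svchost.exe VirtualProtect addr=0x7e0000 size=0x2000 prot=PAGE_READONLY
"""

DOWNLOAD_APIS = {"InternetOpenUrlA", "InternetOpenUrlW", "InternetReadFile",
                 "HttpSendRequestA", "HttpSendRequestW", "URLDownloadToFileW"}
EXEC_PROTS = re.compile(r"PAGE_EXECUTE")

def parse_event(line):
    """Split one constructed event line into (pid, image, api, {arg: value})."""
    pid, image, api, *kv = line.split()
    args = dict(item.split("=", 1) for item in kv)
    return int(pid), image, api, args

def find_inmemory_loaders(text):
    """Return {pid: image} for processes that fetched data over the network,
    allocated a private region, and later made that same region executable."""
    downloaded = set()                 # pids seen calling a WinInet/URLMon API
    allocated = defaultdict(set)       # pid -> base addresses from VirtualAlloc
    hits = {}
    for line in text.splitlines():
        pid, image, api, args = parse_event(line)
        if api in DOWNLOAD_APIS:
            downloaded.add(pid)
        elif api == "VirtualAlloc":
            allocated[pid].add(args.get("addr"))
        elif api == "VirtualProtect" and EXEC_PROTS.search(args.get("prot", "")):
            # RW -> RX flip on a region this process allocated itself, after a download
            if pid in downloaded and args.get("addr") in allocated[pid]:
                hits[pid] = image
    return hits

if __name__ == "__main__":
    for pid, image in find_inmemory_loaders(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image}: download then RW->RX on own allocation")
```

Only outlook.exe (pid 4120) trips the rule; chrome.exe downloads without making memory executable and svchost.exe changes protection to read-only, so neither matches. A production rule would also correlate WriteProcessMemory targets so that a stub injecting into a separate trusted process is caught.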
To harden defenses, organizations should enforce strict application allowlists, deploy memory-scanning tools capable of inspecting live processes, and segment sensitive environments to limit lateral movement.
Regular threat hunting exercises that simulate in-memory attacks will increase visibility and prepare teams to respond swiftly.
Keeping EDR solutions updated with the latest detection rules for file-less techniques is also essential.