{
	"id": "baefbe99-cd34-441d-b341-181b20615fec",
	"created_at": "2026-04-06T00:22:21.551173Z",
	"updated_at": "2026-04-10T03:21:52.28799Z",
	"deleted_at": null,
	"sha1_hash": "dc29f91b48b776e9efeb9fd8d073b911b3f2560d",
	"title": "Reflective Loading Runs Netwalker Fileless Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65131,
	"plain_text": "Reflective Loading Runs Netwalker Fileless Ransomware\r\nBy Karen Victor May 18, 2020 Read time: 5 min (1290 words)\r\nPublished: 2020-05-18 · Archived: 2026-04-05 15:38:43 UTC\r\nThreat actors are continuously creating more sophisticated ways for malware to evade defenses. We have observed Netwalker ransomware attacks that involve malware that is not compiled, but written in PowerShell and executed directly in memory, without storing the actual ransomware binary on disk. This makes this ransomware variant a fileless threat, enabling it to maintain persistence and evade detection by abusing tools that are already in the system to initiate attacks.\r\nThis type of threat leverages a technique called reflective dynamic-link library (DLL) injection, also referred to as reflective DLL loading. The technique allows the injection of a DLL from memory rather than from disk. This technique is stealthier than regular DLL injection because, aside from not needing the actual DLL file on disk, it also does not need the Windows loader for it to be injected. This eliminates the need for registering the DLL as a loaded module of a process, allowing evasion of DLL load monitoring tools. Recently, we have witnessed threat actors using this technique to deploy ColdLock ransomware. Now, we have seen the same attack using a filelessly executed Netwalker ransomware. The payload begins with a PowerShell script detected as Ransom.PS1.NETWALKER.B.\r\nAnalysis of the PowerShell Script\r\nFigure 1. Overview of the PowerShell script’s behavior\r\nThe script hides under multiple layers of encryption, obfuscation, and encoding techniques. For this sample, we were able to reveal three layers of code. The top-most layer executes a base64-encoded command.\r\nFigure 2. Code snippet of the top-most layer of code (base64-encoded command)\r\nDecoding this will expose the next layer of code, which is hexadecimal-encoded and XOR-encrypted.\r\nFigure 3. Second layer of code (hexadecimal-encoded and XOR-encrypted)\r\nDecoding and decrypting will then reveal the main script, which is still quite obfuscated, making the content more difficult for analysts to decipher.\r\nFigure 4. Code snippet of the obfuscated main script\r\nThe file reflectively injects a ransomware DLL into the memory of the legitimate running process explorer.exe. The ransomware is embedded in the script in hex format.\r\nFigure 5. Ransomware binaries embedded in the script in hex format\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/\r\nPage 1 of 5\r\nTaking the binaries out of the script and decoding them will result in two DLLs: one is an x86 version (for 32-bit OS) of the ransomware, while the other is the x64 version (for 64-bit OS).\r\nIt uses the following part of the script to determine the environment it is running on so that it can set the DLL version to use:\r\nFigure 6. Script that determines what environment the ransomware is running on\r\nTo successfully perform reflective injection, it first locates the API addresses of the functions it needs from kernel32.dll:\r\nFigure 7. Ransomware collecting API addresses from kernel32.dll\r\nThen it uses the following functions to set up accurate memory address calculations:\r\nFigure 8. Functions for setting up memory calculations\r\nFigure 9. Code snippet for computing the needed memory addresses\r\nIn this manner, the script itself acts as the DLL’s own custom loader. This eliminates the need for the traditional Windows loader, which usually makes use of the LoadLibrary function. The script itself can compute and resolve the memory addresses and relocations it needs to load the DLL correctly.\r\nIt then specifies the process it will inject into; in this case, it searches for the running Windows Explorer process.\r\nFigure 10. Code snippet for searching for the running Windows Explorer process\r\nAfterwards, it will write and execute the ransomware DLL in the memory space of explorer.exe through the following code:\r\nFigure 11. Code snippet of writing the ransomware DLL code into memory\r\nFinally, it deletes Shadow Volume Copies to prevent the victim from using Shadow Volumes to recover their encrypted files.\r\nFigure 12. Code snippet for deleting Shadow Volume Copies\r\nThis sample appears to have been derived from PowerSploit’s Invoke-Mimikatz module, an open source program that was originally intended to reflectively load Mimikatz completely in memory for stealthy credential dumping.\r\nAnalysis of the Fileless Ransomware\r\nThis variant of Netwalker is similar to its predecessors in terms of behavior. It renames encrypted files using 6 random characters as the extension:\r\nFigure 13. Encrypted files renamed using 6 random characters as extension\r\nIt drops ransom notes in various folders in the system and opens one after it has encrypted the data and documents of the victim. As with usual ransomware, it does this to extort money from the victim in exchange for the decryption of their files.\r\nFigure 14. Netwalker ransom note\r\nIt adds the following registry entry. Adding this entry is a known behavior of Netwalker:\r\nHKEY_CURRENT_USER\\SOFTWARE\\{8 random characters}\r\n{8 random characters} = {Hex values}\r\nFigure 15. Sample registry entry added by Netwalker\r\nThe ransomware terminates some processes and services, some of which are related to backup software and data-related applications. It likely does this in an attempt to debilitate any efforts the victim may take to perform backup and recovery operations after the ransomware attack.\r\nBelow are some examples of services terminated by the ransomware (for the full list of services, please see this report):\r\n*backup*\r\n*sql*\r\nAcronisAgent\r\nARSM\r\nserver Administrator\r\nShadowProtectSvc\r\nwbengine\r\nThe ransomware also stops security software-related processes to evade detection and termination of its malicious activities.\r\nAdditionally, it also terminates processes relating to user data and documents, as well as software for creating backups. Then it will proceed to encrypt files created through those applications.\r\nExample processes terminated by the ransomware (for the full list of processes, please see this report):\r\n*sql*\r\nexcel.exe\r\nntrtscan.exe\r\npowerpnt.exe\r\nwbengine*\r\nwinword.exe\r\nwrsa.exe\r\nNetwalker mainly targets common user files during its encryption routine, such as Office documents, PDFs, images, videos, audio, and text files, among others. Other than that, it apparently doesn’t want to render the system completely useless, since it generally avoids encrypting any critical files, executables, dynamic link libraries, registries, or other system-related files.\r\nConclusions and Recommendations\r\nIt appears that attackers are now adding reflective DLL injection into their ransomware arsenal in an attempt to make their attacks untraceable and more difficult for security analysts to investigate. Ransomware in itself poses a formidable threat for organizations. As a fileless threat, the risk is increased as it can more effectively evade detection and maintain persistence. Blended threats such as this make use of multiple techniques, making it necessary for organizations to use various layers of security technologies to effectively protect their endpoints, such as security solutions that employ behavior monitoring and behavior-based detections.\r\nThese types of attacks can affect victims tremendously, and they can be painstakingly difficult to recover from. Employing adequate preventive measures, such as applying best practices, will greatly minimize the risk of infection. Here are some of our recommendations to help avoid ransomware attacks:\r\nRegularly back up critical data to mitigate the effects of a ransomware attack.\r\nApply the latest software patches from OS and third-party vendors.\r\nExercise good email and website safety practices.\r\nFor employees, alert the IT security team of potentially suspicious emails and files.\r\nImplement application whitelisting on your endpoints to block all unknown and unwanted applications.\r\nRegularly educate employees on the dangers of social engineering.\r\nBelow are some of our recommendations to protect systems from fileless threats:\r\nSecure PowerShell use by taking advantage of its logging capability to monitor suspicious behavior.\r\nUse PowerShell commands such as ConstrainedLanguageMode to secure systems from malicious code.\r\nConfigure system components and disable unused and outdated ones to block possible entry points.\r\nNever download and execute files from unfamiliar sources.\r\nWe also recommend security solutions that utilize behavior monitoring that can work against these types of threats:\r\nTrend Micro Apex One™ - Features behavioral analysis that protects against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless threats.\r\nIndicator of Compromise\r\nSHA-256: f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be\r\nTrend Micro Pattern Detection: Ransom.PS1.NETWALKER.B\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/"
	],
	"report_names": [
		"netwalker-fileless-ransomware-injected-via-reflective-loading"
	],
	"threat_actors": [],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc29f91b48b776e9efeb9fd8d073b911b3f2560d.pdf",
		"text": "https://archive.orkl.eu/dc29f91b48b776e9efeb9fd8d073b911b3f2560d.txt",
		"img": "https://archive.orkl.eu/dc29f91b48b776e9efeb9fd8d073b911b3f2560d.jpg"
	}
}