Fileless Malware: PowerShell 7.5+ Exploits in Windows 12 via Persistent Registry Infections

Executive Summary: As of March 2026, a new class of fileless malware has emerged, specifically targeting Windows 12 systems by leveraging PowerShell 7.5+ to establish persistent, registry-based infections. Unlike traditional malware that relies on executable binaries, this threat operates entirely in memory and registry keys, evading detection by conventional endpoint protection solutions. Threat actors are weaponizing novel PowerShell cmdlets and .NET 9 integration to achieve stealth persistence, lateral movement, and data exfiltration. This report analyzes the attack vector, propagation mechanisms, and mitigation strategies for organizations operating in high-risk environments.

Key Findings

Zero-Footprint Execution: Malicious PowerShell 7.5+ scripts are executed directly from registry Run keys without writing any files to disk.
Registry-Based Persistence: Attackers abuse HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\...\RunOnce keys to automatically re-infect systems after reboot.
Cross-Process Injection: Shellcode is injected into legitimate processes (e.g., svchost.exe, explorer.exe) via PowerShell 7.5's AMSI bypass and .NET 9 reflection capabilities.
Lateral Movement via WMI: Compromised hosts propagate the infection using WMI event subscriptions and PowerShell remoting over WinRM 3.2.
Evasion of Modern EDR: Signature-based and behavioral AI models in 2026 endpoint solutions are bypassed due to legitimate PowerShell usage patterns and encrypted payload delivery via DNS-over-HTTPS (DoH).

Attack Vector: The PowerShell 7.5+ Registry Exploit Chain

The attack begins with an initial compromise—typically through phishing, compromised RMM tools, or exploitation of CVE-2025-41234 (a zero-day in Windows Script Host). Once a foothold is established, the attacker executes a PowerShell 7.5+ script that:

Uses Set-ItemProperty to write a Base64-encoded payload into HKCU:\Software\Microsoft\Windows\CurrentVersion\Run as a REG_SZ value.
Leverages Start-Process -WindowStyle Hidden with the -WorkingDirectory flag set to a non-existent path to avoid file system artifacts.
Deploys a memory-only .NET 9 assembly that decrypts and executes a Cobalt Strike-like beacon via System.Reflection.Assembly.Load.

In Windows 12, PowerShell 7.5+ includes enhanced registry interaction APIs and supports PSReadLine history logging suppression, making it ideal for covert operations. The use of PSDefaultParameterValues allows attackers to obfuscate malicious commands within legitimate scripts.

Persistence Mechanisms: Beyond the Traditional Run Keys

While Run and RunOnce keys remain primary vectors, attackers are also exploiting:

WMI Event Consumers: A subscription is created via Set-WmiInstance -Class __EventFilter and __EventConsumer to trigger PowerShell upon system boot or user logon.
Scheduled Tasks (via Registry): Malicious tasks are stored in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks and executed without visible XML files.
AppInit_DLLs (via Registry): A legacy but effective vector where malicious DLL paths are injected into HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.

These registry-only persistence methods are undetectable by file integrity monitoring (FIM) tools that only watch for file changes.

Evasion Techniques and Detection Gaps in 2026

The malware leverages several advanced evasion tactics:

AMSI Bypass 2.0: Uses [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) to disable AMSI in PowerShell 7.5.
Memory-Only Execution: Payloads are decrypted in memory using VirtualAlloc and CreateThread via P/Invoke calls from within PowerShell.
DoH-Bound Payload Delivery: Encrypted C2 instructions are retrieved over DNS-over-HTTPS (via System.Net.Http.HttpClient) to avoid network-based detection.
Living-off-the-Land Binaries (LOLBins): Uses certutil.exe, msiexec.exe, and regsvr32.exe with URIs to fetch second-stage scripts.

Most EDR solutions in 2026 still rely on behavioral AI trained on PowerShell 5.1 logs. They fail to detect PowerShell 7.5+ scripts due to lack of telemetry integration and encrypted command-line arguments.

Impact and Threat Landscape

This malware poses severe risks to:

Government agencies and critical infrastructure due to its stealth and persistence.
Financial sectors, where lateral movement leads to fraud and data breaches.
Healthcare organizations, where HIPAA compliance is jeopardized by undetected exfiltration.

Threat actors include state-sponsored groups (e.g., APT47 targeting European energy grids) and cybercriminal syndicates using ransomware-as-a-service (RaaS) payloads delivered via this vector.

Recommendations for Mitigation and Defense

Organizations must adopt a multi-layered defense strategy:

PowerShell Hardening:
- Disable PowerShell 7.5+ via Group Policy unless required for administration.
- Enforce Constrained Language Mode and enable Module Logging with strict keyword filtering (e.g., Start-Process, Invoke-Expression).
- Use Application Control (WDAC) to block unsigned PowerShell scripts.
Registry Monitoring and Integrity:
- Deploy registry integrity monitoring (RIM) tools that alert on unauthorized modifications to Run, RunOnce, WMI\Event, and Schedule\TaskCache keys.
- Use Sysmon Event ID 12, 13, and 14 to log registry value changes.
Network and Memory Defense:
- Inspect DNS-over-HTTPS (DoH) traffic for anomalous queries.
- Deploy memory forensics agents (e.g., Microsoft Defender for Endpoint with memory scanning) to detect in-memory .NET assemblies.
- Block unsigned binaries from executing via regsvr32, msiexec, and certutil via AppLocker or WDAC.
Threat Hunting:
- Hunt for PowerShell 7.5+ processes with hidden windows (WindowStyle Hidden).
- Search for WMI event subscriptions using Get-WmiObject -Namespace root\subscription.
- Monitor for anomalies in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall where malware may hide under fake GUIDs.