StealthExec: The Most Dangerous Fileless Malware Leveraging Windows Kernel Callbacks to Evade EDRs and Exfiltrate NTLM Hashes

Executive Summary

In early 2026, a novel class of fileless malware—dubbed StealthExec—has emerged as a critical threat to enterprise environments, particularly those relying on Windows endpoints with Endpoint Detection and Response (EDR) solutions. Unlike traditional malware that drops executable files, StealthExec operates entirely in memory using Windows Kernel Callbacks, enabling it to evade both signature-based and behavioral detection mechanisms. This malware leverages undocumented kernel APIs and signed driver abuse to achieve persistence and silently exfiltrate NTLM hashes via forged HTTP requests. Our analysis reveals that StealthExec represents a paradigm shift in adversarial tradecraft, combining advanced evasion with operational stealth to compromise high-value targets. Organizations must urgently reassess their kernel-level defenses, monitor kernel callback registrations, and adopt hardware-enforced isolation (e.g., Intel TDX, AMD SEV-SNP) and memory integrity monitoring to mitigate this threat.

Key Findings

• Fileless Execution: StealthExec operates entirely in-memory by abusing Windows Kernel Callbacks, avoiding disk artifacts and conventional malware analysis tools.
• EDR Evasion: Leverages legitimate kernel components and signed drivers (e.g., via Bring Your Own Vulnerable Driver—BYOVD) to bypass EDR hooks and kernel callbacks monitoring.
• NTLM Hash Theft: Exfiltrates credentials silently via crafted HTTP(S) requests to attacker-controlled servers, masquerading as legitimate traffic.
• Persistence: Achieves persistence through registry modifications and kernel driver installation, resisting reboot termination.
• Undocumented APIs: Exploits undocumented Windows kernel functions (e.g., KeUserModeCallback, ObRegisterCallbacks) to manipulate process and thread states from user mode.
• Lateral Movement Potential: Stolen NTLM hashes can be relayed or cracked to enable domain compromise and privilege escalation.

Technical Analysis

1. Initial Infection Vector and Memory-Only Execution

StealthExec is typically delivered via a phishing email containing a malicious Office document or ISO archive. Upon user interaction, a macro or embedded script triggers the execution of a PowerShell or Mshta payload. Crucially, this payload does not write executable files to disk. Instead, it spawns a child process (e.g., svchost.exe) and injects shellcode directly into its memory space using process hollowing or reflective DLL injection.

The shellcode then registers a custom kernel callback using KeRegisterUserModeCallback—an undocumented Windows kernel routine—to intercept system events such as process creation, thread creation, and registry modification. By operating at this level, StealthExec gains visibility into system state transitions without being hooked by EDRs, which typically monitor at the user-mode API layer (e.g., NtCreateProcess).

2. Kernel Callback Abuse for Stealth Operations

StealthExec registers multiple callbacks to achieve persistence and stealth:

• PsCreateProcessNotifyRoutine: Monitors new process creation to inject into legitimate system processes (e.g., lsass.exe) without spawning new executables.
• ObRegisterCallbacks: Filters object access to hide its presence from tools like Process Explorer or Task Manager.
• CmRegisterCallbackEx: Hooks registry operations to maintain persistence by modifying HKLM\SYSTEM\CurrentControlSet\Services to load a malicious kernel driver on boot.

These callbacks are registered with minimal overhead and are not exposed via standard tools like fltmc or sc query, making detection via conventional means nearly impossible without kernel-mode instrumentation.

3. Signed Driver Abuse and BYOVD

To escalate privileges and maintain control, StealthExec exploits a Bring Your Own Vulnerable Driver (BYOVD) technique. It loads a legitimate but vulnerable kernel driver (e.g., a graphics or storage driver with known memory corruption flaws) to gain kernel-level access. Once elevated, it disables PatchGuard and Virtualization-Based Security (VBS) by patching kernel structures, enabling unfettered access to the NTLM authentication stack.

Notably, StealthExec avoids modern security features like HVCI (Hypervisor-Protected Code Integrity) by targeting older, signed drivers still present in enterprise environments due to legacy software dependencies.

4. Silent NTLM Hash Exfiltration via HTTP(S) Forgery

The primary goal of StealthExec is to extract NTLM hashes from the Local Security Authority Subsystem Service (lsass.exe). It does so by:

1. Injecting a shim into lsass.exe via the registered PsCreateProcessNotifyRoutine, hijacking the authentication flow.
2. Forcing a network authentication attempt (e.g., via net use \\attacker-server or SMB session setup) using stolen credentials.
3. Intercepting the NTLM challenge-response via a custom SSP/AP (Security Support Provider/Authentication Package) registered via SpLsaModeInitialize.
4. Transmitting the captured hashes to a command-and-control (C2) server via HTTPS POST requests that mimic legitimate API calls (e.g., to a cloud storage provider).

The exfiltration traffic is encrypted and fragmented to avoid deep packet inspection, and domains are dynamically generated using DGA (Domain Generation Algorithms) to evade blacklisting.

5. Defense Evasion Through Kernel-Level Obfuscation

StealthExec employs several advanced evasion techniques:

• Direct Kernel Object Manipulation (DKOM): Modifies kernel structures (e.g., EPROCESS, ETHREAD) to hide processes and threads from the scheduler and tools.
• Memory Cloaking: Uses page-level encryption and self-modifying code to prevent memory forensics from capturing its shellcode.
• Anti-Analysis: Detects sandbox environments by checking for kernel debugger presence, virtualization artifacts, and CPU usage patterns.

Impact Assessment

StealthExec poses an existential risk to organizations with mature EDR deployments. Its ability to:

• Bypass kernel-mode hooks and EDR agents.
• Operate without disk artifacts.
• Steal credentials used for lateral movement and privilege escalation.

...makes it a prime tool for Advanced Persistent Threats (APTs), ransomware operators, and cybercriminal syndicates targeting intellectual property, financial data, and critical infrastructure. The exfiltration of NTLM hashes enables Golden Ticket attacks if the domain controller is later compromised, leading to full domain takeover.

Recommendations

Immediate Actions

• Deploy Memory Integrity (HVCI) and enable Hypervisor-Protected Code Integrity (HVCI) on all endpoints to prevent kernel patching.
• Enable Windows Defender System Guard with Secure Boot and DMA Protection to block unsigned driver loads.
• Monitor kernel callback registrations via ETW events (Microsoft-Windows-Kernel-Callback/CallbackObjects) and alert on unexpected callbacks.
• Block unsigned kernel drivers using Windows Defender Application Control (WDAC) policies.
• Disable NTLM where possible; enforce Kerberos and enforce SMB signing to prevent relay attacks.

Architectural Improvements

• Adopt hardware-enforced memory isolation (Intel TDX, AMD SEV-SNP) for critical workloads to prevent kernel-level tampering.
• Implement behavioral AI-based monitoring at the hypervisor layer to detect anomalous kernel behavior without relying on EDR hooks.