Fileless Malware Loader (PowerShell)
Version v2.0
Difficulty Intermediate
Updated 2025-03-25
Category Malware Development

$34.99

Fileless Loader — PowerShell In-Memory Execution

PowerShell script that implements in-memory loading and execution of .NET assemblies and shellcode without writing to disk:

  • Reflection Loading — Loads .NET assemblies directly from byte arrays using System.Reflection, bypassing application whitelisting.
  • Shellcode Runner — Allocates RWX memory via VirtualAlloc, copies shellcode, and executes via delegate invocation.
  • Download Cradle — Multiple download methods (WebClient, Net.Http, BITS, certutil decode) with fallback chain.
  • AMSI Evasion — Runtime AMSI patching techniques applied before payload execution.
  • ETW Bypass — Patches EtwEventWrite to disable .NET event tracing that EDRs monitor.