Cyber Crucible logocybercrucible
Back to Intelligence Hub
In-Memory Attacks12 min read

A Trojan Horse in the RAM

Application whitelisting was supposed to be the answer. Instead, modern Living-off-the-Land tradecraft has turned your list of trusted processes into an attacker's target list. Here's why memory is the new battleground — and why detection has to move to the kernel.

CC
Cyber Crucible Research
Threat Intelligence · June 2026

For two decades, the security industry sold application whitelisting as a silver bullet: if only trusted, signed executables can run, malware simply never executes. The logic is clean. The problem is that attackers stopped bringing their own executables.

Modern intrusions increasingly live entirely inside the memory of processes you already trust — powershell.exe, svchost.exe, the browser, the EDR agent itself. There is no new file to scan, no signature to match, and no binary on disk to quarantine. The whitelist hasn't been bypassed. It's been recruited.

Living Off the Land

Living-off-the-Land (LotL) techniques use the operating system's own signed, trusted tooling to carry out an attack. Because every component is legitimate, telemetry-based detection sees nothing unusual: a trusted process made a trusted system call. The malicious intent lives only in the sequence and the data — in memory, at runtime.

“Signature checks the file. Behavior checks the feed. Both are forgeable above the kernel. The raw CPU instructions are not.”

Why the EDR Sees Nothing

Feed-based EDR products reconstruct behavior from operating-system telemetry: process creation events, API hooks, ETW providers. Every one of those feeds sits above the OS boundary — the exact layer attackers poison. When svchost.exe reads lsass memory and dumps credentials, the telemetry can be made to report “signature valid, behavior normal.”

// what Cyber Crucible reads at the kernel
mov rax, gs:[60h]
open lsass.exe · read process memory
syscall → dump credentials
→ SUSPENDED in <200ms · evasion impossible

Moving Detection to the Kernel

Cyber Crucible's Genetic AI runs beneath the operating system, reading raw memory and CPU instructions directly. There is no feed to forge and no file to sign. It evaluates the actual machine-level intent of a running process — and when that intent is identity theft or encryption, it suspends the process in memory in under 200 milliseconds, before a single credential leaves or a single file is locked.

The whitelist was never the problem. Trusting the layer attackers control was. Move the question from “is this file allowed?” to “what is this code actually doing right now?” — and the Trojan horse in the RAM has nowhere left to hide.

See It Stopped in Real Time.

Schedule a live technical demo and watch an in-memory attack neutralized at the kernel.

More Research