Threat actors continue to develop more sophisticated ways for malware to evade defenses. Researchers have observed Netwalker's use of reflective loading techniques and its move to fileless execution. The infection begins with a heavily obfuscated and encrypted PowerShell script. Once decoded and de-obfuscated, the script checks the system architecture to determine whether the 32-bit or 64-bit binary should be used. The selected binary, embedded in the PowerShell script as a hex string, is decoded and injected into the memory of the legitimate explorer.exe process, so the ransomware payload is never written to disk as a standalone executable. The script also deletes Volume Shadow Copies to prevent file recovery.

The Netwalker payload itself operates similarly to previous versions. It first terminates processes and services associated with user documents, backup software, and anti-virus products so that the files they hold open can be encrypted. It targets user files while avoiding critical system files, so as not to render the system unusable. Finally, it encrypts the targeted files and drops a ransom note with instructions for paying the ransom in exchange for decryption.
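Because the loader never drops a file, the most useful telemetry is the decoded script itself, which PowerShell Script Block Logging (Event ID 4104) records. The following is an added detection example, not code from the original report or from any vendor, that scores logged script blocks for the combination of behaviours described above: an architecture check, a long hex string that decodes to a PE ("MZ") header, a reference to explorer.exe as an injection target, and Volume Shadow Copy deletion. The three script blocks are constructed samples; the "PE" inside the first is only an MZ header stub, not a real binary. The indicator regexes and weights are this example's own assumptions, not published Netwalker signatures.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a 16-byte DOS-header prefix ("MZ" + stub) padded to 64 bytes.
# It is not a real PE file; it only exercises the "hex blob decodes to MZ" check.
FAKE_PE_HEX = "4d5a90000300000004000000ffff0000" + "00" * 48

# Constructed Event ID 4104 script-block texts, as they would read after decoding.
SAMPLE_SCRIPT_BLOCKS = [
    # 1) Loader shape described on the page: arch check, embedded hex PE,
    #    explorer.exe as target, shadow copy deletion (benign stub, nothing runs).
    """
    if ([IntPtr]::Size -eq 8) { $b = '%s' } else { $b = '%s' }
    $bytes = [byte[]]::new($b.Length / 2)
    for ($i = 0; $i -lt $b.Length; $i += 2) { $bytes[$i/2] = [Convert]::ToByte($b.Substring($i, 2), 16) }
    $p = Get-Process explorer
    Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }
    """ % (FAKE_PE_HEX, FAKE_PE_HEX),
    # 2) Ordinary admin script: an architecture check on its own is not suspicious.
    "if ([Environment]::Is64BitOperatingSystem) { Write-Host '64-bit' }",
    # 3) Backup housekeeping: shadow copy deletion alone scores but does not alert.
    "vssadmin delete shadows /for=C: /oldest",
]

# Assumed indicator patterns and weights (example heuristics, not vendor signatures).
INDICATORS = {
    "arch_check": (re.compile(r"\[IntPtr\]::Size|Is64Bit(Process|OperatingSystem)", re.I), 1),
    "explorer_target": (re.compile(r"Get-Process\s+explorer\b|explorer\.exe", re.I), 1),
    "vss_delete": (re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|Win32_Shadowcopy.*?Delete\(\)|wmic\s+shadowcopy\s+delete",
        re.I | re.S), 2),
}
HEX_RUN = re.compile(r"[0-9a-fA-F]{64,}")   # long hex runs: candidate embedded binaries
EMBEDDED_PE_WEIGHT = 3
ALERT_THRESHOLD = 5


@dataclass
class Finding:
    score: int = 0
    hits: list = field(default_factory=list)


def score_script_block(text: str) -> Finding:
    """Score one logged script block; a high score means several loader traits co-occur."""
    finding = Finding()
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            finding.hits.append(name)
            finding.score += weight
    # Decode each long hex run and look for a PE header rather than trusting length alone.
    for run in HEX_RUN.findall(text):
        if len(run) % 2:
            run = run[:-1]           # odd-length run: drop the trailing nibble before decoding
        if bytes.fromhex(run)[:2] == b"MZ":
            finding.hits.append("embedded_pe_hex")
            finding.score += EMBEDDED_PE_WEIGHT
            break
    return finding


def alerting_blocks(blocks, threshold: int = ALERT_THRESHOLD) -> list:
    """Return indices of script blocks whose combined score reaches the alert threshold."""
    return [i for i, text in enumerate(blocks) if score_script_block(text).score >= threshold]


if __name__ == "__main__":
    for i, block in enumerate(SAMPLE_SCRIPT_BLOCKS):
        f = score_script_block(block)
        print(f"block {i}: score={f.score} hits={f.hits}")
    print("alerting:", alerting_blocks(SAMPLE_SCRIPT_BLOCKS))
```

The scoring deliberately requires co-occurrence: shadow copy deletion or an architecture check each appear in legitimate administration, so neither alerts alone, whereas a hex blob that decodes to an MZ header next to a shadow copy wipe and an explorer.exe reference is the loader shape the report describes. In production the same logic would run over 4104 events pulled from the Microsoft-Windows-PowerShell/Operational log rather than the inline samples.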