“I can’t,” Maya said, her voice steady. “It’s memory-only. The old SEP would’ve missed it entirely. But 14.3 RU7 has a new feature—LiveShell Response. It can inject a reverse micro-firewall into the compromised process without killing it. We can isolate the thread, let it think it’s communicating, and trace the C2.”
Maya’s heart went cold. No file meant no backup. No quarantine. The malware wasn’t installed—it was running, living in the space between Angela’s logged-off session and the machine’s idle heartbeat.
The console was new. They’d only pushed (Release Update 7) to the production environment three days ago. The vendor promised it was their “most resilient AI-driven kernel” yet. Management had approved the update for one reason: the new Advanced Machine Learning engine could detect fileless malware before it even touched RAM.
Workstation WS-ACCT-09 (Angela Cortez, Junior Accountant – left at 6:02 PM)
Target: Domain Controller DC-01
Payload type: Memory-only reflective DLL. No write. No file. No signature.
Then, Screen 4 blinked.