Process hollowing definition

Process hollowing is a code injection method that replaces parts of the code in a legitimate process without changing how it appears to work. To an outside observer, the process executes as normal, while in reality it is running malicious code. Piggybacking on legitimate processes lets attackers evade detection.

Process hollowing works by creating a new process in a suspended state, replacing its code and memory with malicious content, and resuming its execution. In most cases, process hollowing attacks propagate via malicious links in phishing emails, which make the user’s device download the malware that will hollow out legitimate processes.

See also: code injection, command injection, cyberattack

Stopping process hollowing attacks

• Never open unverified links in email messages, whether they come from friends or strangers.
• Be wary of downloading files from unverified sources.
• Restrict file sharing on devices within your organization.
• Set up firewalls to filter out potentially dangerous online traffic.
• Get a reliable antivirus and run regular malware scans on your devices.
• Update software with the latest security patches.
• Do not click on pop-ups in your browser claiming that your computer is infected.
• Use NordVPN’s Threat Protection feature to scan files for malware while they’re being downloaded.

Further reading