The payload is injected directly into the process used for the exploitation (in our case iexplore.exe) as a new thread (instead of being a file dropped on disk). Memory-only attacks: it is easier to detect a piece of malware on disk than one hiding in memory. Traditional security solutions will detect the malicious payload on disk or perhaps in memory, after an exploitation has already happened. In the second part of this analysis, the attackers are hooking into an API that guarantees that the process survives when the user closes the application.
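Added example (not from the original analysis): because the payload described above runs as a thread with no file behind it, one defensive check is to flag threads whose start address lies outside image-backed memory. The `Region` and `Thread` records and every address below are constructed for illustration; the `MEM_*` and page-protection values are the standard Windows constants.

```python
from dataclasses import dataclass

MEM_PRIVATE = 0x20000      # anonymous allocation, no file behind it
MEM_IMAGE = 0x1000000      # region mapped from a PE file on disk
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80   # the four PAGE_EXECUTE* protections

@dataclass
class Region:
    base: int
    size: int
    mem_type: int
    protect: int
    mapped_file: str = ""

@dataclass
class Thread:
    tid: int
    start_address: int

def region_for(address, regions):
    """Return the region containing address, or None."""
    for r in regions:
        if r.base <= address < r.base + r.size:
            return r
    return None

def suspicious_threads(threads, regions):
    """Return (tid, reason) for threads that do not start in image-backed code."""
    findings = []
    for t in threads:
        r = region_for(t.start_address, regions)
        if r is None:
            findings.append((t.tid, "start address outside any known region"))
        elif r.mem_type != MEM_IMAGE:
            kind = "executable" if r.protect & EXEC_MASK else "non-executable"
            findings.append((t.tid, f"starts in {kind} non-image memory"))
    return findings

# Constructed snapshot of one iexplore.exe process (all values are made up).
SAMPLE_REGIONS = [
    Region(0x00D20000, 0x000C0000, MEM_IMAGE, 0x20, "iexplore.exe"),
    Region(0x6A100000, 0x01200000, MEM_IMAGE, 0x20, "mshtml.dll"),
    Region(0x03A00000, 0x00100000, MEM_PRIVATE, 0x04),   # ordinary RW heap
    Region(0x0A2F0000, 0x00010000, MEM_PRIVATE, 0x40),   # private RWX allocation
]
SAMPLE_THREADS = [
    Thread(4312, 0x00D21A30),   # starts inside iexplore.exe
    Thread(5120, 0x6A1F4410),   # starts inside mshtml.dll
    Thread(6604, 0x0A2F0040),   # starts inside the private RWX region
]

if __name__ == "__main__":
    for tid, reason in suspicious_threads(SAMPLE_THREADS, SAMPLE_REGIONS):
        print(f"thread {tid}: {reason}")
```

On a live system the records would come from `VirtualQueryEx` and each thread's Win32 start address. A hit is a triage signal to investigate, not a verdict.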