The fileless code injection technique called TxHollower is actively being used by not just one or two but a large number of malware families in the wild. Process Doppelg..nging is a fileless variation of Process Injection technique that takes advantage of a built-in Windows function to evade detection and works on all modern versions of Microsoft Windows operating system. Researchers at enSilo discovered at least seven distinct versions of such loader used by various malware authors. The earliest sample of the loader was used in March 2018 to distribute Netwire RAT, and then later also found bundled with multiple GandCrab versions.
Source: https://thehackernews.com/2019/07/process-doppelganging-malware.html