With the emergence of remote code execution (RCE) vulnerabilities in ubiquitous libraries and advanced social engineering techniques, threat actors have started conducting widespread fileless cryptojacking attacks. These attacks have become effective with stealthy techniques based on PowerShell-based exploitation in Windows OS environments. Even if attacks are detected and malicious scripts removed, processes may remain operational on victim endpoints, creating a significant challenge for detection mechanisms. In this paper, we conducted an experimental study with a collected dataset on detecting PowerShell-based fileless cryptojacking scripts. The results showed that Abstract Syntax Tree (AST)-based fine-tuned CodeBERT achieved a high recall rate, proving the importance of the use of AST integration and fine-tuned pre-trained models for programming language.
@article{arxiv.2602.18285,
title = {Detecting Fileless Cryptojacking in PowerShell Using AST-Enhanced CodeBERT Models},
author = {Said Varlioglu and Nelly Elsayed and Murat Ozer and Zag ElSayed and John M. Emmert},
journal= {arXiv preprint arXiv:2602.18285},
year = {2026}
}