Abstract
This study provides a comprehensive examination of AtomBombing, a stealthy fileless code injection technique that leverages the Windows Global Atom Table for covert payload storage and execution. Unlike traditional injection strategies that rely on memory manipulation or file-based artifacts, AtomBombing avoids direct memory writes and operates entirely through legitimate Windows APIs, making it exceptionally evasive against modern endpoint detection and response (EDR) tools. Through our proof-of-concept (PoC) implementations, we demonstrate how adversaries could exploit atom-based payload fragmentation, double-layer encoding, and time-based triggers to execute malicious tasks while minimizing forensic visibility. Building on those PoCs, we introduce ABOMB-FOD, a 1.2 MB multistage loader that survives reboots, bypasses User Account Control, and still fits comfortably within the Atom Table capacity limit ($\leq 65{,}535$ entries $\times$ 255 B $\approx$ 16 MB). The AtomBombing Process Orchestrator illustrates the ability to securely store encrypted payloads and orchestrate parallel execution using PowerShell, while the Atom Table Backdoor showcases persistent command-and-control behavior activated under specific system conditions. Our findings underscore the inadequacy of current security solutions in monitoring Atom Table interactions: the critical API functions remain largely overlooked in behavioral analysis, despite their potential for stealthy data injection. Consistent with this blind spot, our evaluation confirms that standard defenses, including Windows Defender with cloud protection enabled, fail to detect or flag AtomBombing activity, even while ABOMB-FOD or other payloads are executing and network interactions are in progress.
We note that a straightforward heuristic, such as flagging any process that issues more than a certain number of GlobalAddAtomW invocations (e.g., 500) within a short time window (e.g., one minute) and stores high-entropy data, can be effective in identifying candidates for further investigation.
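The heuristic above, implemented over a constructed API-call trace as an added example (not code from the paper): a per-process sliding window counts GlobalAddAtomW calls whose atom string is high-entropy, using the paper's thresholds of 500 calls in one minute. The entropy cutoff, the minimum string length (short window-class names score high per-character entropy by chance), and the event tuple format are assumptions made for this example.

```python
import base64
import hashlib
import math
from collections import defaultdict, deque

# Thresholds from the paper's heuristic; the entropy cutoff and minimum
# length are assumptions chosen for this example.
CALL_THRESHOLD = 500      # more than this many suspicious calls per process ...
WINDOW_SECONDS = 60.0     # ... within this sliding window triggers a flag
ENTROPY_CUTOFF = 4.0      # bits per character (assumed cutoff)
MIN_LENGTH = 32           # short names score high entropy by chance (assumed)

def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_high_entropy(data, cutoff=ENTROPY_CUTOFF, min_len=MIN_LENGTH):
    return len(data) >= min_len and shannon_entropy(data) >= cutoff

def flag_atom_abusers(events, threshold=CALL_THRESHOLD, window=WINDOW_SECONDS):
    """events: iterable of (ts_seconds, pid, api_name, atom_string), time-ordered.
    A pid is flagged once it issues more than `threshold` GlobalAddAtomW calls
    carrying high-entropy data within any `window` seconds."""
    recent = defaultdict(deque)   # pid -> timestamps of suspicious calls
    flagged = set()
    for ts, pid, api, data in events:
        if api != "GlobalAddAtomW" or not is_high_entropy(data):
            continue
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > window:   # drop calls that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(pid)
    return flagged

def constructed_events():
    """Constructed trace: pid 4242 stores 600 encoded chunks in 30 s (suspicious),
    pid 2000 stores 600 chunks over 600 s (slow), pid 1000 registers plain names."""
    def chunk(i):
        raw = b"".join(hashlib.sha256(f"{i}:{k}".encode()).digest() for k in range(3))
        return base64.b64encode(raw).decode()   # 128 chars, under the 255-byte atom limit
    events = [(i * 0.05, 4242, "GlobalAddAtomW", chunk(i)) for i in range(600)]
    events += [(i * 1.0, 2000, "GlobalAddAtomW", chunk(i)) for i in range(600)]
    events += [(i * 1.0, 1000, "GlobalAddAtomW", "Button") for i in range(50)]
    return sorted(events, key=lambda e: e[0])
```

Only the process that bursts its chunks within the window is flagged; the slow writer and the plain window-class names are not, which is the trade-off to keep in mind when tuning the thresholds.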