CactusTorch is fileless malware that executes malicious code on infected devices.
At the time of publication, CactusTorch has been spread via drive-by-downloads. The source code has been made available on public repositories.
When executed, CactusTorch is injected into a DLL or EXE binary that stays in memory without being written to the hard drive. It then launches a program called DotNetToJScript, which exploits vulnerabilities in Microsoft’s Component Object Model (COM) to expose some trusted .NET libraries that a typical Windows client has. DotNetToJScript attaches .NET assemblies to these trusted libraries, which enables remote code execution.
— McAfee Labs (@McAfee_Labs) 2 August 2018
In 2018 there has been a rapid growth in the use of CactusTorch, which can execute custom shellcode on Windows systems (see image below).
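The DotNetToJScript loading pattern described above leaves recognisable traces in the script itself: the loader instantiates COM-exposed .NET types such as `BinaryFormatter` and `ArrayList`, calls `Deserialize_2`, and carries the serialized assembly as a long base64 string that decodes to a .NET BinaryFormatter (MS-NRBF) stream. The following scanner is an added example written for this page, not code from CactusTorch, DotNetToJScript or McAfee; it checks a JScript/VBScript/HTA body for those traces from a defender's side. The indicator list, the two-indicator threshold and both sample scripts are constructed assumptions for the example.

```python
import base64
import binascii
import re

# Names of the COM-exposed .NET types and members that a DotNetToJScript-style
# loader script instantiates. Which of these a given sample uses varies, so the
# list is a detection assumption for this example, not an exhaustive signature.
DNTJS_INDICATORS = (
    "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
    "System.Collections.ArrayList",
    "Deserialize_2",
    "DynamicInvoke",
    "System.Text.ASCIIEncoding",
    "System.IO.MemoryStream",
)

# First 17 bytes of a .NET BinaryFormatter stream (MS-NRBF SerializationHeaderRecord):
# record type 0, root id 1, header id -1, major version 1, minor version 0.
NRBF_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"

# Candidate base64 runs long enough to plausibly hold a serialized loader.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Assumed threshold: one indicator alone is common in benign COM scripting.
MIN_INDICATORS = 2


def _decodes_to_nrbf(candidate):
    """Return True if a base64 run decodes to data that starts with the NRBF header."""
    # Trim to a multiple of 4 so a partial trailing quartet does not raise.
    trimmed = candidate[: len(candidate) - len(candidate) % 4]
    try:
        data = base64.b64decode(trimmed, validate=True)
    except (binascii.Error, ValueError):
        return False
    return data.startswith(NRBF_HEADER)


def scan_script(text):
    """Score a script body for the DotNetToJScript loading pattern.

    Returns the indicator strings seen, whether an embedded BinaryFormatter
    stream was found, and a boolean verdict combining the two.
    """
    hits = [name for name in DNTJS_INDICATORS if name in text]
    serialized = any(_decodes_to_nrbf(m.group(0)) for m in BASE64_RUN.finditer(text))
    suspicious = serialized or len(hits) >= MIN_INDICATORS
    return {"indicators": hits, "serialized_stream": serialized, "suspicious": suspicious}


# Constructed sample in the shape of a DotNetToJScript loader. The payload is the
# NRBF header followed by filler bytes, not a real serialized assembly.
_constructed_blob = base64.b64encode(
    NRBF_HEADER + b"\x0c\x02\x00\x00\x00" + b"\x00" * 120
).decode()
SUSPICIOUS_SAMPLE = (
    'var serialized_obj = "' + _constructed_blob + '";\n'
    'var stm = new ActiveXObject("System.IO.MemoryStream");\n'
    'var fmt = new ActiveXObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter");\n'
    'var al = new ActiveXObject("System.Collections.ArrayList");\n'
    'var o = fmt.Deserialize_2(stm);\n'
)

# Constructed benign sample: a logon script carrying a long but non-NRBF base64 string.
BENIGN_SAMPLE = (
    'var banner = "' + base64.b64encode(b"Welcome to the corporate network. " * 4).decode() + '";\n'
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'sh.Popup(banner);\n'
)

if __name__ == "__main__":
    for label, body in (("loader", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_script(body))
```

The base64 check matters more than the string indicators: a loader can rename variables and split strings, but the serialized stream still has to begin with the BinaryFormatter header once decoded, so a scanner that decodes long base64 runs catches obfuscated variants that a plain string match misses.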