Process hollowing is a stealthy malware technique in which a legitimate executable is started in a suspended state, its original image is unmapped from the new process's address space, a malicious executable is written in its place, and the main thread's entry point is redirected to the new image before the process is resumed. To the operating system, and to security tools that key on process name, path or code signature, the process still looks like the trusted program, even though the code it now executes came from the attacker.
Trojans, ransomware and fileless loaders use this method to evade detection. Because the malware runs under the name and path of a trusted program (explorer.exe or svchost.exe, for example), it is harder for users, and for tools that trust process metadata, to notice anything suspicious. What does give it away is the gap between the process's identity and its memory: the PE image mapped at the process's base no longer matches the file on disk, and the main thread starts somewhere other than that file's entry point.
Process hollowing is a favorite of advanced persistent threat (APT) groups and of red-team tooling because of how effectively it bypasses defenses that never compare what is on disk with what is in memory.
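The disk-versus-memory mismatch described above is what a responder checks for. The following is an added example, not code from the original page: a Python check that parses the PE header fields a hollowing loader cannot easily keep consistent (section count, link timestamp, entry point RVA, preferred image base, image size) from both the on-disk file and the bytes mapped at the process's image base, and compares the main thread's start address with the legitimate entry point. The PE blobs are constructed inside the script rather than read from a live process; `actual_base` stands in for the PEB ImageBaseAddress and `thread_start` for the entry address taken from the suspended thread's context (Rcx on x64), both assumed inputs that a memory-forensics tool would supply. Loaders that wipe the payload's headers after writing it are handled as a finding in their own right, since a legitimately loaded image keeps its headers mapped.

```python
import struct

# Offsets from the PE/COFF layout; only the fields needed for the comparison.
DOS_E_LFANEW = 0x3C
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_headers(data: bytes) -> dict:
    """Parse the header fields that matter for a disk-vs-memory comparison."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe_off = struct.unpack_from("<I", data, DOS_E_LFANEW)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe_off + 4
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes; optional header follows
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "entry_rva": entry_rva,
        "image_base": image_base,
        "size_of_image": size_of_image,
    }


def build_pe_headers(*, image_base, entry_rva, size_of_image, timestamp,
                     sections, machine=0x8664) -> bytes:
    """Build a minimal PE32+ header blob. Constructed test data, not a real binary."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW, pe_off)
    # Machine, NumberOfSections, TimeDateStamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, sections, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)  # PE32+ optional header size
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def hollowing_indicators(disk_image: bytes, memory_image: bytes,
                         actual_base: int, thread_start: int) -> list:
    """Return a list of findings; an empty list means disk and memory agree."""
    findings = []
    disk = parse_pe_headers(disk_image)
    try:
        mem = parse_pe_headers(memory_image)
    except ValueError as exc:
        # A hollowing loader may erase the payload's headers; a normally loaded
        # image keeps them mapped, so unreadable headers are themselves a signal.
        findings.append(f"in-memory PE headers unreadable ({exc})")
        mem = None
    if mem is not None:
        for field in ("machine", "sections", "timestamp", "entry_rva",
                      "image_base", "size_of_image"):
            if disk[field] != mem[field]:
                findings.append(
                    f"{field}: disk={disk[field]:#x} memory={mem[field]:#x}")
    # ASLR relocates the image, so the expected entry is the actual base (from the
    # PEB) plus the on-disk entry RVA, not the header's preferred ImageBase.
    expected_entry = actual_base + disk["entry_rva"]
    if thread_start != expected_entry:
        findings.append(f"main thread starts at {thread_start:#x}, "
                        f"expected entry point {expected_entry:#x}")
    return findings


# Constructed sample: headers of a svchost-like host binary on disk, and the
# headers of an unrelated payload found mapped at the process's image base.
HOST_ON_DISK = build_pe_headers(image_base=0x140000000, entry_rva=0x1234,
                                size_of_image=0x10000, timestamp=0x5F000000,
                                sections=6)
PAYLOAD_IN_MEMORY = build_pe_headers(image_base=0x400000, entry_rva=0x3000,
                                     size_of_image=0x8000, timestamp=0x60000000,
                                     sections=4)
ACTUAL_BASE = 0x7FF6A0000000  # assumed PEB ImageBaseAddress after ASLR

if __name__ == "__main__":
    for line in hollowing_indicators(HOST_ON_DISK, PAYLOAD_IN_MEMORY,
                                     ACTUAL_BASE, ACTUAL_BASE + 0x3000):
        print("HOLLOWING:", line)
```

The header comparison is deliberately field-by-field rather than a whole-file hash: the loader relocates the image, resolves imports and writes to `.data`, so bytes legitimately differ between disk and memory, but the COFF and optional header fields above do not. Preferred `image_base` is the weakest of the fields, since most 64-bit executables share the default of 0x140000000, which is why the timestamp, section count and entry-point checks carry the weight.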