Self-deleting malware is malicious code designed to remove itself after it has run, or after a trigger is reached. It may delete its executable, wipe temporary files, clear scheduled tasks, or terminate related processes. The goal is to reduce forensic evidence, slow incident response, and make it harder to confirm what was executed and from where.
This matters because defenders often rely on disk artifacts, hashes, and file timelines to identify compromise. If the malware erases those clues, investigators must lean more heavily on memory forensics, process telemetry, endpoint logs, and network records. In real attacks, self-deletion is often paired with in-memory execution, DLL sideloading, or short-lived loaders, so the initial payload leaves little trace. Security teams should watch for suspicious parent-child process chains, unexpected DLL loads, rapid file creation and deletion, and process exits that occur immediately after execution.
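The detection hints in the paragraph above can be turned into a small correlation rule. The following is an added example written for this page, not code from the original text or from any vendor tool: it takes a handful of constructed endpoint events (modelled loosely on Sysmon-style process-create, process-terminate, file-create and file-delete records, but with field names that are assumptions of this example) and flags the four behaviours the text names: a script host spawning a binary from a temp directory, a file created and deleted within seconds, a process that exits almost immediately after starting, and an executable whose own image path is deleted shortly after its process ends.

```python
"""Correlate endpoint telemetry to flag self-deletion behaviour.

Added example (not from the original page). The event schema below is an
assumption of this example: "id" mimics Sysmon event IDs (1 process
create, 5 process terminate, 11 file create, 23 file delete), and the
other keys are simplified stand-ins for the real fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Script hosts that commonly launch short-lived loaders (illustrative list).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry, not real logs. Timestamps are ISO 8601 UTC.
SAMPLE_EVENTS = [
    {"t": "2024-05-01T10:00:00", "id": 1, "pid": 4242, "ppid": 1000,
     "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"t": "2024-05-01T10:00:01", "id": 11, "pid": 4242,
     "target": r"C:\Users\alice\AppData\Local\Temp\stage.tmp"},
    {"t": "2024-05-01T10:00:02", "id": 23, "pid": 4242,
     "target": r"C:\Users\alice\AppData\Local\Temp\stage.tmp"},
    {"t": "2024-05-01T10:00:03", "id": 5, "pid": 4242,
     "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    # A helper process removes the loader's own executable right after it exits.
    {"t": "2024-05-01T10:00:04", "id": 23, "pid": 7777,
     "target": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    # Benign long-running process for contrast: should produce no finding.
    {"t": "2024-05-01T10:00:00", "id": 1, "pid": 5000, "ppid": 900,
     "image": r"C:\Program Files\Editor\editor.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"t": "2024-05-01T10:45:00", "id": 5, "pid": 5000,
     "image": r"C:\Program Files\Editor\editor.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["t"])


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_self_deletion(events,
                         max_lifetime=timedelta(seconds=30),
                         churn_window=timedelta(seconds=10)):
    """Return findings as (kind, pid, path) tuples in chronological order.

    max_lifetime: a process that exits within this interval is "short-lived".
    churn_window: create->delete or exit->delete gaps within this are flagged.
    Both thresholds are illustrative and should be tuned per environment.
    """
    findings = []
    starts = {}                   # pid -> start time
    created = defaultdict(list)   # lower-cased path -> [(time, creating pid)]
    exited = {}                   # lower-cased image path -> exit time

    for e in sorted(events, key=_ts):   # stable sort keeps same-second order
        t = _ts(e)
        if e["id"] == 1:   # process create
            starts[e["pid"]] = t
            parent = _basename(e.get("parent", ""))
            if parent in SCRIPT_HOSTS and "\\temp\\" in e["image"].lower():
                findings.append(("suspicious_parent_chain", e["pid"], e["image"]))
        elif e["id"] == 11:  # file create
            created[e["target"].lower()].append((t, e["pid"]))
        elif e["id"] == 5:   # process terminate
            start = starts.get(e["pid"])
            if start is not None and t - start <= max_lifetime:
                findings.append(("short_lived_process", e["pid"], e["image"]))
            exited[e["image"].lower()] = t
        elif e["id"] == 23:  # file delete
            path = e["target"].lower()
            for ct, cpid in created.get(path, []):
                if t - ct <= churn_window:
                    findings.append(("rapid_create_delete", cpid, e["target"]))
            # The deleted file is an image that just finished running: the
            # on-disk evidence of what executed is now gone.
            if path in exited and t - exited[path] <= churn_window:
                findings.append(("executable_deleted_after_exit", e["pid"], e["target"]))
    return findings


if __name__ == "__main__":
    for kind, pid, path in detect_self_deletion(SAMPLE_EVENTS):
        print(f"{kind:32} pid={pid:<6} {path}")
```

On the constructed input the rule yields four findings for the loader (suspicious parent chain, rapid create/delete of `stage.tmp`, a three-second process lifetime, and the loader's own image deleted one second after exit) and nothing for the long-running editor process. In practice the value is in the combination: any one signal on its own is noisy, but the same pid tripping several within seconds is a strong prompt to capture memory and pull process telemetry before the remaining traces disappear.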



