Which fileless malware operates in memory and can steal keystrokes and credentials?

Fileless malware stays in memory and avoids writing a persistent payload to disk, using RAM-resident techniques to perform its actions and evade detection. Astaroth is a well-known in-memory credential stealer that operates without dropping a full, persistent file to disk. It targets credentials and sensitive data from browsers and other applications, and its memory-resident approach often includes keylogging or capturing keystrokes as part of stealing credentials, making it a strong match for this description. The other options are more typically associated with traditional disk-based payloads or broader RAT/credit-stealing capabilities, rather than being defined by a memory-resident, fileless approach.