Actually, if I remember correctly, a few years back some guys found a bug in a Windows driver, and managed to store a whole exploit/shellcode in a wrongly parsed registry key (which the driver parsed during boot). This could count as fileless persistent code.
I don't remember who did it, or what the article or PoC was named. It was a long time ago; if somebody remembers, it would be awesome to post a link.