
Malware is a major threat to the security of computers, tablets, smartphones and all other digital devices. Today’s cyberattacks frequently involve some type of malware. Malicious software can take many forms, from ransomware causing severe damage and financial loss to merely annoying adware, depending on the attacker’s objective.

Understanding these various types of malware, their detection signals, and effective protection strategies has become essential for both individuals and organizations seeking to safeguard their digital data.
What is Malware?
Malware refers to computer code specifically created to harm digital systems, networks, and users. This malicious software enters devices without authorization to extract sensitive data, damage systems, or disrupt operations. Cybercriminals develop these programs to compromise digital security for various gains.
The National Institute of Standards and Technology defines malware as software designed with harmful intent against data, computers, or networks. Unlike legitimate applications, malware arrives through deception, hiding its true function until activated.
Virus or Malware? Spot the difference!
The terms “virus” and “malware” are often used interchangeably, though they represent different concepts.
Computer viruses constitute a specific subset of malware characterized by self-replication and attachment to legitimate files or programs. Much like biological viruses require host cells, computer viruses need host programs to spread. Malware, in contrast, serves as the broader category covering all forms of malicious software, including viruses, worms, trojans, and ransomware.
This distinction emerged as threats diversified beyond the early virus-dominated era. By the mid-2000s, IT professionals had widely adopted “malware” as the standard terminology to reflect the growing variety of digital threats that didn’t rely on traditional viral spreading mechanisms.
Why Do Cybercriminals Use Malware?

Cybercriminals deploy malware for numerous strategic purposes, with financial motivation ranking as the primary driver.

Attackers target personal credentials such as usernames, passwords, banking information, and Social Security numbers to facilitate identity theft and fraud.

Ransomware attacks represent a direct approach to monetary gain, with criminals encrypting vital data and demanding payment for restoration. Many attackers profit by gathering and selling sensitive information on dark web marketplaces, where personal data commands significant prices.

Beyond financial targets, malware serves as a tool for intellectual property theft, particularly against research institutions and corporations with valuable proprietary information. Nation-state actors and corporate spies use sophisticated malware to conduct espionage operations against governments and businesses.

System disruption constitutes another common objective, with attackers seeking to disable critical infrastructure or business operations. Malware can commandeer computing resources to form botnets—networks of compromised machines used for distributed denial-of-service attacks, spam distribution, or cryptocurrency mining without owner consent.

The tactics employed to achieve these goals include data exfiltration techniques, credential harvesting, system lockouts, network resource destruction, and botnet command operations. These methods often work in combination, with initial infections establishing footholds for additional malicious activities.

What Are the Main Types of Malware?
Malware can take many forms, each designed with specific attack methods and objectives.
In 2024, the distribution of malware types was as follows:

Ransomware
Ransomware is malicious software that blocks access to a computer or its files by encrypting them and demanding that the victim pay a ransom to regain access.

In many cases, cybercriminals exploit known vulnerabilities in software that has not been patched, but ransomware can infiltrate in different ways:
- after opening a fraudulent attachment or malicious link received by e-mail;
- when browsing compromised sites;
- following a computer intrusion on the victim’s system.
Ransomware encrypts valuable files and demands payment for decryption keys, effectively holding data hostage. Modern variants often implement “double extortion” tactics, threatening to publish stolen information if ransom demands remain unpaid.

Ransomware example: The ELENOR-Corp group uses Mimic ransomware to target healthcare organizations, encrypting data and demanding ransom.
ELENOR-Corp ransomware group attacks the healthcare sector
Backdoor
A backdoor is a malicious program used to give hackers unauthorized remote access to an infected computer by exploiting system vulnerabilities.

Backdoors establish concealed entry points into compromised systems, allowing attackers to bypass normal authentication and maintain persistent access regardless of password changes or security updates. These stealthy components often install following initial compromise through other malware types, creating long-term access for future exploitation.

Backdoor example: PondRAT malware disguised as legitimate Python packages was used to install backdoors in developer systems for remote access.
PondRAT backdoor hidden in Python packages hits developers
Web Shell
A web shell is a malicious script or program planted by attackers on a web server to enable remote access and control. It functions as a backdoor, enabling unauthorized persons to execute commands, download and upload files, and manipulate the server.

These lightweight but powerful tools maintain a minimal footprint while enabling extensive server manipulation through a web browser interface.

Web shell example: Threat actors exploited Citrix NetScaler flaws to implant web shells and maintain hidden system access.
Vulnerabilities found in 1,900 Citrix NetScaler devices
Remote Access Trojan (RAT)
Remote Access Trojans (RATs) are malware designed to let an attacker remotely control an infected computer, including its mouse and keyboard, its files and its network resources.
RATs can infect computers via e-mail, be hosted on a malicious website, or exploit a vulnerability on an unpatched machine.

Instead of destroying files or stealing data, a RAT gives attackers complete control of a computer or mobile device, so they can silently browse applications and files and bypass common security measures such as firewalls, intrusion detection systems and authentication controls.

RAT example: A memory-resident RAT built with PowerShell that spreads via a malicious Microsoft Word document sent as an e-mail attachment and communicates over DNS TXT records, making it difficult to detect.
New Powershell Remote Access Trojan Identified
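A defender-side illustration of the DNS TXT channel mentioned above, added here and not taken from the original article: the detector below reads a constructed DNS query log (the hostnames, client addresses and log layout are all assumptions) and flags clients that issue many TXT queries to one domain whose leftmost labels look random (high Shannon entropy), which is the kind of signal a DNS-based beacon leaves in resolver logs.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the article): "time client qtype qname".
# 10.0.0.7 repeatedly asks for random-looking TXT names under one domain.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.7 TXT a3f9c2e1b7d4.c2-example.test
10:00:03 10.0.0.7 TXT 9e1d4c7b2a5f.c2-example.test
10:00:04 10.0.0.7 TXT 7b2a5f9e1d4c.c2-example.test
10:00:05 10.0.0.5 TXT _dmarc.example.com
10:00:06 10.0.0.7 TXT 4c7b2a5f9e1d.c2-example.test
10:00:07 10.0.0.7 TXT d4c7b2a5f9e1.c2-example.test
10:00:08 10.0.0.9 TXT example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random hex labels score near log2(16)."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registered_domain(qname: str) -> str:
    # Assumption: no multi-part public suffixes (e.g. co.uk) in the sample data.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_txt_beacons(log_text: str, min_queries: int = 4, min_entropy: float = 3.0) -> dict:
    """Return {(client, domain): query_count} for client/domain pairs that issued
    at least min_queries TXT lookups with a mean leftmost-label entropy >= min_entropy.
    Legitimate TXT lookups (SPF, DMARC, verification records) are few and low-entropy."""
    stats = defaultdict(lambda: [0, 0.0])  # key -> [count, summed entropy]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _, client, qtype, qname = m.groups()
        if qtype != "TXT":
            continue
        key = (client, registered_domain(qname))
        stats[key][0] += 1
        stats[key][1] += shannon_entropy(qname.split(".")[0])
    return {k: cnt for k, (cnt, ent) in stats.items()
            if cnt >= min_queries and ent / cnt >= min_entropy}
```

Thresholds are deliberately conservative; in a real deployment they would be tuned against a baseline of the organisation's normal TXT traffic.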
Infostealer
An infostealer is a type of malware designed to penetrate computer systems and steal sensitive information. This may include login information (so-called “logs”: passwords, e-mail addresses, browser history and the like), financial information or other personal data.

Often sold as Malware-as-a-Service (MaaS), the infostealer is a discreet tool that often goes undetected. Its strength lies in its ability to infiltrate computer systems without the owners being aware of its presence. The hacker’s aim is not to spy on the user in real time, but rather to retrieve all the interesting information present on the device, exfiltrate it and then disappear without a trace.
Infostealers are often used to obtain initial access and infiltrate networks. This enables attackers to gain a foothold in computer systems for further attacks, such as ransomware. Stolen credentials can also be resold on dark web marketplaces.
Cryptominer / Cryptojacking
Cryptojacking is a type of cyberattack in which a cybercriminal hijacks a computer or mobile device with a cryptominer to use its processing power to mine cryptocurrencies.

Unlike other types of malware, cryptominers don’t damage victims’ computers or data, but they do steal computer processing resources. This malware runs silently in the background, causing system slowdowns, increased power consumption and premature hardware deterioration due to intensive processing.
Cryptominers are usually installed on computers via a malicious link sent by e-mail, through infected websites, or through online ads that use self-executing JavaScript to load mining code.

Cryptominer example: A large-scale campaign based on the Dofoil Trojan deployed a cryptominer on over 500,000 PCs in just 12 hours to extract Electroneum while avoiding detection.
500k PCs Infected with Cryptominer in 12 Hours by Dofoil Trojan
Maldoc
Maldocs (malicious documents) appear as legitimate files but contain hidden malicious code designed to compromise systems when opened. These weaponized files circulate via compromised websites, e-mail attachments or file-sharing networks. They generally take the form of common office formats such as Word documents, PDFs, Excel spreadsheets or PowerPoint presentations.

What makes maldocs particularly effective is their familiar appearance, combined with the exploitation of trusted software. When opened, these documents execute embedded scripts to trigger the installation of malware.
While some maldocs require user interaction, such as enabling macros, others exploit zero-day vulnerabilities and require no further user action. The resulting infection can establish communication channels with the attacker’s infrastructure, download additional payloads or create persistent backdoors for long-term access.

Maldoc example: A malicious Word document with Python-based macros targeted MacOS systems to download encrypted malware payloads.
Malicious Word Macros Responsible for Spreading MacOS Malware
Worms
A worm is a type of malware capable of spreading or reproducing itself automatically without human interaction, enabling it to propagate to other computers on a network. Unlike traditional malware that requires a user action, worms infiltrate autonomously by exploiting vulnerabilities in target systems.
Computer worms are defined by this ability to spread without user intervention. Once they have gained access to a computer, they can perform malicious actions.

Worms most often spread by exploiting unpatched vulnerabilities in software and operating systems or unsecured access protocols, through network drives and other access shared between several computers, or via removable media (USB sticks and external hard drives).
Worms are classified according to the way they spread from one machine to another. The most common are:
- E-mail worms: spread by sending e-mails containing malicious attachments.
- P2P worms: use peer-to-peer (P2P) networks to copy themselves onto other network users.
- Network worms: spread over the network using shared resources such as network drives.
- Instant messaging worms: spread via instant messaging such as Skype, WhatsApp, or Facebook Messenger by accessing an infected user’s contacts.
- Internet worms: infect websites and the computers that visit them by exploiting web browser vulnerabilities.

Worm example: Emotet, a network worm, infected a school district's systems, leading to significant financial loss due to its rapid propagation and data theft capabilities.
Rockingham School District loses $314,000 to Emotet malware
Malicious Bot
By definition, a bot is automated software that performs predefined tasks, usually on a network. A malicious bot is automated malware whose purpose is to infect a system, steal data or commit other fraudulent activities.

Malicious bots can be coordinated to conduct distributed denial-of-service attacks (DDoS), break into user accounts, send spam, distribute additional malware, or perform other malicious activities at scale.
A botnet refers to a network of computers infected by a malware bot, remotely controlled by a single hacker to carry out several coordinated actions simultaneously. The scale of a botnet (often made up of thousands to millions of bots) enables it to carry out large-scale attacks that would be impossible with simple malware.

Bot example: The dismantling of a botnet compromising SOHO routers has put an end to a stealth network used for espionage and access to US critical infrastructure systems.
FBI Targets Chinese KV Botnet in Cybersecurity Crackdown
Other Common Types of Malware
Keyloggers
A keylogger or keystroke logger is malware that infects a device to record the user’s keystrokes. Often placed on a computer when an infected application is downloaded, it enables the hacker to collect the credentials and other important information of a targeted user via a command and control (C&C) server. If programmed to do so, it can also spread to other devices in contact with an infected computer.
Rootkits
A rootkit is malware designed to enable hackers to access and control a target device in order to steal personal data and financial information, install malware or use computers as part of a botnet. It needs an infection vector to spread and install itself, often using Trojans or exploiting operating system vulnerabilities. Although most rootkits affect software and the operating system, some can also infect a computer’s hardware and firmware. Rootkits conceal their presence, but even while hidden they remain active.
Exploits
A computer exploit is malware that takes advantage of a security vulnerability in a software program, application or computer OS to gain illicit access to a system. These vulnerabilities are hidden in the code of the operating system and its applications, and exploits can be classified into several types, each with its own characteristics and methods of operation. The most common types are zero-day exploits, denial-of-service exploits and direct-access exploits. This type of attack often begins with spam and drive-by downloads. It encourages victims to open an infected attachment or click on links that redirect to a malicious website containing exploit code designed to take advantage of application weaknesses.
Spyware
Spyware is malware that infects a device to collect data and send it to hackers. It infects a device through conventional methods (attachments, malicious links, fraudulent sites, etc.) to gain access to personal information such as login credentials, financial details, or personal data, while operating invisibly in the background. This sensitive information is then resold to data companies, advertisers and other third-party users. Some variants provide remote access capabilities, allowing attackers to control the compromised device.
Adware
Short for “advertising-supported software”, adware is malware that installs itself on a computer without the user’s knowledge to display unwanted ads and pop-ups on the screen. Often bundled with a free download or free application, adware can collect data and track users’ online behavior to display personalized content. Although not primarily defined by its dangerous nature, adware slows down browsers and device operation, is unpleasant for users and can serve as a gateway for cybercriminals.
Fileless Malware
Fileless malware is malicious code that runs directly in a computer’s memory (i.e. RAM) rather than on the hard disk of a computer. Unlike conventional malware, no code is installed on the target system by the cyber attacker, making detection more difficult. Upon system reboot, this malware typically disappears from memory, complicating forensic analysis. This technique, which uses native tools to carry out a malicious attack, is known as “living off the land” (LOTL).
Image credit: janews094, AdobeStock