A trojan is malware disguised as a legitimate program that, once executed, operates in the background without the victim noticing. Typical actions: install more malware, capture credentials, grant remote access to the attacker or exfiltrate data. It owes its name to the wooden horse of the Trojan War legend (told in the Odyssey and Virgil's Aeneid, not the Iliad): harmless looking on the outside, hostile content on the inside. Unlike viruses or worms, a trojan doesn't propagate on its own; it depends on the user executing it.
This guide explains what a trojan actually is, the seven types appearing again and again in forensic investigations (RAT, banker, downloader, dropper, backdoor, rootkit, info-stealer), documented real examples (Emotet, Trickbot, Agent Tesla, Qakbot, AsyncRAT), how it gets distributed in 2026, what it chains afterwards and what steps to follow to remove it from a machine or a compromised corporate network.
What a trojan is
A trojan is a program that passes itself off as legitimate or useful software so the user runs it, hiding a malicious function that activates afterwards. The key difference from other malware: a trojan neither replicates on its own nor exploits system vulnerabilities to spread. It needs social engineering to get executed.
What a trojan does once inside depends on the module it carries:
- Opens an outbound connection to a command and control (C2) server and hands remote control to the attacker.
- Downloads another more specialised piece of malware (ransomware, stealer, miner).
- Captures banking or corporate credentials via keylogging, form-grabbing or screen scraping.
- Steals files, browser sessions, SSH keys, crypto wallets.
- Installs persistence to survive reboots.
- Modifies system configuration to disable antivirus or reduce defences.
In most professional incidents we investigate, the trojan is the initial piece of a longer chain: social engineering or pharming, trojan, internal reconnaissance, credential theft, privilege escalation and finally ransomware or exfiltration. That chain marks the difference between a minor incident and a catastrophic one.
Trojan types
Seven categories cover practically everything that appears in production.
Remote access trojan (RAT)
Gives the attacker remote control of the machine. Typical functionality: shell, file manager, screen capture, microphone, webcam, command execution. Documented families: AsyncRAT, NjRat, Remcos RAT, QuasarRAT, AveMaria (Warzone RAT). Many get sold as monthly subscriptions in underground markets for under $50.
Main risk: the human operator behind it can pivot laterally and maintain presence for months without triggering crude alerts.
Banking trojan (banker)
Specialised in stealing credentials and online banking data. Combines form-grabbing, web injects (modifying the bank page HTML to add fake fields) and, increasingly, MFA and SMS token capture. Classic families: Zeus and derivatives (Citadel, Atmos), Trickbot, IcedID, Qakbot, Dridex, Emotet in its banker phase.
In 2026 many bankers have evolved to generic information stealers because of the profitability of stealing corporate credentials and reselling them to ransomware operators.
Downloader trojan
Single function: download another piece of malware from a server controlled by the attacker. Small, stealthy, with no malicious functionality of its own beyond the download, which is why many antivirus signatures let it through. Once the downloaded binary is running, the downloader often deletes itself to reduce traces.
Dropper trojan
Variant of the downloader that instead of downloading carries the payload embedded inside itself. Bigger, less dependent on connectivity, useful in environments without direct outbound access.
Backdoor trojan
Creates a persistent back door: new account with elevated privileges, firewall rule that opens a port, new service listening for connections, SSH key added to authorized_keys. The operator connects whenever they want, without needing an exploit.
Rootkit trojan
Modifies the operating system (kernel, drivers, hooks) to hide its own presence and that of associated processes. Very hard to detect with standard tools, and removing one usually requires a full OS reinstall. Documented cases: Stuxnet (industrial sector, 2010), TDSS/Alureon, ZeroAccess.
Info-stealer trojan
Most active category in 2024-2026 underground markets. Grabs everything it can find in a single pass and exits: browser cookies, saved passwords, Discord/Telegram sessions, cloud configuration files (.aws, .kube), crypto wallets, screen captures. Families: RedLine, Vidar, Raccoon, Lumma Stealer. The output gets sold immediately in markets like Russian Market or processed to fuel subsequent attacks.
Documented real examples
The names appearing most in recent forensic reports in Spanish enterprises.
Emotet. Started as a banker in 2014 and evolved to "loader as a service": delivered Trickbot and Ryuk to whoever paid. Dismantled in January 2021 by Europol with NL/DE/UA coordination, resurrected in November 2021 and went quiet again in 2023. The methodology (phishing campaigns with Office documents and macros) gets replicated in current families.
Trickbot. Banker turned into a modular platform to deliver ransomware (Conti, Ryuk). Investigation coordinated by Microsoft and US Cyber Command disrupted its infrastructure in 2020. Its operators migrated to other frameworks.
Agent Tesla. Commodity stealer sold on forums since 2014. Massively distributed via phishing to Spanish corporate accounts. Steals credentials from browser, email client, FTP, SSH and exfiltrates via SMTP, FTP, Telegram or HTTP.
Qakbot (Qbot). Banker that evolved to loader. Partially dismantled by the FBI in 2023 (Operation Duck Hunt). Its operators pivoted to lesser-known families like Pikabot.
AsyncRAT and NjRat. Commodity RATs appearing in any campaign without a specific target, distributed by low-budget affiliates. Very detectable by serious EDRs but effective on unprotected endpoints.
RedLine Stealer and Vidar. Stealers dominating 2024-2026 credential markets. Corporate credentials appearing in underground marketplaces mostly come from here. Ransomware operators buy fresh combolists for initial access.
How it gets distributed in 2026
Realistic vectors, ordered by frequency in incident investigations in Spain:
- Phishing email with malicious attachment. Office document with macro, HTA file, password-protected ZIP with executable inside, OneNote with script, mountable ISO or IMG that bypasses Mark of the Web (Windows has propagated MotW into mounted images since late 2022, but unpatched hosts still fall for it). Still vector number one.
- Email with link to malicious site. Shortened link, site mimicking SharePoint or corporate portal, drive-by download posing as an Adobe, Zoom or other common software installer.
- Pirated software, cracks, "cheats". Users downloading a keygen or crack get an embedded info-stealer. Dominant vector for trojans affecting individuals and personal devices connecting to corporate networks.
- Malvertising. Malicious ads served through legitimate networks. The user searches "Notion download" on Google, clicks the sponsored ad and downloads a trojan disguised as an installer.
- Supply chain compromise. A provider distributes an installer with an added module. SolarWinds (2020), 3CX (2023), XZ utils (2024).
- Malicious USB left in a car park or handed out at events. Rare vector but documented, especially against specific organisations.
- Instant messaging. Telegram, WhatsApp and Teams with malicious files or links to download pages. Growing in 2024-2026 as email defences improve.
- Fake updaters and browser notifications. "Your Chrome is outdated, download this patch". Pop-ups that the inexperienced user runs.
The constant: social engineering. Without a human running the binary, the trojan doesn't get in.
Detection with defensive controls
Seven fronts that cover a modern trojan.
Antivirus, traditional and NGAV. Detects signatures of known families (NGAV adds machine-learning classifiers on top). Effective against unobfuscated commodity malware; less so against variants packed or rebuilt polymorphically.
EDR / XDR. Detects behaviour rather than signatures. Patterns that trigger alerts: an unknown process writing to a Run key in the registry, an executable created in %AppData% and then executed, an outbound connection to an IP with no reputation, base64 decoded and executed in memory. See the EDR article for detail.
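As an added example (not code from this article, and not any EDR vendor's detection logic), the following Python script applies three of those behavioural rules to a constructed batch of Sysmon-style endpoint events: an Office process spawning a script host, an executable written under a user-writable directory and launched shortly afterwards, and a Run key pointing at such a directory. The event field names are simplified assumptions, not Sysmon's exact schema, and the telemetry is synthetic.

```python
"""Behavioural correlation of the kind an EDR applies to endpoint telemetry.

Added example, not code from the original article or any vendor product.
Input is a constructed list of Sysmon-style events (ProcessCreate, FileCreate,
RegistryValueSet); field names are simplified assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry: a macro-enabled document spawns a script host,
# which drops an executable under %AppData%, runs it, and registers a Run key.
# The last two events are benign noise (a normal installer under Program Files).
EVENTS = [
    {"ts": "2026-01-12T09:00:01", "type": "ProcessCreate", "pid": 4100, "ppid": 3200,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ts": "2026-01-12T09:00:03", "type": "FileCreate", "pid": 4100,
     "target": r"C:\Users\ana\AppData\Roaming\svchost32.exe"},
    {"ts": "2026-01-12T09:00:05", "type": "ProcessCreate", "pid": 4188, "ppid": 4100,
     "image": r"C:\Users\ana\AppData\Roaming\svchost32.exe",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"ts": "2026-01-12T09:00:06", "type": "RegistryValueSet", "pid": 4188,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\ana\AppData\Roaming\svchost32.exe"},
    {"ts": "2026-01-12T09:10:00", "type": "FileCreate", "pid": 5000,
     "target": r"C:\Program Files\Notion\Notion.exe"},
    {"ts": "2026-01-12T09:10:02", "type": "ProcessCreate", "pid": 5010, "ppid": 5000,
     "image": r"C:\Program Files\Notion\Notion.exe",
     "parent": r"C:\Users\ana\Downloads\Notion Setup.exe"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
RUN_KEYS = ("\\currentversion\\run",)  # also matches RunOnce


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def detect(events, window=timedelta(minutes=5)):
    """Return a list of (rule, pid) alerts from three correlated rules:
    1. an Office application spawning a script host;
    2. a file created in a user-writable directory and executed within `window`;
    3. a Run/RunOnce value that points at a user-writable directory."""
    alerts = []
    drops = {}  # lowercase path -> time the file was created
    for ev in sorted(events, key=_t):
        if ev["type"] == "ProcessCreate":
            image = ev["image"].lower()
            if _basename(ev["parent"]) in OFFICE_PARENTS and _basename(image) in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", ev["pid"]))
            created = drops.get(image)
            if created and _t(ev) - created <= window and any(d in image for d in USER_WRITABLE):
                alerts.append(("dropped_then_executed", ev["pid"]))
        elif ev["type"] == "FileCreate":
            drops[ev["target"].lower()] = _t(ev)
        elif ev["type"] == "RegistryValueSet":
            key, value = ev["target"].lower(), ev["details"].lower()
            if any(r in key for r in RUN_KEYS) and any(d in value for d in USER_WRITABLE):
                alerts.append(("run_key_to_user_dir", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

The installer writing and launching Notion.exe under Program Files trips none of the rules, which is the point of conditioning on the directory: the same "write then execute" sequence is routine for legitimate software, and what separates the trojan is where it lives and who launched it.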
Attachment sandbox. Before delivering the email, the attachment runs in a controlled sandbox and behaviour gets observed. Detects what static signatures don't see.
Network monitoring. Anomalous DNS traffic (DGA, DNS tunneling), HTTPS connections to recently registered domains, periodic beaconing characteristic of C2. Detectable with a well-configured SIEM and public Sigma rules.
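The beaconing signal can be checked without a SIEM rule language. The following Python snippet is an added example, not from the original article, over constructed connection records (the `timestamp src dst:port bytes` line format is an assumption, not any firewall or proxy's log format): it groups outbound connections per source/destination pair and flags pairs whose inter-connection intervals and request sizes barely vary, which is what a C2 beacon with a fixed sleep looks like against a backdrop of irregular human browsing.

```python
"""Periodic-beacon detection over outbound connection records.

Added example, not code from the original article. The log lines are
constructed; the line format (timestamp src dst:port bytes) is an assumption.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.12 beacons to 203.0.113.45:443 roughly every 60 s
# with a few seconds of jitter, while a user on 10.0.0.13 browses irregularly.
SAMPLE_LOG = """\
2026-01-12T09:00:00 10.0.0.12 203.0.113.45:443 512
2026-01-12T09:01:01 10.0.0.12 203.0.113.45:443 514
2026-01-12T09:01:59 10.0.0.12 203.0.113.45:443 512
2026-01-12T09:03:02 10.0.0.12 203.0.113.45:443 513
2026-01-12T09:04:00 10.0.0.12 203.0.113.45:443 512
2026-01-12T09:05:01 10.0.0.12 203.0.113.45:443 512
2026-01-12T09:00:07 10.0.0.13 198.51.100.20:443 18200
2026-01-12T09:00:09 10.0.0.13 198.51.100.20:443 2300
2026-01-12T09:04:40 10.0.0.13 198.51.100.20:443 90120
2026-01-12T09:11:15 10.0.0.13 198.51.100.20:443 4410
2026-01-12T09:11:16 10.0.0.13 198.51.100.20:443 3310
2026-01-12T09:25:00 10.0.0.13 198.51.100.20:443 77000
"""


def parse(log):
    """Group records as {(src, dst): [(timestamp, bytes), ...]}."""
    flows = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def score_flows(flows, min_events=5, max_interval_cv=0.2, max_size_cv=0.1):
    """Return {(src, dst): (median_interval_s, interval_cv, size_cv)} for flows
    that look like beacons: enough events, near-constant spacing and near-
    identical request sizes. CV is stdev/mean, so a low CV means low jitter."""
    hits = {}
    for key, recs in flows.items():
        if len(recs) < min_events:
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        sizes = [r[1] for r in recs]
        interval_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits[key] = (statistics.median(gaps), round(interval_cv, 3), round(size_cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (period, icv, scv) in score_flows(parse(SAMPLE_LOG)).items():
        print(f"possible beacon {src} -> {dst}: every ~{period:.0f}s "
              f"(interval CV {icv}, size CV {scv})")
```

Real beacons add randomised jitter, so in production the interval threshold gets tuned per environment and combined with the other signals in the paragraph (domain age, DNS anomalies) rather than used alone; a patch-management agent polling on a fixed schedule will look exactly like this and has to be allow-listed.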
Identity threat detection (ITDR). Detects anomalous use of credentials (logins from an unusual geolocation, at an unusual hour, from a new device) that indicate prior theft even when the trojan itself was never caught.
Threat hunting. Proactively searching telemetry for C2 patterns, persistence and lateral movement that did not trigger an automatic alert, on the assumption that something already got through.
Email-side protection. Default Office macro blocking (Microsoft 365 policy since 2022), executable attachment blocking, link filtering, sandbox detonation before delivery. Most avoidable incidents get avoided here.
How to remove a trojan
If the suspicion concerns a single personal machine:
- Disconnect from the network immediately to prevent lateral movement or exfiltration.
- Don't reboot repeatedly trying to "clean". Every reboot re-runs whatever persistence mechanism the trojan installed, and families that live partly in memory use it to reinstall or update themselves.
- Boot into safe mode (Windows) or recovery environment.
- Scan with two engines from different vendors (for example ESET, Malwarebytes, Bitdefender). The combination catches what one alone misses.
- Review persistence manually: Run/RunOnce registry keys, scheduled tasks, services, Startup folders, Winlogon\Shell, local GPO scripts. Classic tool: Sysinternals Autoruns.
- Change passwords from a clean machine: main account, bank, email, social networks, corporate platforms.
- Review recent authentications on each critical service to detect unauthorised access.
- If it's a work device, contact the security team before further manipulation.
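For the persistence-review step, an added example (not the article's tooling) in Python that triages a constructed list of autorun entries in the locations listed above. The entry structure (location, entry name, launch string, signer) is an assumption modelled loosely on what Autoruns displays; on a real host feed it from an Autoruns export or your own registry and task enumeration. The heuristics are the ones an analyst applies by eye: binaries in user-writable paths, script hosts and LOLBins, hidden or encoded PowerShell, a Winlogon Shell that is not plain explorer.exe, and unsigned images outside the system directories.

```python
"""Triage of persistence entries (Run keys, scheduled tasks, services,
Startup folders, Winlogon\\Shell). Added example, not the article's own
tooling; the entries are constructed and their shape is an assumption.
"""
import re

ENTRIES = [
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "entry": "OneDrive",
     "launch": r"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
     "signer": "Microsoft Corporation"},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "entry": "Updater",
     "launch": r"wscript.exe //B C:\Users\ana\AppData\Roaming\upd\run.vbs", "signer": ""},
    {"location": "Task Scheduler", "entry": r"\Microsoft\Windows\Sync\Cache",
     "launch": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA", "signer": ""},
    {"location": r"HKLM\System\CurrentControlSet\Services", "entry": "Spooler",
     "launch": r"C:\Windows\System32\spoolsv.exe", "signer": "Microsoft Windows"},
    {"location": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "entry": "Shell", "launch": r"explorer.exe, C:\ProgramData\svc\host.exe", "signer": ""},
    {"location": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "entry": "report.lnk", "launch": r"C:\Users\Public\report.exe", "signer": ""},
]

USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public|downloads)\\", re.I)
TRUSTED_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)
LOLBINS = re.compile(r"\b(wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin)\.exe\b", re.I)
ENCODED_PS = re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand|w hidden|nop)\b", re.I)


def _first_image(launch):
    """Best-effort: the executable (quoted or not) at the start of a launch string."""
    m = re.match(r'"([^"]+)"|(\S+)', launch)
    return (m.group(1) or m.group(2)) if m else launch


def triage(entries):
    """Return [(location, entry, [reasons])] for entries worth a closer look."""
    findings = []
    for e in entries:
        launch, reasons = e["launch"], []
        if USER_WRITABLE.search(launch):
            reasons.append("user-writable path")
        if LOLBINS.search(launch):
            reasons.append("script host / LOLBin")
        if ENCODED_PS.search(launch):
            reasons.append("hidden or encoded PowerShell")
        if e["location"].lower().endswith(r"winlogon\shell") and launch.strip().lower() != "explorer.exe":
            reasons.append("Winlogon Shell altered")
        image = _first_image(launch)
        if not e["signer"] and "\\" in image and not TRUSTED_DIRS.match(image):
            reasons.append("unsigned binary outside system dirs")
        # Microsoft's own per-user components (OneDrive, Teams) legitimately run
        # from AppData; downgrade that lone reason when the signer is Microsoft,
        # but verify the signature on the file rather than trusting the string.
        if reasons == ["user-writable path"] and e["signer"].lower().startswith("microsoft"):
            reasons = []
        if reasons:
            findings.append((e["location"], e["entry"], reasons))
    return findings


if __name__ == "__main__":
    for location, entry, reasons in triage(ENTRIES):
        print(f"{location} :: {entry} -> {', '.join(reasons)}")
```

Treat the output as a worklist, not a verdict: an entry that passes every heuristic can still be malicious (signed with a stolen certificate, living in Program Files after a supply chain compromise), so the next step is hashing the flagged images and checking them against the IoCs from the incident.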
For corporate environments or suspected broad infection:
- Isolate the host from the EDR console (network containment), then review its active sessions and neighbouring hosts for the same indicators.
- Don't shut down the machine: memory contains valuable forensic evidence.
- Memory and disk capture in forensic format (FTK Imager, Belkasoft Live RAM Capturer).
- IR analysis: build the timeline and review process execution, network connections, registry, prefetch, the NTFS journal ($UsnJrnl) and event logs.
- Credential rotation for any account that touched the host.
- Clean OS reinstallation. Faster and safer than trying to clean; in many cases the only legally defensible option.
- Hunting across the rest of the network for IoCs derived from the analysis (hashes, C2 domains, mutex, registry keys).
- Notification if applicable: to the Spanish Data Protection Agency within 72 hours if personal data is affected, to the NIS2/DORA sectoral authority where appropriate, to CCN-CERT or INCIBE-CERT.
Compliance fit
Trojan risk management covers direct points in current frameworks:
- NIS2 (articles 21 and 23). Article 21 lists the risk management measures, including protection against malicious software; article 23 sets incident notification at 24 h (early warning) and 72 h (incident notification).
- DORA (article 9). ICT requirements for financial services. Malware detection and response are explicit.
- ISO 27001:2022 (control 8.7). Malware protection. External audit requires documented processes.
- ENS Royal Decree 311/2022 (op.exp.6). Malicious code protection, different by system level.
- PCI DSS v4.0 (req. 5). Mandatory anti-malware on systems processing card data.
- GDPR. An infection with personal data exfiltration is a notifiable breach.
Frequently asked questions
What's the difference between virus and trojan?
The virus replicates on its own, infecting other files or systems. The trojan needs the user to execute it and doesn't replicate by itself. The classic distinction has blurred in 2026 because most modern malware mixes techniques, but the nuance matters to understand the entry vector: blocking user execution is what stops a trojan, not patching the system.
Can a trojan infect mobile phones?
Yes. There are specific families for Android (Anubis, Cerberus, FluBot) and, to a lesser extent, for iOS (rarer due to the closed model). They arrive via malicious APKs downloaded outside the Play Store, SMS messages with a link, fraudulent ads. The main defence is not installing outside official stores and keeping the system updated.
Does my antivirus protect me for sure?
Modern antivirus stops most commodity trojans. Recent, obfuscated or targeted variants only get stopped by EDRs with behavioural detection. For an enterprise, the reasonable minimum in 2026 is EDR (not traditional antivirus) on every endpoint, with operational response.
Can a trojan survive a Windows reinstall?
Almost never. Only advanced rootkits with UEFI persistence, disk firmware persistence or supply chain compromise can survive. For a normal user, formatting and reinstalling cleans the machine. The exception is if the installation image used is already contaminated.
How long can pass between infection and detection?
A long time. Median detection time (dwell time) in recent reports (Mandiant M-Trends, IBM Cost of a Breach) sits between 10 and 200 days depending on sector and maturity. In companies with a well-run SOC, hours. In companies without EDR, months without noticing.
Why do some trojans come signed with a valid certificate?
Attackers get code signing certificates two ways: they steal private keys from legitimate companies (Stuxnet carried stolen Realtek and JMicron certificates) or set up shell companies to buy certificates under false identities. When the abuse gets discovered the certificate gets revoked; until then the binary passes any control that trusts code signing on its own.
Can a trojan use the GPU or CPU to mine crypto?
Yes, it's a separate category called cryptojacker. Some modern trojans carry a miner as an optional module that activates if the endpoint meets conditions (power, idle time, affordable electricity). The typical signal is sustained CPU/GPU usage rise without visible cause and temperature increase.
Related resources
- Types of malware: broader family where trojans sit alongside viruses, worms, ransomware, spyware and rootkits.
- What is ransomware: the scenario many trojans serve as initial access to.
- What is an EDR and what is MDR: controls that stop modern trojans on endpoints.
- What is threat hunting: the discipline hunting those that escape automated detection.
- Kerberos attacks in Active Directory: the typical subsequent phase when a trojan captures privileged credentials in a Windows environment.
Trojan defence at Secra
At Secra we address trojan risk on two fronts: on one side, Red Team exercises that validate whether defensive controls detect real campaigns (targeted phishing plus payload delivery with current TTPs) on endpoints, identity and network; on the other, audit of EDR configuration, macro policy, MFA rollout, privilege segmentation and user training to reduce the double-click that opens the door. The usual deliverable is a per-user and per-machine risk map with priorities. If you want to understand how long you'd last against a realistic campaign combining phishing and trojan against your staff, get in touch via contact.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.