A systematic reference covering all eighteen malware categories — from viruses and worms to fileless threats and logic bombs — with real-world examples, detection methods, and the three-question triage framework.
⚡ Quick Bite · 20s
Viruses vs. worms, Trojans, ransomware — understanding spread mechanisms and data-lock tactics for modern cloud defence.
Watch this 20-second summary before diving into the full article. Sign in to earn 5 leaderboard points.
Malware is classified by what it does and how it spreads. In practice, these categories overlap constantly. WannaCry (2017) was simultaneously ransomware and a worm. Emotet started as a banking trojan, evolved into a spam botnet, and eventually operated as a dropper-for-hire platform. TrickBot functioned as a downloader, a credential stealer, and a lateral movement framework depending on which modules the operator loaded.
The value of taxonomy is triage speed. When an analyst sees vssadmin delete shadows /all in a Procmon log, the word "ransomware" triggers an immediate containment playbook. Classification is not about putting samples into neat boxes — it is about knowing which box tells you what to do next.
Before matching a sample against a taxonomy chart, ask three questions in order:
The answers place the sample in the right categories faster than scanning a full taxonomy table from top to bottom.
Refer to REMA eBook 2026, Figure 1.2 for the full three-question triage decision flowchart.
Parasitic: inserts its code into legitimate executables. Runs when the host file runs. Needs human action to spread (opening a file, plugging in a USB).
Run key creation.Self-propagating: copies itself across networks without a host file or user interaction. Exploits vulnerabilities or weak credentials.
.WNCRY file creation and shadow copy deletion.Deception: disguises itself as useful software. Does not self-replicate. Spread through phishing, drive-by downloads, or trojanised installers.
winword.exe → powershell.exe process chain. Email gateways flag macro-enabled attachments.Persistent access: provides a covert channel for the attacker to return after initial compromise. Often custom-built with encrypted C2.
Full remote control: desktop view, webcam, file manager, shell, keylogging.
Encrypts files and demands payment. Modern variants exfiltrate data first (double extortion).
vssadmin delete shadows. File monitoring: mass rename with new extension.Concealment: modifies OS internals (kernel drivers, boot records, or hypervisor) to hide processes, files, registry keys, and network connections.
psxview). UEFI/boot integrity verification.Surveillance: records keystrokes, screenshots, clipboard, browser history, GPS location, calls, and messages.
Captures keystrokes and often clipboard data, screenshots, and browser form fills. Exfiltrates via email (SMTP), FTP, or HTTP POST.
SetWindowsHookExA with WH_KEYBOARD_LL). Network: outbound SMTP/FTP with encoded credential payloads.Joins a command-and-control network. Awaits instructions: DDoS, spam relay, credential stuffing, cryptomining.
Hijacks browsers, injects advertisements, modifies search engine settings, collects browsing habits.
Carrier: its only job is to deliver a second-stage payload that it carries embedded inside itself.
winword.exe → powershell.exe → rundll32.exe. Memory: thread injection patterns.Same purpose as a dropper, except it fetches the payload from a remote URL instead of carrying it internally.
Operates entirely in memory. No traditional executable on disk. Abuses PowerShell, WMI, .NET reflection, or LOLBins.
bitsadmin.exe. Stole credentials from Brazilian banks.-EncodedCommand arguments. Memory forensics: injected shellcode in system processes. EDR: abnormal WMI event subscriptions.Destruction, not profit. Overwrites files, MBR, or partition tables permanently. Often disguised as ransomware.
Targets financial data: banking credentials, KYC documents, cryptocurrency wallets, credit card numbers.
Dormant until a trigger condition is met (specific date, user action, removal of an employee account). Then executes destructive payload.
Social engineering in software form. Displays fake virus alerts to trick the user into purchasing worthless "security software."
Eighteen categories is a lot to memorise. A practical shortcut: when you pick up a new sample, use the three-question triage. The answers place the sample in the right categories faster than scanning a taxonomy chart from top to bottom.
Important: Categories are not mutually exclusive. A single sample may belong to multiple entries simultaneously. WannaCry is both a worm and ransomware. Emotet shifted from trojan to botnet to dropper over its lifetime.
| Category | Primary Action | Spread Mechanism | Real Example |
|---|---|---|---|
| Virus | Parasitic infection | Host file, USB, user action | Sality |
| Worm | Self-propagation | Network exploits, weak credentials | WannaCry |
| Trojan | Deception | Phishing, drive-by, fake updates | Emotet |
| Backdoor | Covert access | Post-exploitation, supply chain | Lazarus Group |
| RAT | Full remote control | Phishing, exploit, trojanised apps | Gh0st RAT |
| Ransomware | Encrypt files | Phishing, worm, RDP brute-force | Ryuk |
| Rootkit | Concealment | Kernel driver, boot record, hypervisor | Scranos |
| Spyware | Surveillance | Zero-click exploit, targeted install | Pegasus |
| Keylogger | Keystroke capture | Phishing, bundled software | Agent Tesla |
| Botnet Agent | C2 network | Default credentials, exploits | Mirai |
| Adware | Browser hijack | Bundled installers, drive-by | Fireball |
| Dropper | Payload delivery (embedded) | Phishing, trojanised installer | Dridex |
| Downloader | Payload delivery (remote) | Email attachment, macro document | TrickBot |
| Fileless | Memory-only execution | PowerShell, WMI, .NET reflection | Astaroth |
| Wiper | Irreversible destruction | Supply chain, lateral movement | NotPetya |
| Crimeware | Financial data theft | Browser hooking | Gootkit |
| Logic Bomb | Conditional destruction | Insider threat, embedded in code | CIH/Chernobyl |
| Scareware | Social engineering | Malvertising, bundled software | WinFixer |
Sign in to mark this article as read and track your progress.