Trojan horse is the umbrella term for malware that "disguises itself as legitimate software so the user installs it themselves". The Homeric idea of "make the enemy open their own gates" maps directly to the modern attack model of "make the user click the install button". A Trojan doesn't self-replicate and doesn't need a vulnerability, so infection can succeed even on a perfectly patched system. The first step is always a user judgment error — and that is precisely why Trojans have remained a primary attack surface for over 35 years. This article goes from classification through delivery vectors, the attack chain, persistence, representative incidents, the MaaS ecosystem, and layered defense.
Where Trojan fits in the malware taxonomy #
News articles often use "virus", "malware", "Trojan", and "ransomware" interchangeably, but technically there is a clear distinction in function and behavior. It's also routine for a single piece of malware to belong to multiple categories at once (e.g. WannaCry = Worm + Ransomware).
Classification by spreading method #
| Type | How it spreads | Examples |
|---|---|---|
| Virus | "Parasitizes" other legitimate files and runs when the host runs | ELK Cloner, CIH, Brain (classic, rare today) |
| Worm | Self-replicates, spreads automatically over the network, no user action needed | Morris, Slammer, Conficker, the worm part of WannaCry |
| ★ Trojan | Disguises itself as legitimate software; the user runs it themselves; no self-replication | Zeus, Emotet, Trickbot, Cobalt Strike (commercialized) |
Classification by purpose (what gets carried inside the Trojan) #
| Type | What it does | Examples |
|---|---|---|
| Backdoor / RAT | A back door for remote control by the attacker — screen / keys / files | Cobalt Strike, NjRAT, Quasar, Sliver |
| Ransomware | Encrypts files → ransom; usually delivered by a Trojan | WannaCry, LockBit, REvil, Conti, BlackCat |
| Spyware / Stealer | Steals credentials, crypto wallets, cookies, etc. | RedLine, Vidar, Lumma, Pegasus (mobile) |
| Cryptominer | Mines cryptocurrency on the victim's CPU/GPU, stealing electricity | XMRig (Monero), CoinHive (browser) |
| Banking Trojan | Rewrites banking sites, hijacks auth, form-grabs | Zeus, Trickbot, Dridex, Emotet, QakBot |
| Botnet client | Turns the host into a zombie used for DDoS and spam | Mirai (IoT), Necurs, Emotet, Mozi |
| Rootkit | A concealment layer inside the OS that hides other malware | Stuxnet, ZeroAccess, LoJax (UEFI) |
| Dropper / Loader | First-stage; pulls in subsequent payloads | Emotet, IcedID, BumbleBee, SmokeLoader |
"Virus / Worm / Trojan" classify by how it spreads. "Ransomware / Stealer / RAT" classify by what it does. Both axes apply simultaneously. WannaCry is ransomware AND a worm. Emotet is a Trojan AND a Banking Trojan AND a Botnet client AND a Loader — overlapping membership is the norm.
Functional sub-types of Trojans — by the criminal's economic goal #
A finer breakdown of Trojan functionality lines up directly with the criminals' economic goals:
| Sub-type | Target | Representative families |
|---|---|---|
| Banking Trojan | Online banking credentials, 2FA codes, wire transfers | Zeus (2007), SpyEye, Trickbot, Dridex, Emotet, QakBot, IcedID |
| InfoStealer | Browser-saved passwords, cookies, crypto wallets, Discord/Steam tokens | RedLine, Vidar, Lumma, Raccoon, AZORult, MetaStealer |
| Ransomware (family) | Encrypt files → ransom for decryption key | LockBit, ALPHV/BlackCat, Conti, REvil, Royal, Akira |
| RAT | Complete remote control (screen/camera/mic/files/commands) | Cobalt Strike, Sliver, NjRAT, Quasar, Remcos, AsyncRAT |
| Dropper / Loader | First-stage payload — pulls in subsequent stages | Emotet (largest today), BumbleBee, GootLoader, IcedID, SocGholish |
| Cryptominer | Mines Monero on CPU/GPU (passing electricity and heat onto the victim) | XMRig (abused OSS), Lemon Duck |
| Botnet client | A foothold for DDoS / spam / stealer distribution | Mirai (IoT), Necurs, Emotet, Mozi |
| Spyware (state-grade) | Continuous surveillance of journalists, activists, politicians | Pegasus (NSO Group), FinFisher, Predator (Intellexa) |
Emotet performs initial access, pulls in Trickbot, Trickbot reconnoiters Active Directory with BloodHound, and the chain ends with Ryuk / Conti for encryption — that multi-stage attack chain is now standard. Division of labor has reached the point where Initial Access Brokers (IABs) sell "initial intrusion" as a specialty.
Delivery vectors — the 2026 reality #
How a Trojan reaches a user's PC has changed dramatically over the past decade. With Office macros blocked by default (Microsoft 2022) and broader OS hardening, the old methods stopped working — and new delivery vectors have steadily emerged in their place.
- Phishing email attachments — still the overwhelming #1. `.docm` (macro-bearing Word) is in decline, replaced by `.iso` / `.lnk` / `.one` (OneNote) / `.svg` / HTML smuggling
- HTML smuggling — HTML inside the email assembles a zip via in-browser JS, so EDR can't catch it as a file attachment
- Malvertising — paid ads at the top of search results that impersonate "official software download" pages (PuTTY, Notion, OBS, VS Code all have many fake-ad cases). Google Ads has repeatedly failed to clean these up
- Pirated / cracked software — Adobe / Office / game cracks come with Trojans bundled in. "Free things you find" always carry risk
- Vishing (voice phishing) — "This is IT support, your PC has been compromised". Attackers operate legitimate remote-access tools like AnyDesk / TeamViewer
- USB drops — leaving a USB labeled "Payroll 2026" in a parking lot. The classic still works against enterprise targets
- Drive-by download — infected by visiting a page, via a browser vulnerability. Sandboxing made this hard but zero-days still get there
- Supply chain — poison a legitimate software's update mechanism to ship to every customer. SolarWinds Sunburst (2020) / 3CX (2023) / XZ utils backdoor (2024) are the representative cases
- Living off Trusted Sites — abusing GitHub / Discord / Telegram / Cloudflare R2 / AWS S3 as malware delivery and C2 channels
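A mail-gateway-side check for the attachment vectors above, written for this article as an added example in Python (it is not code from the article or from any product it names). It applies the attachment-type restriction the defense section describes, catches the `invoice.pdf.exe` double-extension trick, looks inside zip containers, and scores any text payload that carries a `<script>` block (HTML, or an SVG as in the vector list) against the JavaScript calls HTML smuggling needs to rebuild a file in the browser. The extension sets, the marker list and the samples are constructed for the example; `.svg` is deliberately left off the blocklist so the smuggling heuristic, not the extension, makes the call.

```python
import io
import re
import zipfile

# Attachment types the article's email-filtering layer restricts, plus the
# disk-image and script-host types from the delivery-vector list (assumed set).
BLOCKED_EXT = {".exe", ".scr", ".iso", ".img", ".vhd", ".one", ".lnk",
               ".html", ".htm", ".hta", ".js", ".jse", ".vbs", ".wsf"}
# Extensions users read as "harmless document"; used to spot invoice.pdf.exe.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# JavaScript an HTML-smuggling page needs to rebuild a file in the browser and
# push it to the download manager. Two or more together is a strong signal.
SMUGGLING_MARKERS = {
    "atob(": re.compile(r"\batob\s*\(", re.I),
    "new Blob(": re.compile(r"new\s+Blob\s*\(", re.I),
    "createObjectURL(": re.compile(r"createObjectURL\s*\(", re.I),
    "download attribute": re.compile(r"""\.download\s*=|\bdownload\s*=\s*["']""", re.I),
    "long base64 literal": re.compile(r"[A-Za-z0-9+/]{400,}={0,2}"),
}


def split_ext(name):
    """Return (penultimate_ext, final_ext): 'invoice.pdf.exe' -> ('.pdf', '.exe')."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return ("", "")
    final = "." + parts[-1]
    stem = "." + parts[-2] if len(parts) >= 3 else ""
    return (stem, final)


def html_smuggling_hits(text):
    """Labels of the smuggling markers present in a script-bearing payload."""
    return [label for label, rx in SMUGGLING_MARKERS.items() if rx.search(text)]


def triage_attachment(name, data, _depth=0):
    """Return ('block' | 'review' | 'allow', reasons) for one attachment."""
    block, review = [], []
    stem, final = split_ext(name)
    if final in BLOCKED_EXT:
        block.append(f"blocked extension {final}")
    if stem in DECOY_EXT and final and final not in DECOY_EXT:
        block.append(f"double extension {stem}{final}")
    # Any text payload with <script> gets the smuggling heuristic, whatever the
    # extension claims (HTML, SVG, or a member pulled out of a zip).
    head = data[:1_000_000]
    if b"<script" in head.lower():
        hits = html_smuggling_hits(head.decode("utf-8", "ignore"))
        if len(hits) >= 2:
            block.append("HTML smuggling indicators: " + ", ".join(hits))
        else:
            review.append("embedded <script>")
    # One level of zip inspection; encrypted members cannot be read, so flag them.
    if final == ".zip" and _depth == 0:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:
                        review.append(f"password-protected member {info.filename}")
                        continue
                    verdict, reasons = triage_attachment(info.filename, zf.read(info), _depth + 1)
                    target = block if verdict == "block" else review
                    target.extend(f"{info.filename}: {r}" for r in reasons)
        except zipfile.BadZipFile:
            review.append("zip extension but not a valid zip archive")
    if block:
        return "block", block + review
    if review:
        return "review", review
    return "allow", []


# Constructed samples for the demo (not real malware): an SVG with a smuggling
# stub, and a zip hiding a double-extension shortcut behind a payroll name.
SMUGGLED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><script>
var b = atob("UEsDBBQAAAAIAAAAAAAA");  // constructed stub, not a real payload
var blob = new Blob([b], {type: "application/octet-stream"});
var a = document.createElement("a"); a.href = URL.createObjectURL(blob);
a.download = "Invoice_2026.zip"; a.click();
</script></svg>"""


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payroll_2026.pdf.lnk", b"L\x00\x00\x00")  # constructed stub
        zf.writestr("readme.txt", b"see attached")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("notes.txt", b"hello"), ("invoice.pdf.exe", b"MZ\x90\x00"),
                       ("Invoice.svg", SMUGGLED_SVG), ("Payroll_2026.zip", build_sample_zip())]:
        verdict, reasons = triage_attachment(name, data)
        print(f"{name:20} {verdict:6} {reasons}")
```

The verdicts are a gateway policy, not a malware verdict: `review` is meant to route to sandbox detonation (the next layer in the table), and a password-protected archive is the canonical case where the filter cannot decide on its own.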
The attack chain — a miniature MITRE ATT&CK #
Walking a Trojan's behavior in MITRE ATT&CK Tactics order lays out the path from "the click" to "ransomware fires":
Average time from Initial Access to Lateral Movement (CrowdStrike 2024): 62 minutes, down from 84 the previous year. If detection slips, the entire AD domain can be owned in days or weeks, and ransomware can be triggered to encrypt the data. By the time it's noticed, damage has already spread.
Where to stop it #
- Stages ①–② — email filtering / macro disablement / no pirated software / Application Allowlisting (most effective)
- Stages ③–⑤ — EDR behavioral detection / blocking C2 domains at the proxy (the modern battleground)
- Stages ⑥–⑨ — LSASS protection / network segmentation / Tier management / honey tokens
- Stage ⑩ — almost always too late. Restoring from backup is the last line of business continuity
Persistence and evasion — the moving parts #
The biggest challenge for malware is "surviving a reboot". The Windows persistence catalogue, shown with Registry and command-line examples:
```cmd
# 1) Registry Run keys (the classic — and the easiest to find)
> reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v evil /d C:\Users\Public\evil.exe
# 2) Scheduled Task — fire at logon
> schtasks /create /tn "Updater" /sc onlogon /tr C:\evil.exe
# 3) Service — resident as SYSTEM via sc create
> sc create EvilSvc binPath= C:\evil.exe start= auto
# 4) DLL hijacking — drop a malicious DLL in the path a legit EXE searches
# 5) COM hijacking — rewrite a COM CLSID in the Registry
# 6) WMI Event subscription — periodic execution via WMI events (hard to detect)
# 7) Bootkit / UEFI rootkit — runs before the OS even starts (LoJax, MoonBounce, BlackLotus)
```
Classic Defense Evasion #
- Packer / Crypter — UPX / Themida / commercial packers encrypt the code and unpack at runtime to evade AV signatures
- Polymorphic / Metamorphic — transform the code on every infection so signatures don't match
- Code-signing certificate abuse — sign with a stolen legitimate vendor cert (Stuxnet used Realtek / JMicron certs)
- Process injection / hollowing — inject the attacker's code into legitimate processes like `explorer.exe` and `svchost.exe`
- LOLBins (Living off the Land Binaries) — use legitimate system tools like `powershell`, `mshta`, `certutil`, `regsvr32`, `rundll32`, `bitsadmin` to do what malware would do (catalogued by the LOLBAS Project)
- Sandbox detection — look at VM / sandbox tells (low RAM, accelerated sleep, specific drivers) and self-terminate
- Sleep / Stalling — wait hours or days before doing anything, defeating short-window sandbox analysis
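The persistence catalogue and the LOLBin list above, turned around into a defender's check. This is an added Python example written for this article, not code from the article or any tool it names: it parses the output of `reg query` for a Run key and scores each autorun command on where its image lives (user-writable directory vs. Program Files / System32), whether the launcher is one of the LOLBins named above, and whether the arguments carry the classic tells (encoded PowerShell, hidden window, `javascript:` handlers, remote scriptlets, certutil downloads). The scoring weights, the directory lists and the sample registry dump are constructed for the example; the same `score_command()` heuristic applies unchanged to scheduled-task and service command lines collected by other means.

```python
import re

# Registry-value line as printed by `reg query`: four spaces, value name,
# four spaces, type, four spaces, data. Value names may contain spaces.
REG_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")

# System binaries the article lists as LOLBins, plus the usual script hosts.
LOLBINS = {"powershell", "pwsh", "mshta", "certutil", "regsvr32", "rundll32",
           "bitsadmin", "wscript", "cscript", "cmd", "msiexec"}
# Directories a standard user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\",
                 "\\downloads\\", "\\programdata\\", "\\$recycle.bin\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",
                 "c:\\windows\\system32\\")
# (pattern over the whole command line, points, explanation); weights are assumed.
ARGUMENT_TELLS = [
    (re.compile(r"\s-(enc|encodedcommand|e)\s", re.I), 40, "encoded PowerShell command"),
    (re.compile(r"\s-(w|windowstyle)\s+hidden", re.I), 20, "hidden window"),
    (re.compile(r"\s-(nop|noprofile)\b", re.I), 10, "profile skipped"),
    (re.compile(r"javascript:", re.I), 40, "javascript: handler (mshta/rundll32)"),
    (re.compile(r"/i:https?://|scrobj\.dll", re.I), 40, "regsvr32 remote scriptlet"),
    (re.compile(r"-urlcache|-decode", re.I), 30, "certutil download/decode"),
    (re.compile(r"https?://", re.I), 20, "URL in autorun command"),
]


def image_path(cmd):
    """First token of a Windows command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def score_command(cmd):
    """Return (score, reasons) for one autorun command line."""
    score, reasons = 0, []
    path = image_path(cmd).lower()
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if base.endswith(".exe"):
        base = base[:-4]
    if base in LOLBINS:
        score += 30
        reasons.append(f"LOLBin launcher {base}")
    low = cmd.lower()
    for d in USER_WRITABLE:
        if d in low:
            score += 30
            reasons.append(f"user-writable path {d.strip(chr(92))}")
            break
    if path and base not in LOLBINS and not path.startswith(TRUSTED_ROOTS):
        score += 10
        reasons.append("image outside Program Files / System32")
    for rx, points, why in ARGUMENT_TELLS:
        if rx.search(cmd):
            score += points
            reasons.append(why)
    return score, reasons


def audit_run_keys(reg_query_output, threshold=30):
    """Parse `reg query` output and return entries at or above threshold, highest score first."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = REG_LINE.match(line)
        if not m:
            continue
        name, _type, data = m.groups()
        score, reasons = score_command(data)
        if score >= threshold:
            findings.append({"key": key, "name": name, "command": data,
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed `reg query` output for the demo (the -enc blob is meaningless filler).
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    evil    REG_SZ    C:\Users\Public\evil.exe
    Updater    REG_SZ    powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQQ==
    Helper    REG_SZ    mshta javascript:window.close()
"""

if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG_OUTPUT):
        print(f"{f['score']:3}  {f['name']:10} {f['command']}\n     {', '.join(f['reasons'])}")
```

A LOLBin launcher on its own scores 30 (review, since `rundll32` does appear in legitimate autoruns), while an encoded, hidden PowerShell one-liner or a `javascript:` handler lands at 70 to 100 and should be treated as a confirmed finding pending the EDR timeline.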
Historical landmark Trojans #
| Year | Name | Notable for |
|---|---|---|
| 1989 | AIDS Trojan (PC Cyborg) | World's first ransomware. Floppy delivery, encrypts HDD filenames, $189 ransom |
| 1998-99 | Sub7 / BackOrifice | RAT pioneers. The moment "hacking" entered pop culture |
| 2007 | Zeus (Zbot) | The king of Banking Trojans. Source code leak (2011) produced an explosion of forks (Citadel, Gameover Zeus, etc.) |
| 2010 | Stuxnet | State-grade. 4 zero-days + Realtek/JMicron signing + tampering with Siemens PLCs — physically destroyed Iranian centrifuges, the first publicly known cyber weapon |
| 2014 | Emotet | Started as a Banking Trojan, evolved into a malware-delivery platform. Taken down by Europol in 2021, returned in 2022 |
| 2016 | Mirai | IoT botnet. Infected 600,000+ Wi-Fi cameras and DVRs; the Dyn DDoS knocked Twitter / Reddit / GitHub offline |
| 2017 | WannaCry / NotPetya | Worm + ransomware built on EternalBlue (NSA leak). 150 countries, 200,000+ machines; took down UK NHS / Maersk / FedEx |
| 2018- | TrickBot / Ryuk / Conti | The Emotet → TrickBot → Conti multi-stage chain becomes industry standard |
| 2020 | SolarWinds Sunburst | Supply-chain attack — malware planted in the SolarWinds Orion update breached 9 U.S. federal agencies |
| 2021 | Pegasus exposé | NSO Group's commercial spyware. Zero-click exploits on the phones of journalists, activists, politicians |
| 2023 | 3CX supply chain | North-Korea-linked malware injected into a 3CX VoIP software update. Potential reach: 590,000 enterprise customers |
| 2024 | XZ utils backdoor (CVE-2024-3094) | An attacker embedded for two years as an OSS maintainer to plant a liblzma backdoor — caught moments before an SSH-auth bypass would have landed in every Linux distro |
| 2025 | GootLoader / SocGholish resurgence | SEO-poisoned JS loaders disguised as "contract template" downloads come back into fashion |
Far from fading, Trojans have only become more sophisticated over 35 years. Supply-chain attacks are particularly hard to defend against, and the XZ utils incident (2024) almost succeeded in planting a backdoor in nearly every Linux system on Earth — a fact that shook the industry. The fundamental problem of "what do you do when the maintainer can no longer be trusted?" remains unsolved.
Malware-as-a-Service and the modern ecosystem #
The model has evolved from "a single hacker writes and distributes" into a commercial ecosystem with proper division of labor — structurally similar to the software industry itself.
- MaaS (Malware-as-a-Service) — the author rents malware out to other criminals for a monthly or per-use fee. RedLine Stealer is $200/month, LockBit takes 20% of the ransom for the author
- RaaS (Ransomware-as-a-Service) — the specialized form. "Affiliates" handle intrusion; encryption and negotiation are run by HQ
- IAB (Initial Access Brokers) — brokers who trade "a foothold into Company X's internal network (RDP/VPN credentials)" for $1,000–$50,000. Russian Market / Genesis Market and similar forums
- Stealer logs (combo lists) — "URL + ID + password" sets pulled from infected hosts, $2–$20 per bot
- Crypter / Packer services — "we will pack your malware so AV can't detect it", offered on subscription
- Bullet-proof hosting — servers (mostly) shielded from law enforcement. Heavily based in Russia, Eastern Europe, and China
"Buy initial access from an IAB, encrypt via RaaS, buy stealer logs separately" — this fully divided economy is what enables $50M+ ransom attacks. Both MGM Resorts (2023, $100M+ in losses) and Change Healthcare (2024, $22M ransom + $872M in losses) were born from this model.
Defense — the one root rule, plus layered defense #
"Don't run untrusted code" is the only true root defense. Expecting perfect judgment from ordinary users is unrealistic, so layered defense is the standard form.
| Layer | Content |
|---|---|
| Email filtering | Restrict attachment types (.exe .iso .one .lnk .html) / sandbox inspection / SPF/DKIM/DMARC |
| Browser / OS sandbox | Chrome/Edge site isolation / Windows Sandbox / macOS Gatekeeper / Linux non-root operation |
| Macro / scripting restriction | Office macros off by default (Microsoft 2022 standard) / PowerShell Constrained Language / WSH disabled |
| EDR | CrowdStrike Falcon / Microsoft Defender for Endpoint / SentinelOne — behavior-based detection |
| Application Allowlisting | AppLocker / WDAC / Gatekeeper / SELinux blocking anything not on the allowlist (strongest, heaviest to run) |
| Multi-factor authentication (MFA) | Even if a password is stolen, auth won't go through. Caps the damage from stealers |
| Privilege separation | Run as non-admin; elevate temporarily with sudo; isolate Tier 0 accounts |
| Network segmentation | VLAN splitting / Zero Trust / micro-segmentation to suppress lateral movement |
| Block C2 traffic | Proxy-side blocking of known C2 domains / DNS filtering (Quad9, Cloudflare 1.1.1.2) |
| Backups + immutable storage | The last line against ransomware. 3-2-1 rule + offline / write-once copies |
| Patch management | Auto-updates for browsers / OS / business apps close off delivery vectors |
(1) Don't open email attachments by default / (2) Keep OS and browser auto-update on / (3) Enable MFA (authenticator app) / (4) Don't install pirated or cracked software / (5) Keep MS Defender / macOS XProtect / Linux ClamAV active — these alone neutralize 90% of Trojan attacks.
Analysis approach — when a suspicious file shows up #
The analysis workflow when a suspicious file (an odd email attachment, an unknown exe found on a shared PC) lands in your hands:
| Method | Tools | What you learn |
|---|---|---|
| Online scan | VirusTotal | 70+ AV engine verdicts + past analysis history |
| Dynamic analysis (sandbox) | Any.Run, Triage, Joe Sandbox, Cuckoo | Isolated-VM execution recording API calls / network destinations / file changes |
| Static analysis | DIE (Detect It Easy), PEStudio, exiftool, strings | Packer type / imported functions / suspicious strings |
| Disassembly | Ghidra (NSA OSS), IDA Pro, Binary Ninja, radare2 | Read the assembly and C-like decompilation |
| Debugger | x64dbg, gdb + pwndbg, Frida | Pause execution and inspect internals |
| Yara rules | yara, YARA-Rules | Match against known families |
| ATT&CK Navigator | navigator | Map observed behavior to Tactics/Techniques |
```sh
$ file suspicious.exe                                # file format
$ sha256sum suspicious.exe                           # hash → VT search key
$ strings -a -n 8 suspicious.exe | head -50          # URLs / API names / mutex names
$ exiftool suspicious.exe                            # metadata
$ upx -d suspicious.exe 2>/dev/null                  # unpack if UPX-packed
$ clamscan -i suspicious.exe                         # quick AV scan
# Submit to VirusTotal through its v3 API (curl, no GUI needed)
$ curl -F "file=@suspicious.exe" -H "x-apikey: YOUR_KEY" \
    "https://www.virustotal.com/api/v3/files"
```
Always analyze in an isolated VM (VMware / VirtualBox with snapshots), a disposable cloud VM, or an online sandbox (Any.Run). Cut off the network or limit it to an analysis-only MITM proxy. Never run a sample on a production system or your personal PC.
Summary #
- A Trojan is the "not self-replicating, not exploiting a vulnerability — the user installs it themselves" model. It targets human psychology as the primary vulnerability
- The modern profile is "no single-purpose, no single-stage" — multi-stage chains, IAB-to-RaaS labor division, supply-chain attacks, commercial spyware — the entire industry has been productized
- The defense root is "don't run untrusted code", but perfect user judgment is unrealistic → email filtering + macro disablement + EDR + MFA + backups + patching + Allowlisting as a layered defense
- "One layer stops everything" is the wrong frame. The 2026 standard mindset is "assume the Trojan gets through the first few layers; design how the later layers stop it"