Trojan Horse Explained: Malware Types, Delivery, and Defenses thumbnail

Trojan Horse Explained: Malware Types, Delivery, and Defenses

⏱ approx. 28 min views 77 likes 0 LOG_DATE:2026-05-10
TOC

Trojan Horse #

Trojan horse is the umbrella term for malware that disguises itself as legitimate software so that the user installs it voluntarily. The name comes from the Greek myth in the Iliad — soldiers hidden inside a giant wooden horse, brought into the city by the enemy themselves. The shape of that idea — "have the enemy open their own gate" — maps directly to the attack model "have the user click Install themselves."

Unlike a Virus or Worm, a Trojan doesn't self-replicate, and doesn't require an unpatched vulnerability, so infection succeeds even on a system without a single bug. The first step is always a user judgment error, and that's the substance of why Trojans have remained a primary attack surface for 30+ years.

The article structures the topic as "how Trojans relate to Virus / Worm / Ransomware / RAT in one diagram, modern functional sub-classes, the attack chain from delivery to objectives in another diagram (a MITRE ATT&CK miniature), persistence and evasion, representative incidents, the Malware-as-a-Service ecosystem, and defenses." Trojan is an old idea, but it's still by far the most common entry point for modern attacks — internalize that map first.

1. Where Trojan sits in the malware taxonomy #

News articles routinely use "virus," "malware," "Trojan," and "ransomware" interchangeably, but technically there's a sharp distinction by behavior and purpose. One piece of malware can sit in several categories at once (e.g., WannaCry = Worm + Ransomware), so a classification map keeps things organized.

Malware taxonomy — split by "how it spreads" vs "what it does" Trojan is a "how it spreads" classification; Ransomware/Spyware are "what it does" — they can hold simultaneously ▼ Spreading mechanism (= how it reaches the victim) Virus "Parasitizes" a host file Activates when host file runs Spreads via user actions Examples: ELK Cloner, CIH, Brain [Classical; rare today] Worm Self-replicates, auto-spreads on the network Hops via vulnerabilities No user action needed Examples: Morris, Slammer, Conficker, WannaCry (the worm part) ★ Trojan horse Disguises as legitimate software User runs it themselves Doesn't self-replicate Examples: Zeus, Emotet, Trickbot, Sub7, Cobalt Strike (commercialized) ▼ Purpose (= what it does post-infection) — Trojan is the delivery; these ride inside it Backdoor / RAT Remote control by the attacker screen / keys / files / commands Examples: Cobalt Strike, NjRAT, Quasar, Sliver Ransomware Encrypt files → demand ransom Usually delivered by a Trojan Examples: WannaCry, LockBit, REvil, Ryuk, Conti, BlackCat Spyware / Stealer Steal info (credentials / crypto / browser cookies) Examples: RedLine, Vidar, Lumma, Pegasus (mobile) Cryptominer Mine crypto on victim's CPU/GPU Steals power and performance Examples: XMRig (Monero), CoinHive (browser-based) Banking Trojan Manipulate bank UI / steal auth Form grabbing Examples: Zeus, Trickbot, Dridex, Emotet, QakBot Botnet client Zombie host taking attacker orders DDoS, spam, distribution Examples: Mirai (IoT), Necurs, Emotet, Trickbot Rootkit Hidden layer inside the OS Hides other malware's presence Examples: Stuxnet, ZeroAccess, UEFI rootkit (LoJax) Dropper / Loader First-stage that fetches more Downloads the second-stage payload Examples: Emotet, IcedID, BumbleBee, SmokeLoader, Qbot ▼ Multi-class examples: WannaCry = Worm + Ransomware / Emotet = Trojan + Banking + Botnet + Loader "Trojan classifies the delivery." "Ransomware classifies the goal." Both can be true at the same time

The takeaways:

  • Virus, Worm, and Trojan classify the spreading method. Independent of "what it carries" (Ransomware / Stealer / RAT). It's normal for one piece of malware to be multiple at once: "WannaCry is ransomware and a worm," "Emotet is a Trojan, a banking Trojan, a botnet client, and a loader."
  • Trojan differs from Virus / Worm in that it doesn't self-replicate. Distribution is human-initiated (phishing, pirated downloads, malvertising).
  • Backdoor (RAT) is the "remote-control interface the attacker uses after the Trojan let them in." That Cobalt Strike (originally a commercial pentest tool) became the standard tool of cybercrime is a dark-side fact of the industry.
  • Rootkit is the "hide the other malware" concealment layer. Sometimes the Trojan itself is also a rootkit.

2. Modern functional sub-categories of Trojans #

Going one level finer, Trojans split by the attacker's economic objective:

Sub-category What they target Representative families
Banking Trojan Online banking creds, 2FA codes, account transfers Zeus (2007), SpyEye, Trickbot, Dridex, Emotet, QakBot, IcedID
InfoStealer Browser-saved passwords, cookies, crypto wallets, Discord/Steam tokens RedLine, Vidar, Lumma, Raccoon, AZORult, MetaStealer
Ransomware (family) Encrypt files → demand ransom for the decryption key LockBit, ALPHV/BlackCat, Conti, REvil, Royal, Akira
RAT (Remote Access Trojan) Full remote control (screen/cam/mic/files/command exec) Cobalt Strike, Sliver, NjRAT, Quasar, Remcos, AsyncRAT
Dropper / Downloader First-stage payload — fetches the next Trojan Emotet (the modern leader), BumbleBee, GootLoader, IcedID, SocGholish
Cryptominer Mine Monero etc. on CPU/GPU (electricity and heat go to the victim) XMRig (open source weaponized), Lemon Duck
Botnet client Mass infection → springboard for DDoS, spam, stealer distribution Mirai (IoT), Necurs, Emotet, Mozi
Spyware (state-grade) Continuous surveillance of high-value targets (journalists, activists, politicians) Pegasus (NSO Group), FinFisher, Predator (Intellexa)

"Modern Trojans aren't single-purpose; they're modular." The standard now is multi-stage chains like Emotet → Trickbot → BloodHound (AD recon) → Ryuk / Conti for encryption. Initial Access Brokers (IAB) even exist as specialized vendors who only sell initial access — labor-division has gone deep.

3. Delivery vectors — the 2026 reality #

The path a Trojan takes to reach the user's PC has changed considerably in the past 10 years. Office macro lockdown (Microsoft 2022) and OS-side hardening killed the old methods, and new delivery formats have appeared in their place:

  • Phishing email attachments — still by far the top method. .docm (macro-laden Word) is in decline; in its place, .iso / .lnk / .one (OneNote) / .svg / .html smuggling are trending
  • HTML smuggling — the email body is HTML that assembles a zip in the browser via JavaScript. EDR can't catch it as a file attachment
  • Malvertising — the top-of-search paid ad pretends to be "download " (real cases: PuTTY, Notion, OBS, VS Code). Google Ads frequently fails at cleaning these up — a long-standing problem
  • Pirated / cracked software — Adobe / Office / game cracks come bundled with Trojans. "Anything free" carries inherent risk
  • Vishing (voice-based social engineering) — "I'm from IT support, your PC is compromised, install this tool from this link." Attackers operate legitimate AnyDesk / TeamViewer remotely
  • USB drops — drop 100 USBs labeled "Salaries 2026" in the parking lot. Still works against corporate targets
  • Drive-by download — browser vulnerabilities → infected just by visiting. Made hard by Chrome/Firefox/Edge sandboxes, but zero-days do succeed
  • Supply-chainpoison the legitimate software's update channel to ship to all customers. Examples: SolarWinds Sunburst (2020), 3CX (2023), XZ utils backdoor (2024)
  • Living off Trusted Sites — abusing GitHub / Discord / Telegram / Cloudflare R2 / AWS S3 for malware distribution and C2. "Surely not from such a major service" becomes the attacker's shield

4. Attack chain — initial access through objectives #

Following Trojan behavior in MITRE ATT&CK Tactics order reveals the path from "the click" to "ransomware execution." It also matches the Lockheed Martin Cyber Kill Chain.

Typical Trojan attack chain (MITRE ATT&CK Tactics miniature) From the phishing email landing to ransomware/data theft — hours to weeks of progression (1) Initial Access (TA0001) Phishing email / fake ads / pirated software / supply chain (2) Execution (TA0002) Run via macro / .lnk / .iso / .one / HTML smuggling (3) Persistence (TA0003) Registry Run / Scheduled Task / Service / DLL hijack (4) Defense Evasion (TA0005) packer / process injection / LOLBin / cert abuse (5) C2 — Command and Control (TA0011) Periodic beacons to the attacker (HTTPS / DNS / Discord) (6) Discovery (TA0007) Domain info / AD layout / network recon (BloodHound) (7) Privilege Escalation (TA0004) UAC bypass / kernel exploit / token theft / cred stealing (8) Credential Access (TA0006) mimikatz / LSASS dump / browser password extraction (9) Lateral Movement (TA0008) Pass-the-Hash / RDP / WMI / PsExec to other hosts (10) Impact (TA0040) — final objective Ransomware encryption / Exfiltration / DDoS / destruction ▼ The time-axis reality - Average time from Initial Access to Lateral Movement (CrowdStrike 2024 stats): 62 minutes (down from 84 the year before) - A delayed detection means the AD domain is owned within days/weeks, with ransomware arriving for encryption "The first few dozen minutes decide the outcome" — by later detection, the damage has already spread

Stopping the chain at any one stage minimizes damage:

  • Stop at stages (1)–(2) = email filtering / macro disable / no pirated SW / Application Allowlisting (most effective)
  • Stop at stages (3)–(5) = EDR behavioral detection / proxy blocks for known C2 domains (the modern frontline)
  • Stop at stages (6)–(9) = LSASS protection / network segmentation / Tier admin / honey tokens
  • Stop at stage (10) = essentially too late. Backups are the last line of business continuity

5. Persistence and evasion — staying alive #

Malware's largest challenge is "survive a reboot." The classic Windows Persistence techniques:

  • Registry Run keys — write to HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Oldest and easiest to find
  • Scheduled Taskschtasks /create for run-at-logon
  • Servicesc create to register as a Windows service (runs as SYSTEM)
  • DLL hijacking — drop a DLL into a directory the legit EXE searches first
  • COM hijacking — rewrite COM CLSIDs in the registry
  • WMI Event subscription — install a WMI event hook for periodic execution (hard to detect)
  • Bootkit / UEFI rootkit — runs before the OS even starts (LoJax, MoonBounce, BlackLotus)

The classic Defense Evasion patterns:

  • Packers / Crypters — UPX / Themida / commercial packers / custom crypters encrypt the code, decrypt at runtime. Defeats AV signatures
  • Polymorphic / Metamorphicmutate code on every infection so signatures don't match
  • Code-signing certificate abuse — sign with stolen vendor certificates (Stuxnet used Realtek / JMicron certs)
  • Process injection / hollowing — inject the malicious code into a legitimate process (explorer.exe, svchost.exe)
  • Living off the Land Binaries (LOLBins) — achieve malware-equivalent behavior using legitimate system tools like powershell, mshta, certutil, regsvr32, rundll32, bitsadmin (catalogued at LOLBAS Project)
  • Sandbox detection — look for VM / sandbox tells (low RAM, accelerated sleep, specific drivers) and self-terminate
  • Sleep / Stalling — sleep for hours or days before doing anything; defeats short-window sandbox analysis

6. Representative Trojans through history #

Year Name Notes
1989 AIDS Trojan (PC Cyborg) The world's first ransomware. Distributed by floppy, encrypted file names on the HDD, demanded $189
1998-1999 Sub7 / BackOrifice Pioneer RATs. The era when "hacking" entered popular culture
2007 Zeus (Zbot) The king of banking Trojans. Source code leaked (2011) → spawned a cascade of variants (Citadel, Gameover Zeus, …)
2010 Stuxnet Nation-state grade. 4 zero-days + Realtek/JMicron signing certs + Siemens PLC tampering. Physically destroyed Iranian nuclear centrifuges. The first publicly known cyberweapon
2014 Emotet Started as a banking Trojan, evolved into a malware distribution platform. Taken down by Europol in 2021, returned in 2022
2016 Mirai IoT botnet. Infected 600k+ Wi-Fi cameras / DVRs; the Dyn DDoS swept up Twitter / Reddit / GitHub
2017 WannaCry / NotPetya Worm + ransomware combining EternalBlue (NSA leak). 150 countries, 200k+ hosts, took down UK NHS / Maersk / FedEx
2018- TrickBot / Ryuk / Conti The Emotet → TrickBot → Conti (big-game ransomware) multi-stage chain became industry standard
2020 SolarWinds Sunburst Supply-chain attack. Inserted into SolarWinds Orion's update; 9 US federal agencies breached
2021 Pegasus exposed (Forbidden Stories) NSO Group's commercial spyware. Zero-click exploits on the smartphones of journalists, activists, politicians
2023 3CX supply chain The 3CX VoIP software's update line carried North Korea-linked malware. 590k 3CX customer companies potentially affected
2024 XZ utils backdoor (CVE-2024-3094) An OSS maintainer infiltrated for 2 years, then planted a backdoor in liblzma — almost shipped an SSH bypass to every Linux on Earth before being caught
2025 GootLoader / SocGholish revival SEO poisoning → JavaScript loaders pretending to be "contract templates" returned with vigor

"Trojans haven't faded over 35 years; they've gotten more sophisticated" is the actual record. Supply-chain attacks in particular are extremely hard to defend, and the XZ utils incident (2024)"a backdoor was about to ship to essentially every Linux" — was a wake-up call to the industry.

7. Malware-as-a-Service and the modern ecosystem #

The "lone hacker writes and ships" model has evolved into a division-of-labor commercial ecosystem. The structure resembles the legitimate software industry:

  • MaaS (Malware-as-a-Service) — malware authors rent it out monthly / per-use to other criminals. RedLine Stealer is $200/month; LockBit takes 20% of every ransom for the author
  • RaaS (Ransomware-as-a-Service) — the specialized form of the above. "Affiliates" handle intrusion; HQ does the encryption and negotiation
  • IAB (Initial Access Brokers) — traded "footholds in company X (RDP/VPN credentials)" at $1,000 to $50,000 each on forums like Russian Market / Genesis Market
  • Stealer logs (combo lists) — "URL + ID + password" sets extracted from infected hosts, $2 to $20 per bot. Buy and use directly for attacks
  • Crypter / Packer services — "we'll repack your malware to evade AV detection" — subscriptions
  • Bullet-proof hosting — server services that (mostly) survive law-enforcement takedowns. Largely Russia / Eastern Europe / China

The fully-divided economy where "buy access from an IAB, encrypt via RaaS, buy stealer logs separately" is what made $50M+ ransomware attacks possible. MGM Resorts (2023, $100M+ losses) and Change Healthcare (2024, $22M ransom paid + $872M total losses) were both born from this model.

8. Defense — the only root fix and the realistic layered approach #

"Don't run untrusted code" is the only true root defense. But expecting perfect judgment from ordinary users is unrealistic, so the standard form is layered defense:

Layer Contents
Email filtering Restrict attachment types (.exe .iso .one .lnk .html) / sandbox inspection / sender authentication (SPF/DKIM/DMARC)
Browser / OS sandboxes Chrome/Edge site isolation / Windows Sandbox / macOS Gatekeeper / Linux non-root operation
Macro / scripting restriction Office macros disabled by default (Microsoft 2022 default) / PowerShell ConstrainedLanguage / disable WSH
EDR (Endpoint Detection and Response) CrowdStrike Falcon / Microsoft Defender for Endpoint / SentinelOne — behavior-based detection
Application Allowlisting AppLocker / WDAC / macOS Gatekeeper / Linux SELinux — "if it's not on the list, it can't run" (strongest, but operationally heavy)
MFA Even when stealers grab passwords, the auth doesn't pass. Limits impact
Privilege separation / Just-In-Time admin Daily work as non-admin / temporary sudo / Tier 0 account isolation
Network segmentation Split LAN by VLAN / Zero Trust / micro-segmentation to contain lateral movement
C2 traffic blocking Proxy-block known C2 domains / DNS filtering (Quad9, Cloudflare 1.1.1.2)
Backups + immutable The last wall against ransomware. 3-2-1 rule + offline or write-once copy
Patch management Close exploit-delivery routes (auto-update browser / OS / business apps)

The five minimums for an individual user: (1) don't open email attachments by default, (2) enable auto-update on OS and browser, (3) enable MFA (Authenticator app), (4) don't install pirated / cracked software, (5) keep MS Defender / macOS XProtect / Linux ClamAV active. That alone neutralizes ~90% of Trojan attacks.

9. Analysis approach — when a suspicious file lands in your hands #

When you obtain a suspicious file (a sketchy attachment, an unknown EXE on a shared PC), the analysis sequence:

Method Tools What it tells you
Online scan VirusTotal 70+ AV verdicts and prior analysis history
Dynamic analysis (sandbox) Any.Run, Triage, Joe Sandbox, Cuckoo Run in an isolated VM; capture API calls / network destinations / file changes
Static analysis DIE (Detect It Easy), PEStudio, exiftool, strings Packer type / imports / suspicious strings
Disassembly / decompilation Ghidra (NSA OSS), IDA Pro, Binary Ninja, radare2 Read the assembly or a C-like decompilation
Debuggers x64dbg (Windows), gdb + pwndbg (Linux), Frida Pause execution and inspect internal state
Yara rules yara, YARA-Rules repo Match against known malware family signatures
MITRE ATT&CK Navigator navigator Map observed behavior onto ATT&CK Tactics/Techniques 
# The minimum check sequence (Linux host)
file suspicious.exe                       # file type
sha256sum suspicious.exe                  # hash → search key for VT
strings -a -n 8 suspicious.exe | head -50 # examine strings (URLs / API names / mutex names)
exiftool suspicious.exe                   # metadata
upx -d suspicious.exe 2>/dev/null         # if UPX-packed, unpack
clamscan -i suspicious.exe                # quick AV scan

# Submit to a sandbox (Any.Run via browser / VirusTotal via CLI)
curl -F "file=@suspicious.exe" -H "x-apikey: YOUR_KEY" \
     "https://www.virustotal.com/api/v3/files"

Never run it on production or your personal PC. Use an isolated VM (VMware / VirtualBox with snapshot) or a disposable cloud VM, or an online sandbox (Any.Run). Cut the network or restrict it through an analyzer's MITM proxy — this is the baseline.

A Trojan horse is a malware-delivery model that targets human psychology as the primary vulnerability — not self-replication, not vulnerability exploitation, but getting the user to install it themselves. No matter how correct the code or how strong the cryptography, the moment the user clicks "Run," it's over — and that property is why Trojans remain a primary attack class even after 35 years.

The modern character is "never standalone" — multi-stage chains like Emotet → Trickbot → Conti, a fully labor-divided commercial ecosystem from Initial Access Broker to RaaS, supply-chain attacks like SolarWinds / 3CX / XZ utils, state-grade commercial spyware like Pegasus — wherever you slice it, the industry has scaled up.

The defense is "don't run untrusted code" at the root, but demanding perfection from ordinary users isn't realistic, so the practical answer is layered defense: email filtering + macro disable + EDR + MFA + backups + patches + Application Allowlisting. The 2026 standard mindset isn't "block it all in one layer"; it's "Trojans will inevitably get through the first few layers — how do we stop them at the later stages?"