Trojan Horse Explained — Types, Delivery Vectors, and Defenses

⏱ approx. 25 min read · 2026-05-10

Trojan horse is the umbrella term for malware that "disguises itself as legitimate software so the user installs it themselves". The Homeric idea of "make the enemy open their own gates" maps directly to the modern attack model of "make the user click the install button". A Trojan doesn't self-replicate and doesn't need a vulnerability, so infection can succeed even on a perfectly patched system. The first step is always a user judgment error — and that is precisely why Trojans have remained a primary attack surface for over 35 years. This article goes from classification through delivery vectors, the attack chain, persistence, representative incidents, the MaaS ecosystem, and layered defense.

01

Where Trojan fits in the malware taxonomy #

News articles often use "virus", "malware", "Trojan", and "ransomware" interchangeably, but technically there is a clear distinction in function and behavior. It's also routine for a single piece of malware to belong to multiple categories at once (e.g. WannaCry = Worm + Ransomware).

Classification by spreading method #

| Type | How it spreads | Examples |
|---|---|---|
| Virus | "Parasitizes" other legitimate files and runs when the host runs | ELK Cloner, CIH, Brain (classic, rare today) |
| Worm | Self-replicates, spreads automatically over the network, no user action needed | Morris, Slammer, Conficker, the worm part of WannaCry |
| ★ Trojan | Disguises itself as legitimate software; the user runs it themselves; no self-replication | Zeus, Emotet, Trickbot, Cobalt Strike (commercialized) |

Classification by purpose (what gets carried inside the Trojan) #

| Type | What it does | Examples |
|---|---|---|
| Backdoor / RAT | A back door for remote control by the attacker — screen / keys / files | Cobalt Strike, NjRAT, Quasar, Sliver |
| Ransomware | Encrypts files → ransom; usually delivered by a Trojan | WannaCry, LockBit, REvil, Conti, BlackCat |
| Spyware / Stealer | Steals credentials, crypto wallets, cookies, etc. | RedLine, Vidar, Lumma, Pegasus (mobile) |
| Cryptominer | Mines cryptocurrency on the victim's CPU/GPU, stealing electricity | XMRig (Monero), CoinHive (browser) |
| Banking Trojan | Rewrites banking sites, hijacks auth, form-grabs | Zeus, Trickbot, Dridex, Emotet, QakBot |
| Botnet client | Turns the host into a zombie used for DDoS and spam | Mirai (IoT), Necurs, Emotet, Mozi |
| Rootkit | A concealment layer inside the OS that hides other malware | Stuxnet, ZeroAccess, LoJax (UEFI) |
| Dropper / Loader | First-stage; pulls in subsequent payloads | Emotet, IcedID, BumbleBee, SmokeLoader |

▸ Trojan is the delivery, Ransomware is the purpose — different axes

"Virus / Worm / Trojan" classify by how it spreads. "Ransomware / Stealer / RAT" classify by what it does. Both axes apply simultaneously. WannaCry is ransomware AND a worm. Emotet is a Trojan AND a Banking Trojan AND a Botnet client AND a Loader — overlapping membership is the norm.

02

Functional sub-types of Trojans — by the criminal's economic goal #

A finer breakdown of Trojan functionality lines up directly with the criminals' economic goals:

| Sub-type | Target | Representative families |
|---|---|---|
| Banking Trojan | Online banking credentials, 2FA codes, wire transfers | Zeus (2007), SpyEye, Trickbot, Dridex, Emotet, QakBot, IcedID |
| InfoStealer | Browser-saved passwords, cookies, crypto wallets, Discord/Steam tokens | RedLine, Vidar, Lumma, Raccoon, AZORult, MetaStealer |
| Ransomware (family) | Encrypt files → ransom for decryption key | LockBit, ALPHV/BlackCat, Conti, REvil, Royal, Akira |
| RAT | Complete remote control (screen/camera/mic/files/commands) | Cobalt Strike, Sliver, NjRAT, Quasar, Remcos, AsyncRAT |
| Dropper / Loader | First-stage payload — pulls in subsequent stages | Emotet (largest today), BumbleBee, GootLoader, IcedID, SocGholish |
| Cryptominer | Mines Monero on CPU/GPU (passing electricity and heat onto the victim) | XMRig (abused OSS), Lemon Duck |
| Botnet client | A foothold for DDoS / spam / stealer distribution | Mirai (IoT), Necurs, Emotet, Mozi |
| Spyware (state-grade) | Continuous surveillance of journalists, activists, politicians | Pegasus (NSO Group), FinFisher, Predator (Intellexa) |

▸ Modern Trojans are not single-purpose

Emotet performs initial access, pulls in Trickbot, Trickbot reconnoiters Active Directory with BloodHound, and the chain ends with Ryuk / Conti for encryption — that multi-stage attack chain is now standard. Division of labor has reached the point where Initial Access Brokers (IABs) sell "initial intrusion" as a specialty.

03

Delivery vectors — the 2026 reality #

How a Trojan reaches a user's PC has changed dramatically over the past decade. With Office macros blocked by default (Microsoft, 2022) and broader OS hardening, the old methods stopped working, and new delivery vectors have steadily emerged in their place.

  • Phishing email attachments — still the overwhelming #1. .docm (macro-bearing Word) is in decline, replaced by .iso / .lnk / .one (OneNote) / .svg / HTML smuggling
  • HTML smuggling — HTML inside the email assembles a zip via in-browser JS, so EDR can't catch it as a file attachment
  • Malvertising — paid ads at the top of search results that impersonate "official software download" pages (PuTTY, Notion, OBS, VS Code all have many fake-ad cases). Google Ads has repeatedly failed to clean these up
  • Pirated / cracked software — Adobe / Office / game cracks come with Trojans bundled in. "Free things you find" always carry risk
  • Vishing (voice phishing) — "This is IT support, your PC has been compromised". Attackers operate legitimate remote-access tools like AnyDesk / TeamViewer
  • USB drops — leaving a USB labeled "Payroll 2026" in a parking lot. The classic still works against enterprise targets
  • Drive-by download — infected by visiting a page, via a browser vulnerability. Sandboxing made this hard but zero-days still get there
  • Supply chain — poison a legitimate software's update mechanism to ship to every customer. SolarWinds Sunburst (2020) / 3CX (2023) / XZ utils backdoor (2024) are the representative cases
  • Living off Trusted Sites — abusing GitHub / Discord / Telegram / Cloudflare R2 / AWS S3 as malware delivery and C2 channels
04

The attack chain — a miniature MITRE ATT&CK #

Walking a Trojan's behavior in MITRE ATT&CK Tactics order lays out the path from "the click" to "ransomware fires":

1. Initial Access (TA0001)
Entry via phishing email / fake ads / pirated software / supply chain.
2. Execution (TA0002)
Code is run via macro / .lnk / .iso / .one / HTML smuggling.
3. Persistence (TA0003)
Stays via Registry Run / Scheduled Task / Service / DLL hijack.
4. Defense Evasion (TA0005)
Packer / process injection / LOLBin / signing abuse to dodge detection.
5. C2 (TA0011)
Periodic beacons to the attacker's server (HTTPS / DNS / Discord).
6. Discovery (TA0007)
AD structure / network discovery (BloodHound).
7. Privilege Escalation (TA0004)
UAC bypass / kernel exploit / token theft.
8. Credential Access (TA0006)
mimikatz / LSASS dump / browser password extraction.
9. Lateral Movement (TA0008)
Pass-the-Hash / RDP / WMI / PsExec to reach other hosts.
10. Impact (TA0040) — the final objective
Ransomware encryption / exfiltration / DDoS / destruction.
▸ The first dozens of minutes decide everything

Average time from Initial Access to Lateral Movement (CrowdStrike 2024): 62 minutes, down from 84 the previous year. If detection slips, the entire AD domain can be owned in days or weeks, and ransomware can be triggered to encrypt the data. By the time it's noticed, damage has already spread.

Where to stop it #

  • Stages ①–② — email filtering / macro disablement / no pirated software / Application Allowlisting (most effective)
  • Stages ③–⑤ — EDR behavioral detection / blocking C2 domains at the proxy (the modern battleground)
  • Stages ⑥–⑨ — LSASS protection / network segmentation / Tier management / honey tokens
  • Stage ⑩ — almost always too late. Restoring from backup is the last line of business continuity
05

Persistence and evasion — the moving parts #

The biggest challenge for malware is "surviving a reboot". The catalogue of Windows persistence techniques, with Registry and command-line examples:

Representative Windows persistence techniques
```
# 1) Registry Run keys (the classic — and the easiest to find)
> reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v evil /d C:\Users\Public\evil.exe

# 2) Scheduled Task — fire at logon
> schtasks /create /tn "Updater" /sc onlogon /tr C:\evil.exe

# 3) Service — resident as SYSTEM via sc create
> sc create EvilSvc binPath= C:\evil.exe start= auto

# 4) DLL hijacking — drop a malicious DLL in the path a legit EXE searches
# 5) COM hijacking — rewrite a COM CLSID in the Registry
# 6) WMI Event subscription — periodic execution via WMI events (hard to detect)
# 7) Bootkit / UEFI rootkit — runs before the OS even starts (LoJax, MoonBounce, BlackLotus)
```
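The defender's side of the Run-key technique above, added here as an example that is not part of the original page: a small auditor that parses the text `reg query` prints for a Run key and scores each value by the signals this article names (launch paths in user-writable directories, LOLBin host processes, encoded PowerShell). The sample `reg query` output, the weights and the LOLBin list are assumptions for this example.

```python
import re
from collections import namedtuple

# Constructed sample of what `reg query HKCU\...\Run` prints; not data from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    evil    REG_SZ    C:\Users\Public\evil.exe
    Updater    REG_SZ    rundll32.exe C:\ProgramData\sync\helper.dll,Start
    Shell Helper    REG_SZ    powershell.exe -w hidden -enc QUFBQUFBQUFBQUFB
    Teams    REG_SZ    C:\Program Files\Teams\Teams.exe
"""
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+REG_[A-Z_]+\s+(?P<cmd>.*)$")

# Signal patterns, weights and the LOLBin list are this example's assumptions, not a vendor scale.
RARELY_LEGIT_DIR = re.compile(r"\\(Users\\Public|Temp|Downloads)\\", re.I)
OFTEN_LEGIT_DIR = re.compile(r"\\(AppData|ProgramData)\\", re.I)   # OneDrive legitimately lives here
LOLBINS = {"rundll32", "regsvr32", "mshta", "powershell", "pwsh", "wscript",
           "cscript", "certutil", "bitsadmin", "msiexec"}
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I)
Finding = namedtuple("Finding", "name command score reasons")

def executable(cmd):
    """Basename of the program a Run value launches (handles a quoted path)."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()

SIGNALS = [  # (reason, weight, predicate over the command line)
    ("launches from Public/Temp/Downloads", 2, lambda c: bool(RARELY_LEGIT_DIR.search(c))),
    ("launches from AppData/ProgramData", 1, lambda c: bool(OFTEN_LEGIT_DIR.search(c))),
    ("LOLBin host process", 2, lambda c: executable(c).split(".")[0] in LOLBINS),
    ("encoded PowerShell command", 2, lambda c: bool(ENCODED_PS.search(c))),
]

def score_command(cmd):
    """Sum the weights of every signal that fires; also return why."""
    hits = [(weight, reason) for reason, weight, test in SIGNALS if test(cmd)]
    return sum(w for w, _ in hits), [r for _, r in hits]

def audit_run_keys(reg_query_output):
    """Parse `reg query` text into Findings, highest score first. Score 0 means no signal, not 'clean'."""
    findings = []
    for m in filter(None, map(ENTRY.match, reg_query_output.splitlines())):
        total, reasons = score_command(m["cmd"])
        findings.append(Finding(m["name"], m["cmd"], total, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)

if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG_QUERY):
        print(f"{f.score}  {f.name:<14} {', '.join(f.reasons) or 'no signals'}")
```

The AppData signal is deliberately weighted low: OneDrive and many updaters launch from there, so it is a prompt to look, not a verdict.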

Classic Defense Evasion #

  • Packer / Crypter — UPX / Themida / commercial packers encrypt the code and unpack at runtime to evade AV signatures
  • Polymorphic / Metamorphic — transform the code on every infection so signatures don't match
  • Code-signing certificate abuse — sign with a stolen legitimate vendor cert (Stuxnet used Realtek / JMicron certs)
  • Process injection / hollowing — inject the attacker's code into legitimate processes like explorer.exe and svchost.exe
  • LOLBins (Living off the Land Binaries) — use legitimate system tools like powershell, mshta, certutil, regsvr32, rundll32, bitsadmin to do what malware would do (catalogued at LOLBAS Project)
  • Sandbox detection — look at VM / sandbox tells (low RAM, accelerated sleep, specific drivers) and self-terminate
  • Sleep / Stalling — wait hours or days before doing anything, defeating short-window sandbox analysis
06

Historical landmark Trojans #

| Year | Name | Notable for |
|---|---|---|
| 1989 | AIDS Trojan (PC Cyborg) | World's first ransomware. Floppy delivery, encrypts HDD filenames, $189 ransom |
| 1998-99 | Sub7 / BackOrifice | RAT pioneers. The moment "hacking" entered pop culture |
| 2007 | Zeus (Zbot) | The king of Banking Trojans. Source code leak (2011) produced an explosion of forks (Citadel, Gameover Zeus, etc.) |
| 2010 | Stuxnet | State-grade. 4 zero-days + Realtek/JMicron signing + tampering with Siemens PLCs — physically destroyed Iranian centrifuges, the first publicly known cyber weapon |
| 2014 | Emotet | Started as a Banking Trojan, evolved into a malware-delivery platform. Taken down by Europol in 2021, returned in 2022 |
| 2016 | Mirai | IoT botnet. Infected 600,000+ Wi-Fi cameras and DVRs; the Dyn DDoS knocked Twitter / Reddit / GitHub offline |
| 2017 | WannaCry / NotPetya | Worm + ransomware built on EternalBlue (NSA leak). 150 countries, 200,000+ machines; took down UK NHS / Maersk / FedEx |
| 2018- | TrickBot / Ryuk / Conti | The Emotet → TrickBot → Conti multi-stage chain becomes industry standard |
| 2020 | SolarWinds Sunburst | Supply-chain attack — malware planted in the SolarWinds Orion update breached 9 U.S. federal agencies |
| 2021 | Pegasus exposé | NSO Group's commercial spyware. Zero-click exploits on the phones of journalists, activists, politicians |
| 2023 | 3CX supply chain | North-Korea-linked malware injected into a 3CX VoIP software update. Potential reach: 590,000 enterprise customers |
| 2024 | XZ utils backdoor (CVE-2024-3094) | An attacker embedded for two years as an OSS maintainer to plant a liblzma backdoor — caught moments before an SSH-auth bypass would have landed in every Linux distro |
| 2025 | GootLoader / SocGholish resurgence | SEO-poisoned JS loaders disguised as "contract template" downloads come back into fashion |

▸ What XZ utils made impossible to ignore

Far from fading, Trojans have only become more sophisticated over 35 years. Supply-chain attacks are particularly hard to defend against, and the XZ utils incident (2024) almost succeeded in planting a backdoor in nearly every Linux system on Earth — a fact that shook the industry. The fundamental problem of "what do you do when the maintainer can no longer be trusted?" remains unsolved.

07

Malware-as-a-Service and the modern ecosystem #

The model has evolved from "a single hacker writes and distributes" into a commercial ecosystem with proper division of labor — structurally similar to the software industry itself.

  • MaaS (Malware-as-a-Service) — the author rents malware out to other criminals for a monthly or per-use fee. RedLine Stealer is $200/month, LockBit takes 20% of the ransom for the author
  • RaaS (Ransomware-as-a-Service) — the specialized form. "Affiliates" handle intrusion; encryption and negotiation are run by HQ
  • IAB (Initial Access Brokers) — brokers who trade "a foothold into Company X's internal network (RDP/VPN credentials)" for $1,000–$50,000. Russian Market / Genesis Market and similar forums
  • Stealer logs (combo lists) — "URL + ID + password" sets pulled from infected hosts, $2–$20 per bot
  • Crypter / Packer services — "we will pack your malware so AV can't detect it", offered on subscription
  • Bullet-proof hosting — servers (mostly) shielded from law enforcement. Heavily based in Russia, Eastern Europe, and China
▸ Total division of labor makes the megabreaches possible

"Buy initial access from an IAB, encrypt via RaaS, buy stealer logs separately" — this fully divided economy is what enables $50M+ ransom attacks. Both MGM Resorts (2023, $100M+ in losses) and Change Healthcare (2024, $22M ransom + $872M in losses) were born from this model.

08

Defense — the one root rule, plus layered defense #

"Don't run untrusted code" is the only true root defense. Expecting perfect judgment from ordinary users is unrealistic, so layered defense is the standard form.

| Layer | Content |
|---|---|
| Email filtering | Restrict attachment types (.exe .iso .one .lnk .html) / sandbox inspection / SPF/DKIM/DMARC |
| Browser / OS sandbox | Chrome/Edge site isolation / Windows Sandbox / macOS Gatekeeper / Linux non-root operation |
| Macro / scripting restriction | Office macros off by default (Microsoft 2022 standard) / PowerShell Constrained Language / WSH disabled |
| EDR | CrowdStrike Falcon / Microsoft Defender for Endpoint / SentinelOne — behavior-based detection |
| Application Allowlisting | AppLocker / WDAC / Gatekeeper / SELinux blocking anything not on the allowlist (strongest, heaviest to run) |
| Multi-factor authentication (MFA) | Even if a password is stolen, auth won't go through. Caps the damage from stealers |
| Privilege separation | Run as non-admin; elevate temporarily with sudo; isolate Tier 0 accounts |
| Network segmentation | VLAN splitting / Zero Trust / micro-segmentation to suppress lateral movement |
| Block C2 traffic | Proxy-side blocking of known C2 domains / DNS filtering (Quad9, Cloudflare 1.1.1.2) |
| Backups + immutable storage | The last line against ransomware. 3-2-1 rule + offline / write-once copies |
| Patch management | Auto-updates for browsers / OS / business apps close off delivery vectors |

▸ The minimum five for individual users

(1) Don't open email attachments by default / (2) Keep OS and browser auto-update on / (3) Enable MFA (authenticator app) / (4) Don't install pirated or cracked software / (5) Keep MS Defender / macOS XProtect / Linux ClamAV active — these alone neutralize 90% of Trojan attacks.

09

Analysis approach — when a suspicious file shows up #

The analysis workflow when a suspicious file (an odd email attachment, an unknown exe found on a shared PC) lands in your hands:

| Method | Tools | What you learn |
|---|---|---|
| Online scan | VirusTotal | 70+ AV engine verdicts + past analysis history |
| Dynamic analysis (sandbox) | Any.Run, Triage, Joe Sandbox, Cuckoo | Isolated-VM execution recording API calls / network destinations / file changes |
| Static analysis | DIE (Detect It Easy), PEStudio, exiftool, strings | Packer type / imported functions / suspicious strings |
| Disassembly | Ghidra (NSA OSS), IDA Pro, Binary Ninja, radare2 | Read the assembly and C-like decompilation |
| Debugger | x64dbg, gdb + pwndbg, Frida | Pause execution and inspect internals |
| Yara rules | yara, YARA-Rules | Match against known families |
| ATT&CK Navigator | navigator | Map observed behavior to Tactics/Techniques |

Minimum triage sequence (Linux host assumed)
```
$ file suspicious.exe                          # file format
$ sha256sum suspicious.exe                     # hash → VT search key
$ strings -a -n 8 suspicious.exe | head -50    # URLs / API names / mutex names
$ exiftool suspicious.exe                      # metadata
$ upx -d suspicious.exe 2>/dev/null            # unpack if UPX-packed
$ clamscan -i suspicious.exe                   # quick AV scan
# Sandbox submission (VirusTotal supports CLI)
$ curl -F "file=@suspicious.exe" -H "x-apikey: YOUR_KEY" \
    "https://www.virustotal.com/api/v3/files"
```
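A Python version of the first steps of the triage sequence (format check, SHA-256, UPX hint, and strings bucketed into the URLs / API names / mutex names the sequence tells you to look for), added here as an example that is not part of the original page. The bytes it inspects are a constructed stand-in for a suspicious file, and the API watchlist is an assumption.

```python
import hashlib
import re
import struct

MIN_STRING_LEN = 8                      # same floor as `strings -n 8` in the triage sequence
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
# Imports worth a second look in a loader / stealer; an assumed watchlist, not one the page defines
API_WATCHLIST = {"InternetOpenUrlA", "URLDownloadToFileA", "VirtualAlloc", "WriteProcessMemory",
                 "CreateRemoteThread", "CryptEncrypt", "RegSetValueExA", "ShellExecuteA"}

def build_sample():
    """Constructed stand-in for a suspicious file: an MZ stub whose e_lfanew points at a
    'PE' signature, UPX section names and a few embedded strings. Not a runnable binary."""
    hdr = bytearray(b"MZ" + b"\x00" * 58) + struct.pack("<I", 0x80)   # e_lfanew at 0x3C
    hdr += b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00"
    body = b"\x00" * 8 + b"UPX0" + b"\x00" * 28 + b"UPX1" + b"\x00" * 4
    body += b"https://update.example.invalid/c2/beacon.php\x00"
    body += b"Global\\MyAppSingletonMutex\x00InternetOpenUrlA\x00ab\x00"
    return bytes(hdr) + body

def sha256_hex(data):
    """The VirusTotal search key (same digest `sha256sum` prints)."""
    return hashlib.sha256(data).hexdigest()

def file_type(data):
    """Cheap stand-in for `file`: MZ stub, then the PE signature e_lfanew points at."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE file"
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return "PE executable" if data[pe_off:pe_off + 4] == b"PE\x00\x00" else "MZ stub without PE signature"

def is_upx_packed(data):
    """UPX leaves its section names and marker in the file unless the packer was modified."""
    return any(tag in data for tag in (b"UPX0", b"UPX1", b"UPX!"))

def extract_strings(data):
    """Equivalent of `strings -a -n 8`: printable-ASCII runs of at least MIN_STRING_LEN."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]

def triage(data):
    """Static first pass: hash, format, packer hint, and buckets of the strings that matter."""
    strings = extract_strings(data)
    return {
        "sha256": sha256_hex(data),
        "file_type": file_type(data),
        "upx_packed": is_upx_packed(data),      # if True, run `upx -d` before deeper static work
        "urls": [s for s in strings if re.match(r"https?://", s)],
        "mutex_names": [s for s in strings if s.startswith(("Global\\", "Local\\"))],
        "api_names": [s for s in strings if s in API_WATCHLIST],
        "strings": strings,
    }

if __name__ == "__main__":
    print({k: v for k, v in triage(build_sample()).items() if k != "strings"})
```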
▸ Never run analysis on production

Always analyze in an isolated VM (VMware / VirtualBox with snapshots), a disposable cloud VM, or an online sandbox (Any.Run). Cut off the network or limit it to an analysis-only MITM proxy. Never run a sample on a production system or your personal PC.

Summary #

  • A Trojan is the "not self-replicating, not exploiting a vulnerability — the user installs it themselves" model. It targets human psychology as the primary vulnerability
  • The modern profile is "no single-purpose, no single-stage" — multi-stage chains, IAB-to-RaaS labor division, supply-chain attacks, commercial spyware — the entire industry has been productized
  • The defense root is "don't run untrusted code", but perfect user judgment is unrealistic → email filtering + macro disablement + EDR + MFA + backups + patching + Allowlisting as a layered defense
  • "One layer stops everything" is the wrong frame. The 2026 standard mindset is "assume the Trojan gets through the first few layers; design how the later layers stop it"