Malware Threats — Types, Spread, and Defence for Beginners
What Is Malware and Why Does It Matter?
According to the AV-TEST Institute, over 450,000 new malware and potentially unwanted applications are registered every day, making malware the most persistent and rapidly evolving threat category in cybersecurity.
Malware types are at the heart of cybersecurity — every major breach, every ransomware headline, and every compromised system involves some form of malicious software. If you want to work in cybersecurity, you need to understand what malware is, how it works, how it spreads, and how organisations defend against it.
Malware — short for malicious software — is any software intentionally designed to damage, disrupt, or gain unauthorised access to computer systems. It ranges from simple viruses that have existed since the 1980s to sophisticated fileless malware that operates entirely in memory and leaves almost no trace on disk.
Understanding malware matters for practical reasons:
- SOC analysts spend a significant portion of their day triaging malware alerts — identifying suspicious files, checking indicators of compromise, and escalating confirmed infections.
- Incident responders need to understand malware behaviour to contain infections, identify persistence mechanisms, and determine the full scope of a compromise.
- Certification exams test malware knowledge extensively. CompTIA Security+ (SY0-701), CEH, and CySA+ all cover malware types, analysis techniques, and defence strategies.
- Every security role interacts with malware in some way, whether you are writing detection rules, hardening endpoints, analysing suspicious emails, or briefing management on threats.
This page covers every major malware type, how malware spreads, the basics of malware analysis, real-world examples, and the layered defence approach that organisations use to protect themselves.
Malware became real for me when I read about the Medibank breach in Australia — 9.7 million Australians’ health data stolen and published online. The attackers used stolen credentials to access the network, then deployed tools to exfiltrate data. Reading the timeline, I could see how each defensive layer that was missing or weak allowed the attack to progress. It was not just a news story anymore — it was a sequence of failures I could now understand technically. That understanding is what this page gives you: the ability to look at a malware incident and see the mechanics, not just the headlines.
What Do Real-World Malware Attacks Look Like?
According to the Verizon 2024 DBIR, ransomware was involved in 23% of all breaches, and the median ransom payment doubled year-over-year, confirming malware-driven attacks as the costliest category of cybercrime globally.
These are not hypothetical scenarios. Each incident caused billions in damage and changed how the security industry operates.
| Incident | Malware type | Impact | Key lesson |
|---|---|---|---|
| WannaCry (2017) | Ransomware worm | Infected >200,000 systems in 150 countries; UK NHS hospitals forced to divert patients | Unpatched systems are a critical risk; the EternalBlue SMB exploit had a patch available for two months |
| NotPetya (2017) | Destructive wiper (disguised as ransomware) | $10+ billion in global damage; Maersk, Merck, FedEx severely disrupted | Supply chain compromise via Ukrainian accounting software; “ransomware” with no recovery mechanism |
| SolarWinds/SUNBURST (2020) | Supply chain trojan | 18,000 organisations installed compromised update; US government agencies breached | Sophisticated nation-state operation; backdoor in legitimate software update |
| Emotet (2014-2021) | Banking trojan turned malware delivery platform | Called “the world’s most dangerous malware” by Europol; delivered ransomware, stealers, and other payloads | Modular design allowed constant evolution; taken down by international law enforcement in 2021, then re-emerged |
| Colonial Pipeline (2021) | DarkSide ransomware | US East Coast fuel supply disrupted for six days; $4.4 million ransom paid | Single compromised VPN credential without MFA; highlighted critical infrastructure vulnerability |
The pattern across these incidents is consistent: malware exploits known weaknesses — unpatched software, stolen credentials, supply chain trust, and missing security controls. Understanding malware types and how they work helps you build and maintain the defences that prevent these outcomes.
How Does Malware Work?
The MITRE ATT&CK framework documents over 700 malware families across its software catalogue, each classified by the tactics and techniques they employ — from initial access through persistence, privilege escalation, and data exfiltration.
Each malware type has distinct characteristics, spread mechanisms, and defensive countermeasures. Understanding these categories is essential for classification, detection, and response.
Viruses
A virus is malware that attaches itself to a legitimate file or program and executes when the host file is opened. Viruses require user action to spread — someone must open the infected file, run the infected program, or enable the malicious macro.
- File infectors attach to executable files (.exe, .dll)
- Macro viruses embed in documents (Word, Excel) and execute when macros are enabled
- Boot sector viruses infect the system’s boot process and load before the operating system
Viruses were the dominant malware type in the 1990s and early 2000s. They are less common today but still appear, particularly macro viruses in phishing campaigns.
Worms
A worm is self-replicating malware that spreads across networks without requiring user action. Unlike viruses, worms do not need to attach to host files — they exploit vulnerabilities in network services to propagate automatically.
WannaCry is the textbook example: it exploited the EternalBlue vulnerability in Windows SMB to spread across networks at machine speed, encrypting files on every system it reached.
Trojans
A trojan disguises itself as legitimate software to trick users into installing it. Once installed, it performs malicious actions — stealing credentials, creating backdoors, downloading additional malware, or giving attackers remote access.
- Remote Access Trojans (RATs) give attackers full control of the infected system
- Banking trojans steal financial credentials and intercept transactions
- Dropper trojans deliver and install other malware payloads
Trojans are one of the most common malware delivery methods because they exploit user trust rather than technical vulnerabilities.
Ransomware
Ransomware encrypts a victim’s files and demands payment (usually in cryptocurrency) for the decryption key. Modern ransomware groups use double extortion — threatening to publish stolen data if the ransom is not paid — and triple extortion — threatening to DDoS the victim or contact their customers.
Ransomware-as-a-Service (RaaS) has turned ransomware into a criminal business model. Groups like LockBit, BlackCat/ALPHV, and Cl0p build ransomware platforms and lease them to affiliates who carry out attacks in exchange for a percentage of ransom payments.
Spyware and Keyloggers
Spyware secretly monitors user activity and collects data — browsing history, keystrokes, screenshots, and credentials. Keyloggers specifically record every keystroke, capturing passwords, messages, and sensitive data.
The Pegasus spyware developed by NSO Group is one of the most sophisticated examples — capable of compromising mobile devices through zero-click exploits without any user interaction.
Rootkits
Rootkits operate at the deepest level of the operating system — sometimes at the kernel level or even in firmware. They hide malware processes, files, and network connections from normal detection tools. A rootkit’s primary purpose is stealth: it ensures other malware remains hidden and persistent.
Rootkits are difficult to detect because they modify the operating system itself. Detecting them often requires booting from trusted media and scanning the system from outside.
Fileless Malware
Fileless malware operates entirely in memory without writing files to disk. It uses legitimate system tools (PowerShell, WMI, macros) to execute malicious code, making it extremely difficult for traditional antivirus to detect.
Fileless attacks often use techniques like:
- PowerShell scripts that download and execute code in memory
- WMI (Windows Management Instrumentation) event subscriptions for persistence
- Living-off-the-land binaries (LOLBins) — legitimate system utilities repurposed for malicious activity
Cryptominers
Cryptomining malware hijacks a victim’s computing resources to mine cryptocurrency for the attacker. It runs silently in the background, consuming CPU and electricity. While less destructive than ransomware, it degrades system performance and increases energy costs.
How Malware Spreads
Understanding delivery mechanisms is as important as understanding malware types, because defence often targets the delivery method rather than the payload.
- Phishing emails remain the most common delivery vector. Malicious attachments (Office documents with macros, PDF files, ZIP archives) and links to malware-hosting websites account for the majority of initial infections.
- Drive-by downloads infect users who visit compromised or malicious websites. Exploit kits hosted on these sites probe the browser for vulnerabilities and deliver malware automatically.
- Removable media (USB drives, external hard drives) can carry malware that executes automatically or relies on social engineering to trick users into opening infected files.
- Supply chain compromise injects malware into legitimate software updates, libraries, or hardware. The SolarWinds attack and various npm/PyPI package compromises demonstrate this vector.
- Social engineering tricks users into installing malware voluntarily — fake software updates, pirated software, malicious browser extensions, and tech support scams.
- Exploitation of vulnerabilities — unpatched software with known vulnerabilities allows attackers to deliver and execute malware remotely without user interaction.
Malware Analysis Basics: Static vs Dynamic
Malware analysis is the process of examining malicious software to understand its behaviour, capabilities, and indicators of compromise. There are two fundamental approaches.
Static Analysis vs Dynamic Analysis
| Static analysis | Dynamic analysis |
|---|---|
| No execution — examines the malware without running it; safe but limited | Executes malware — runs it in a controlled sandbox to observe behaviour |
| File properties — hash values, file size, strings, imports, headers | Behavioural observation — network connections, file changes, registry modifications, process creation |
| Code review — disassembly and decompilation to read the malware's code | Runtime unpacking — reveals packed or obfuscated code that static analysis cannot see |
| Faster initial triage — a quick hash lookup can identify known malware in seconds | More complete picture — shows what the malware actually does, not just what it could do |
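To make the static-analysis side concrete, here is an added example (not code from the page) that performs the hash, strings and header checks on a constructed in-memory buffer shaped like a minimal PE file; build_sample, pe_header, printable_strings and triage are names chosen for this example, and the sample is inert padding, not a real malware sample.

```python
"""Static triage of a suspicious file: hashes, printable strings and a PE header check.
Added example, not code from the page. build_sample() constructs a fake, inert
PE-shaped buffer so the script runs offline; it is not a real malware sample."""
import hashlib
import re
import struct

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

# String patterns an analyst would flag during static review (labels are ours).
INTERESTING = {
    "url": re.compile(r"https?://\S+"),
    "run_key": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "injection_api": re.compile(r"CreateRemoteThread|WriteProcessMemory|VirtualAllocEx"),
}


def build_sample() -> bytes:
    """Constructed input: MZ stub, PE signature, COFF header, then a few strings."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)  # e_lfanew -> PE header at 0x80
    padding = b"\x00" * (0x80 - len(dos_header))
    # COFF header: Machine=x64, 3 sections, timestamp, symtab ptr, symbol count,
    # optional header size 240, Characteristics=EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5F0E1D2C, 0, 0, 240, 0x0022)
    blob = (b"\x00kernel32.dll\x00CreateRemoteThread\x00"
            b"http://c2.example.invalid/gate.php\x00"
            b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00ab\x00")
    return bytes(dos_header) + padding + b"PE\x00\x00" + coff + blob


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256, the fingerprints you would look up on VirusTotal."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha256")}


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Same idea as the `strings` utility: runs of printable ASCII >= min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def pe_header(data: bytes) -> dict:
    """Validate the MZ/PE signatures and parse the 20-byte COFF file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": stamp,
        "optional_header_size": opt_size,
        "is_dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL flag
    }


def triage(data: bytes) -> dict:
    """Combine hashes, header fields and flagged strings into a static report."""
    report = {"hashes": file_hashes(data), "pe": pe_header(data), "findings": {}}
    for s in printable_strings(data):
        for label, pattern in INTERESTING.items():
            if pattern.search(s):
                report["findings"].setdefault(label, []).append(s)
    return report


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

Everything here is the "could do" view: a C2-looking URL and a Run key string are leads for dynamic analysis, not proof of what the file does.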
Indicators of Compromise (IoCs)
IoCs are forensic artefacts that indicate a system may be compromised. Malware analysis produces IoCs that can be shared with other organisations and fed into detection tools.
- File hashes (MD5, SHA-256) — unique fingerprints of malware files
- IP addresses — command-and-control servers the malware communicates with
- Domain names — malicious domains used for delivery or C2
- File paths — where the malware installs itself on the filesystem
- Registry keys — persistence mechanisms on Windows systems
- Mutex names — unique identifiers malware uses to avoid running multiple copies
- YARA rules — pattern-matching rules that detect malware based on characteristics
How Does Malware Defence Fit Into a Security Architecture?
The ASD Essential Eight maturity model identifies application control as the single most effective mitigation strategy against malware execution, ranking it as the top priority in Australia’s baseline cybersecurity framework.
Effective malware defence is not a single product — it is a layered approach where each layer catches threats that the previous layers missed. This is defence in depth applied specifically to the malware problem.
Malware Defence Architecture
[Figure: Malware Defence Layers — defence in depth, each layer catches what the layer above it missed]
Each layer addresses a different stage of the malware lifecycle:
| Defence layer | What it blocks | Tools and techniques |
|---|---|---|
| User awareness | Social engineering attempts that trick users into executing malware | Security awareness training, phishing simulations, reporting culture |
| Email and web filtering | Malicious attachments, links, and drive-by downloads | Email gateways (Proofpoint, Mimecast), web proxies, DNS filtering |
| Endpoint protection | Malware that reaches the device | Antivirus, EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint), application control |
| Network detection | Malware communications and lateral movement | IDS/IPS, NDR tools, firewall rules, network segmentation |
| Incident response | Active infections that bypassed all other layers | IR playbooks, forensic tools, containment procedures, backup restoration |
The critical insight is that no single layer is sufficient. Sophisticated malware is specifically designed to evade individual controls. The strength of a layered defence is that an attacker must bypass every layer to succeed, while defenders only need one layer to catch the threat.
What Does Malware Detection Look Like in Practice?
According to NIST SP 800-83, effective malware detection combines host-based indicators (suspicious processes, persistence mechanisms) with network-based indicators (anomalous connections, C2 traffic), and analysts must be proficient in both approaches.
These commands help you identify signs of malware infection. Practise them in your home lab.
Checking for Suspicious Processes
```shell
# Linux — list all running processes sorted by CPU usage
ps aux --sort=-%cpu | head -20

# Linux — look for unusual or unknown processes
ps aux | grep -v "root\|www-data\|mysql\|syslog" | head -30
```

```powershell
# Windows PowerShell — list processes with network connections
Get-Process | Where-Object {$_.Id -in (Get-NetTCPConnection).OwningProcess} | Select-Object Name,Id,CPU

# Windows — check for processes running from unusual locations
Get-Process | Where-Object {$_.Path -and $_.Path -notmatch "Windows|Program Files"} | Select-Object Name,Path
```
Checking Network Connections
```shell
# Linux — show all established connections with process info
ss -tunap | grep ESTAB

# Linux — look for established connections to unusual external IPs (loopback excluded)
netstat -tunap | grep ESTAB | grep -v "127.0.0.1\|::1"

# Check DNS queries (Linux — requires tcpdump)
sudo tcpdump -i any port 53 -c 50
```

```powershell
# Windows PowerShell — established connections with remote addresses
Get-NetTCPConnection -State Established | Select-Object LocalPort,RemoteAddress,RemotePort,OwningProcess | Format-Table
```
File Hash Analysis
```shell
# Generate SHA-256 hash of a suspicious file
sha256sum suspicious_file.exe       # Linux
shasum -a 256 suspicious_file       # macOS

# Search the hash on VirusTotal (web interface)
# https://www.virustotal.com/gui/home/search
# Paste the hash to check against 70+ antivirus engines

# Use VirusTotal CLI (if installed) — look up the report for the file's hash
vt file "$(sha256sum suspicious_file.exe | cut -d' ' -f1)"
```

```powershell
# Windows PowerShell — SHA-256 is the default algorithm
Get-FileHash suspicious_file.exe
```
Checking for Persistence Mechanisms (Windows)
```powershell
# Check startup folders
Get-ChildItem "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Check Run keys in the registry
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

# Check scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"} | Select-Object TaskName,TaskPath

# Check services for unusual entries
Get-Service | Where-Object {$_.StartType -eq "Automatic"} | Select-Object Name,DisplayName,Status
```
What Are the Limitations of Malware Defences?
According to the AV-TEST Institute, signature-based antivirus alone detects less than 50% of new malware within the first 24 hours of appearance, highlighting why behavioural detection and defence in depth are essential.
Malware defence involves constant trade-offs. Understanding these helps you make better security decisions.
| Factor | Trade-off | Reality |
|---|---|---|
| Signature-based detection | Catches known malware quickly but misses zero-days and custom malware | Necessary but not sufficient — must be combined with behavioural detection |
| Behavioural detection | Catches unknown malware by observing actions but generates more false positives | Requires tuning and analyst review; too many false positives cause alert fatigue |
| Application control | Extremely effective but restrictive — only approved applications can run | The most effective malware prevention control (ASD Essential Eight) but requires careful management |
| Sandboxing | Runs suspicious files in isolation but adds delay and can be evaded | Advanced malware detects sandbox environments and changes behaviour |
| User training | Reduces phishing clicks significantly but cannot eliminate human error | Essential but should never be the only defence — people will always make mistakes |
| Patching | Closes vulnerability windows but requires testing and can break systems | Delayed patching is the single most common reason malware succeeds |
The biggest failure mode in malware defence is over-reliance on any single layer. Organisations that depend entirely on antivirus, or entirely on user training, or entirely on email filtering will eventually be breached. Defence in depth is not optional — it is the only approach that works.
What Interview Questions Should You Expect About Malware?
The CompTIA Security+ SY0-701 exam objectives cover malware types, analysis techniques, and defence strategies across Domain 2 (Threats, Vulnerabilities, and Mitigations), making malware knowledge a standard requirement in entry-level security interviews.
Malware questions are standard in security interviews because they test both knowledge and analytical thinking.
Q1: What is the difference between a virus and a worm?
Strong answer: “A virus attaches to a legitimate file and requires user action to spread — someone must open the infected file or enable a malicious macro. A worm is self-replicating and spreads across networks without user interaction by exploiting vulnerabilities in network services. WannaCry is a classic worm example — it spread automatically through the EternalBlue SMB vulnerability.”
Q2: How would you respond to a ransomware alert on a workstation?
Strong answer: “First, isolate the affected system immediately — disconnect it from the network to prevent the ransomware from spreading to other systems or encrypting network shares. Then notify the IR lead and begin documenting — capture the ransom note, note the file extensions, and record the time. Check if other systems show the same indicators. Follow the organisation’s ransomware playbook for containment, evidence preservation, and recovery from backups.”
Q3: What is fileless malware and why is it hard to detect?
Strong answer: “Fileless malware operates entirely in memory without writing files to disk. It uses legitimate system tools like PowerShell, WMI, and other built-in utilities to execute malicious code. Traditional antivirus that scans files on disk cannot detect it because there are no malicious files to scan. Detection requires behavioural monitoring, memory analysis, and EDR tools that watch for suspicious process behaviour rather than file signatures.”
Q4: Explain the concept of defence in depth for malware.
Strong answer: “Defence in depth layers multiple security controls so that no single point of failure can lead to a complete compromise. For malware specifically: user awareness training catches social engineering attempts, email and web filtering blocks malicious delivery, endpoint protection detects malware on devices, network detection catches C2 communications, and incident response handles what gets through everything else. Each layer catches what the previous layer missed.”
How Is Malware Handled in Real Security Operations?
According to the SANS Institute, malware triage — including hash lookups, behavioural analysis, and IoC extraction — is one of the top five daily tasks performed by SOC analysts across organisations of all sizes.
Malware defence is a daily operational reality in every security team.
Day-One SOC Scenarios
As a new SOC analyst, you will encounter malware in these contexts:
- Phishing triage. A user reports a suspicious email with an attachment. You analyse the email headers, check the attachment hash against VirusTotal, and determine if it is a known malware delivery. If the user opened the attachment, you escalate to the malware containment playbook.
- EDR alerts. Your endpoint detection platform flags a suspicious process — PowerShell downloading content from an external URL, an unknown executable running from a temp directory, or a process injecting into another process. You investigate the alert, check for IoCs, and determine if it is malicious or a false positive.
- Malware indicator sharing. Your threat intelligence feed delivers new IoCs — file hashes, C2 domains, and IP addresses associated with an active malware campaign. You add these indicators to your security tools so they can detect the threat if it targets your organisation.
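The IoC list above and the EDR-alert and indicator-sharing scenarios describe the same job from two sides: matching shared indicators and spotting suspicious behaviour in telemetry. This added example (not code from the page) runs both over constructed process-creation and DNS log lines; the feed, hosts, domains, addresses, hash and rule names are all made up for the example.

```python
"""IoC matching plus simple behavioural rules over constructed EDR and DNS log lines.
Added example, not code from the page. Every indicator and log line below is
constructed (example.invalid names, RFC 5737 test addresses, a placeholder hash);
none of them are real IoCs."""
import json
import re
from dataclasses import dataclass

# Constructed threat-intel feed, keyed by the IoC types listed on the page.
IOC_FEED = {
    "sha256": {"deadbeef" * 8},                 # placeholder, not a real hash
    "domain": {"update-check.example.invalid"},
    "ip": {"203.0.113.45"},                     # TEST-NET-3 documentation range
}

# Behavioural rules matching the EDR alert scenarios on the page (patterns are ours).
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|-EncodedCommand|-enc\b",
    re.IGNORECASE)
USER_WRITABLE_DIR = re.compile(r"\\(Temp|Downloads)\\", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed process-creation events, one JSON object per line.
PROCESS_LOG = r"""
{"ts":"2026-03-01T09:00:01Z","host":"WS01","user":"alice","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoProfile Get-Date","parent":"explorer.exe","sha256":"aaaa"}
{"ts":"2026-03-01T09:00:03Z","host":"WS01","user":"alice","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoProfile -w hidden -EncodedCommand AAAA","parent":"WINWORD.EXE","sha256":"aaaa"}
{"ts":"2026-03-01T09:00:04Z","host":"WS01","user":"alice","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","cmdline":"update.exe","parent":"explorer.exe","sha256":"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}
{"ts":"2026-03-01T09:00:05Z","host":"WS03","user":"SYSTEM","image":"C:\\Program Files\\Vendor\\agent.exe","cmdline":"agent.exe --serve","parent":"services.exe","sha256":"bbbb"}
"""

# Constructed DNS log: "<ts> <host> query <type> <name> [<answer>]".
DNS_LOG = """
2026-03-01T09:00:02Z WS01 query A www.example.com 198.51.100.7
2026-03-01T09:00:07Z WS02 query A update-check.example.invalid 203.0.113.45
2026-03-01T09:00:09Z WS03 query A mail.example.org 198.51.100.9
"""


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def check_process(event: dict) -> list:
    """Apply IoC and behavioural checks to one process-creation event."""
    alerts = []
    image = event["image"]
    exe = image.rsplit("\\", 1)[-1].lower()
    parent = event["parent"].lower()
    if event.get("sha256") in IOC_FEED["sha256"]:
        alerts.append(Alert(event["host"], "ioc_hash", event["sha256"]))
    if exe == "powershell.exe" and DOWNLOAD_CRADLE.search(event["cmdline"]):
        alerts.append(Alert(event["host"], "powershell_download", event["cmdline"]))
    if USER_WRITABLE_DIR.search(image):
        alerts.append(Alert(event["host"], "exec_from_temp", image))
    if parent in OFFICE_APPS and exe in SHELLS:
        alerts.append(Alert(event["host"], "office_spawns_shell", f"{parent} -> {exe}"))
    return alerts


def check_dns(line: str) -> list:
    """Match the queried name and the answer against domain and IP indicators."""
    fields = line.split()
    host, name = fields[1], fields[4]
    answer = fields[5] if len(fields) > 5 else None
    alerts = []
    if name in IOC_FEED["domain"]:
        alerts.append(Alert(host, "ioc_domain", name))
    if answer in IOC_FEED["ip"]:
        alerts.append(Alert(host, "ioc_ip", answer))
    return alerts


def scan(process_log: str, dns_log: str) -> list:
    """Run every rule over both logs and return the alerts in log order."""
    alerts = []
    for line in process_log.strip().splitlines():
        alerts.extend(check_process(json.loads(line)))
    for line in dns_log.strip().splitlines():
        alerts.extend(check_dns(line))
    return alerts


if __name__ == "__main__":
    for alert in scan(PROCESS_LOG, DNS_LOG):
        print(f"{alert.host:5} {alert.rule:22} {alert.detail}")
```

Only WS01 and WS02 produce alerts; the benign PowerShell call and the vendor agent pass every rule, which is the false-positive discipline the limitations table below is about.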
Australian Context
The ASD Essential Eight includes several controls directly targeting malware:
- Application control — Only approved applications are allowed to execute. This is the single most effective control against malware according to the ASD, because malware cannot run if it is not on the approved list.
- Configure Microsoft Office macro settings — Block macros from the internet and only allow vetted macros in trusted locations. Macro-based malware remains one of the most common delivery vectors.
- User application hardening — Disable or restrict features in web browsers, PDF viewers, and other applications that attackers commonly exploit to deliver malware.
The ACSC publishes regular malware advisories at cyber.gov.au, including technical indicators and recommended mitigation actions. Australian organisations, particularly in government and critical infrastructure under the Security of Critical Infrastructure Act (SOCI Act), are expected to implement these controls and respond to ACSC advisories promptly.
For career changers in Australia, understanding how the Essential Eight controls specifically counter malware threats demonstrates practical, employable knowledge that hiring managers in government, managed security, and enterprise security roles actively look for.
Summary and Key Takeaways
Malware is the weapon of choice for most cyber attacks — understanding it is non-negotiable for anyone entering cybersecurity.
- Malware types range from viruses and worms to ransomware, trojans, rootkits, fileless malware, and cryptominers. Each has distinct characteristics and defensive countermeasures.
- Delivery mechanisms include phishing, drive-by downloads, removable media, supply chain compromise, and vulnerability exploitation. Defending against delivery is often more effective than detecting the payload.
- Malware analysis uses static analysis (examining without executing) and dynamic analysis (running in a sandbox). Both produce indicators of compromise that improve detection across the organisation.
- Defence in depth is the only effective approach. Layer user awareness, email filtering, endpoint protection, network detection, and incident response so that no single failure leads to compromise.
- Application control is the single most effective malware prevention control according to the ASD Essential Eight.
- Real-world incidents like WannaCry, NotPetya, and SolarWinds demonstrate that malware exploits known weaknesses. Patching, access control, and monitoring are the fundamentals that prevent catastrophic outcomes.
- IoCs are the currency of threat intelligence. File hashes, C2 domains, and behavioural indicators shared between organisations improve collective defence.
Individual results vary. Career timelines, salary outcomes, and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.
Related
- Threat Landscape for the broader context of who creates and deploys malware
- Incident Response for what to do when malware gets past your defences
- Security Concepts for the defensive principles (CIA triad, defence in depth) that underpin malware defence
- Home Lab Setup to practise malware detection techniques safely
Frequently Asked Questions
What is malware?
Malware is short for malicious software — any software intentionally designed to damage, disrupt, or gain unauthorised access to computer systems. It includes viruses, worms, trojans, ransomware, spyware, rootkits, fileless malware, and cryptominers.
What is the most common type of malware?
Trojans are currently the most common malware type because they exploit user trust rather than technical vulnerabilities. Ransomware is the most impactful type, responsible for the largest financial losses and operational disruptions.
What is the difference between a virus and a trojan?
A virus attaches to legitimate files and spreads when those files are shared or executed. A trojan disguises itself as legitimate software to trick users into installing it. Viruses replicate by attaching to files; trojans typically do not self-replicate but rely on social engineering for distribution.
What is ransomware-as-a-service?
Ransomware-as-a-Service is a criminal business model where developers build ransomware platforms and lease them to affiliates who carry out the actual attacks. Affiliates pay a percentage of ransom collections to the developers. This model has dramatically lowered the barrier to entry for ransomware attacks.
What is fileless malware?
Fileless malware operates entirely in memory without writing files to disk. It uses legitimate system tools like PowerShell, WMI, and living-off-the-land binaries to execute malicious actions. Traditional file-based antivirus cannot detect it because there are no malicious files to scan.
How do I know if my computer has malware?
Signs of malware infection include unusual system slowness, unexpected network traffic, unfamiliar processes running, modified files, unexpected pop-ups, disabled security tools, and ransom notes. Detection tools include antivirus software, EDR platforms, and manual investigation of processes, network connections, and startup items.
What is an indicator of compromise?
An indicator of compromise is a forensic artefact that suggests a system may be compromised. Common IoCs include malicious file hashes, command-and-control IP addresses and domains, suspicious file paths, registry modifications, and unusual network traffic patterns. IoCs are shared between organisations to improve collective detection.
What is the difference between static and dynamic malware analysis?
Static analysis examines malware without executing it — checking file properties, hashes, strings, and code structure. Dynamic analysis runs the malware in a controlled sandbox to observe its actual behaviour: network connections, file modifications, and process creation. Static is safer and faster; dynamic reveals what the malware actually does.
What is the best defence against malware?
Defence in depth — layering multiple controls: user awareness training, email and web filtering, endpoint protection with behavioural detection, application control, network monitoring, regular patching, and tested incident response plans. No single control is sufficient. The ASD ranks application control as the single most effective malware prevention measure.
Can I safely study malware in a home lab?
Yes, but with precautions. Use isolated virtual machines with no network access to the host or internet. Platforms like TryHackMe and Hack The Box provide safe malware analysis exercises. Never run real malware on a system connected to your home network. Start with analysis of known, well-documented samples in controlled environments.
More resources
- Free malware analysis platform — upload files or search hashes against 70+ antivirus engines and community intelligence.
- MITRE ATT&CK — Malware: comprehensive catalogue of malware families, their techniques, and associated threat groups from real-world observations.
- ACSC Essential Eight Explained: Australian Cyber Security Centre's baseline mitigation strategies including application control and macro settings for malware defence.
Technical content verified in March 2026 against MITRE ATT&CK framework, CISA malware advisories, ASD Essential Eight guidance, CompTIA Security+ SY0-701 exam objectives, and CEH v12 syllabus. Real-world incident details verified against primary sources.