eastbaycyber

Malware: Definition, How It Works, Where You’ll Encounter It, and Related Terms

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Malware (short for malicious software) is any program or code intentionally created to disrupt operations, damage systems, steal information, or provide unauthorized access to a device or network. It includes many families—such as ransomware, trojans, spyware, and worms—each with different goals and behaviors.

Malware (short for malicious software) is any code intentionally designed to harm systems, steal data, or enable unauthorized access. It shows up in many forms—ransomware, trojans, spyware, worms, and botnets—and it’s commonly delivered through email, browsers, cloud apps, and third-party software.

How it works

Malware isn’t a single technique—it’s an outcome: the attacker gets code to run where it shouldn’t, then uses it to achieve an objective (theft, extortion, persistence, disruption). In practice, most malware campaigns follow a predictable lifecycle.

1) Initial access: how malware gets in

Common entry paths include:

  • Phishing and social engineering: malicious links, attachments, or fake login pages that trick users into running code or giving credentials.
  • Exploiting vulnerabilities: attackers abuse unpatched software (VPN gateways, web apps, browsers, document viewers, servers) to execute code.
  • Malvertising / drive-by downloads: compromised ad networks or websites deliver scripts that prompt downloads or abuse browser flaws.
  • Supply-chain compromise: a legitimate tool, installer, library, or update channel is tampered with. (See also: what is a supply chain attack.)
  • Credential abuse: stolen passwords or session tokens are used to log in, then malware is deployed internally via remote management tools.

2) Execution and staging

Once delivered, malware often runs in stages:

  • Dropper / loader: a small component whose job is to fetch and launch the main payload.
  • Payload: the “real” malware (e.g., ransomware encryptor, credential stealer).
  • Living-off-the-land (LotL): many campaigns lean on built-in tools (PowerShell, WMI, scheduled tasks) to reduce the need for obvious binaries.

3) Persistence: staying after reboots and logoffs

To survive reboots or maintain access, malware may:

  • Create scheduled tasks, services, startup items, or registry run keys (Windows).
  • Install launch agents/daemons (macOS/Linux).
  • Add new users, SSH keys, or API tokens.
  • Deploy web shells on servers to regain access through HTTP/S.

4) Command-and-control (C2): remote control and updates

Most malware phones home to attacker infrastructure to:

  • Receive commands (exfiltrate files, enumerate hosts, run lateral movement).
  • Download additional modules (keylogging, screenshotting, credential dumping).
  • Rotate or update payloads to evade defenses.

C2 traffic might use HTTPS to blend in, DNS tunneling, or uncommon ports. Some malware avoids C2 entirely and simply executes a one-time action (e.g., encrypt files).

5) Actions on objectives: what attackers actually want

Typical objectives include:

  • Data theft: credentials, financial info, intellectual property, customer data.
  • Extortion: encrypt data (ransomware) and/or threaten to leak it (double extortion).
  • Fraud: business email compromise support, invoice redirection, card theft.
  • Disruption: wiping data, deleting backups, sabotaging OT/ICS operations.
  • Resource hijacking: crypto-mining, botnet DDoS, proxying traffic.

6) Evasion: avoiding detection and response

Malware frequently attempts to:

  • Disable or tamper with security tools (where privileges allow).
  • Detect sandboxes/VMs and “sleep” to evade automated analysis.
  • Use encrypted configuration and obfuscated scripts.
  • Masquerade as legitimate processes or sign binaries with stolen certificates.

Technical notes: Practical indicators and quick checks

The specific artifacts vary, but these patterns are consistently useful for triage.

Endpoint and identity red flags

  • New local admin accounts or unexpected group membership changes.
  • Suspicious scheduled tasks, services, or startup entries.
  • Multiple failed logins followed by a success from unusual IPs/locations.
  • MFA fatigue prompts (many push notifications) preceding suspicious sign-ins.

Network and DNS red flags

  • New outbound connections from servers that typically don’t browse the internet.
  • DNS queries for newly registered domains or random-looking subdomains.
  • Beacon-like traffic patterns (regular intervals to the same host).

Quick CLI triage examples

# Linux: look for persistence mechanisms
systemctl list-unit-files --type=service | grep -i enabled
crontab -l
ls -la /etc/cron.* /var/spool/cron

# Linux: suspicious outbound connections
ss -tupn
lsof -i -n -P | head

# macOS: common persistence locations
ls -la ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons
# Windows: list scheduled tasks and look for odd names/paths
Get-ScheduledTask | Select-Object TaskName,State,TaskPath | Format-Table -Auto

# Windows: review new local users
Get-LocalUser | Sort-Object Name

# Windows: quick process/network view
Get-Process | Sort-Object CPU -Descending | Select-Object -First 15
Get-NetTCPConnection | Sort-Object -Property State,RemoteAddress | Format-Table -Auto

Useful log patterns to hunt

These are not malware-specific on their own, but they’re high-signal when correlated:

  • Windows Security logs: new service creation, scheduled task creation, account creation, privilege escalation events.
  • EDR telemetry: PowerShell spawning unusual children, Office spawning command shells, script interpreters launching from user-writable paths.
  • Web server logs: POST requests to strange endpoints, uploads of .php, .aspx, or unusual file types, odd user agents.

When you’ll encounter it

Most teams don’t “encounter malware” as a single event—they see it as a symptom: an alert, a user report, or abnormal behavior. Here are the most common real-world scenarios.

Email and collaboration tools

  • A user clicks a link or opens an attachment from a spoofed sender.
  • A cloud file share points to a “document” that triggers a download.
  • Attackers use compromised accounts to send internal phishing (more trusted, higher click rate).

What to do next: quarantine the message if possible, collect message headers, block sender domains (carefully), and review mailbox rules for persistence.

Browser-based activity and downloads

  • Fake software updates (browser, PDF reader, conferencing tool).
  • Trojans bundled with “free” utilities or cracked software.
  • Malvertising that redirects to credential theft or a malicious installer.

What to do next: isolate the endpoint, preserve browser history (where possible), and check for new extensions or newly installed apps.

Exposed services and unpatched systems

  • Internet-facing VPNs, RDP, web apps, file transfer appliances, and CMS platforms are frequent initial targets.
  • Vulnerability exploitation can lead to web shells, backdoors, or deployment of ransomware.

What to do next: verify patch levels, review authentication logs, check for web shells, rotate exposed credentials, and validate backups.

Third-party and supply-chain exposure

  • A vendor tool is compromised or misconfigured.
  • A trusted update mechanism delivers a malicious payload.
  • A managed service provider account is abused to deploy tooling at scale.

What to do next: inventory software and integrations, review vendor advisories, enforce least privilege and conditional access for third-party accounts, and monitor remote management channels.

Post-compromise “malware as a tool,” not the entry point

Sometimes malware appears after attackers already have access via stolen credentials:

  • They deploy a remote access trojan (RAT) for stability.
  • They install credential stealers to move laterally.
  • They drop ransomware once they’ve located backups and critical systems.

What to do next: treat malware discovery as evidence of a broader intrusion. Expand scope beyond the single host—check identity, cloud logs, and lateral movement paths.

Prevention and response: minimum controls that reduce malware impact

If you’re prioritizing defenses, these measures consistently reduce the blast radius:

- Patch OS/apps quickly (especially internet-facing services)
- Enforce MFA everywhere; prefer phishing-resistant methods for admins
- Remove local admin rights; use just-in-time elevation
- Deploy EDR + centralized logging; retain logs long enough for investigations
- Segment networks; restrict east-west traffic
- Back up critical data; test restores; protect backups from tampering
- Application allowlisting or strong execution controls where feasible

If you’re evaluating endpoint defenses for an organization (not just a single device), map your requirements—coverage, telemetry quality, and response workflow—against your environment. For a Windows-heavy fleet, this can start with our endpoint buyer’s guide: best antivirus for windows business endpoints 2026.

For individual users or small teams that want a reputable on-device malware scanner as an extra layer, Malwarebytes is a commonly used option: Get Malwarebytes →.

Related terms

Virus

Malware that attaches to files and can replicate when the infected file runs. Less common as a primary modern delivery term, but still used colloquially.

Worm

Self-propagating malware that spreads across networks without user action (often by exploiting vulnerabilities).

Trojan

Malware disguised as legitimate software (e.g., a “PDF viewer” that installs a backdoor).

Ransomware

Malware that encrypts data (and increasingly steals it) to extort payment.

Spyware

Malware that monitors activity and steals data (browsing, credentials, messages).

Adware

Unwanted software that pushes ads; sometimes a stepping stone to more harmful payloads.

Rootkit

Malware designed to hide itself and maintain privileged access.

Botnet

A network of compromised devices controlled by an attacker, often used for DDoS, spam, or proxy services.

Backdoor / RAT

Remote access tooling that provides persistent control; may be “malware” or dual-use, depending on authorization.

Keylogger

Captures keystrokes to steal credentials and sensitive information.

Dropper / Loader

Components used to deliver or fetch the main payload.

C2 (Command-and-Control)

Infrastructure used to manage compromised systems.

TTPs (Tactics, Techniques, and Procedures)

The behavioral patterns of attackers; often more durable than IOCs.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.