What Is a Trojan?
A Trojan, or Trojan horse, is malicious software disguised as something benign. Its defining feature is not one specific payload, but the fact that it gains execution by looking legitimate enough for a user, administrator, or system to trust it.
A Trojan is malware that pretends to be legitimate software, a useful file, or a trusted update in order to trick a user into running it. Unlike malware that spreads on its own, a Trojan usually relies on deception and user action to get inside an environment. Once executed, it may steal data, open a backdoor, download more malware, or give an attacker remote access to the infected system.
How a Trojan works
The term comes from the idea of hiding malicious intent inside something that appears safe. In security terms, that usually means the malware is packaged as a file, installer, script, document, or application that the victim believes is normal.
Step 1: Delivery
Trojans commonly arrive through:
- Phishing emails and attachments
- Malicious links and downloads
- Fake software updates
- Pirated or cracked software
- Compromised websites
- Messaging platforms and file shares
- USB media or removable storage
The delivery method matters less than the social engineering. The attacker needs the victim to trust the file enough to open, install, or enable it.
Step 2: Execution
Once the file is launched, the Trojan executes its malicious code. This may happen immediately or after some trigger, such as:
- Enabling macros or active content
- Running an installer
- Opening a script
- Granting permissions
- Bypassing operating system warnings
Some Trojans display a decoy document or a fake installation screen to make the victim think the file behaved as expected.
Step 3: Post-execution activity
After running, the Trojan may perform one or more malicious actions. Common outcomes include:
- Stealing credentials or browser data
- Opening a backdoor for remote access
- Downloading additional malware
- Logging keystrokes
- Modifying security settings
- Establishing persistence
- Exfiltrating files
- Joining the system to a botnet
This is why “Trojan” is often better understood as a delivery and disguise method rather than a single malware behavior. One Trojan may act like spyware, another like a loader, and another like a remote access tool.
Common types of Trojans
In practice, defenders often encounter Trojans described by what they do after execution.
Remote access Trojan (RAT)
A RAT gives an attacker ongoing remote control of the infected system. That can include command execution, file access, screen viewing, credential theft, and movement deeper into the environment.
Banking Trojan
These are designed to steal financial information, payment data, or online banking credentials. They may target browsers, intercept sessions, or manipulate user transactions.
Downloader or dropper Trojan
This type installs or fetches additional malware after the initial infection. It is often the first-stage payload in a larger intrusion.
Spy Trojan
A spy Trojan focuses on surveillance, such as collecting keystrokes, screenshots, browser history, stored passwords, or messages.
What makes a Trojan different from other malware
The most important distinction is how it gets executed.
A worm is known for self-propagating. A virus traditionally attaches to other files and spreads when those files are used. A Trojan, by contrast, typically depends on being disguised as something the target is willing to run.
That means Trojans are closely tied to:
- Social engineering
- User trust
- Software installation habits
- Weak application control
- Unsafe download behavior
They are often part of broader intrusion chains rather than the entire attack by themselves.
If you want to compare categories, see what is malware.
When you’ll encounter a Trojan
You will usually hear the term Trojan in endpoint protection, malware analysis, phishing response, and incident investigations.
In phishing investigations
If a user opens an attachment that looked like an invoice, resume, or shared file and malicious code runs, that payload may be classified as a Trojan. The lure is often more important than the file type.
In endpoint detection alerts
EDR or antivirus tools may flag suspicious installers, scripts, or binaries as Trojan activity when the file appears legitimate but performs malicious actions after launch.
In malware families that load other malware
Many initial-access payloads are Trojans because their job is to establish a foothold and bring in the next stage, such as ransomware, infostealers, or remote access tools.
In unmanaged or lightly controlled environments
Trojans are especially common where users can install software freely, disable warnings, use local admin rights, or download files from untrusted sources. Small businesses and home-office setups often see this pattern.
For more on the delivery side, read what is phishing.
Why Trojans are still effective
Trojans remain common because they exploit a basic reality: users and admins have to run software to do their jobs. If an attacker can make a file look routine enough, technical controls may be bypassed by normal business behavior.
They also work well with modern attack chains:
- A phishing message creates urgency
- A user opens a file or installer
- The Trojan executes
- Additional payloads are fetched
- Credentials are stolen or persistence is established
That sequence is still effective because it combines human trust with technical follow-on actions.
How to reduce the risk of Trojan malware
Practical defenses focus on reducing the chance that untrusted code gets executed in the first place.
- Train users to be cautious with attachments, downloads, and fake updates
- Restrict local admin rights
- Use application allowlisting where possible
- Keep operating systems and software patched
- Filter email attachments and malicious links
- Monitor endpoints for unusual behavior
- Block or tightly control software from untrusted sources
On individual devices and small business endpoints, security tools such as Malwarebytes can add another layer against malicious downloads and suspicious executables. For users who frequently sign in to websites, a password manager like 1Password can also reduce the damage of credential theft by supporting stronger, unique passwords.
Bottom line
A Trojan is malware that gets executed by pretending to be something trustworthy. That deception makes it one of the most common ways attackers gain initial access, steal data, or load more dangerous payloads. If a file looks normal but behaves maliciously once opened, you are often dealing with a Trojan.