Malware Types and Reference

Malware — malicious software designed to infiltrate, damage, or extract value from computing systems — represents one of the most structurally diverse threat categories in cybersecurity. This page catalogs the major malware classifications, their operational mechanics, the scenarios in which each appears, and the decision boundaries that distinguish one type from another. These classifications align with frameworks maintained by the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and MITRE ATT&CK. Professionals navigating digital security listings or researching incident response service categories will find this reference useful for grounding vendor claims in verified technical taxonomy.


Definition and scope

Malware is defined by NIST SP 800-83 Rev 1 as "a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or of otherwise annoying or disrupting the victim." This definition sets a functional boundary: malware is distinguished not by its delivery mechanism but by its intent and effect on a target system.

The scope of malware as a threat category spans all computing environments — endpoints, servers, mobile devices, embedded systems, and cloud-hosted workloads. CISA's Known Exploited Vulnerabilities (KEV) catalog, maintained at cisa.gov/known-exploited-vulnerabilities-catalog, lists vulnerabilities with evidence of active exploitation, many of them used to deliver malware, that affect federal civilian infrastructure. The catalog had exceeded 1,000 entries by 2023, reflecting the breadth of malware-associated attack surface in production environments.

Regulatory framing for malware extends across multiple federal mandates. The Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. § 3551 et seq., requires federal agencies to maintain anti-malware controls as part of documented information security programs. The HIPAA Security Rule at 45 CFR § 164.306 requires covered entities to protect against "reasonably anticipated threats" — a standard that expressly encompasses malware. The FTC Safeguards Rule at 16 CFR Part 314 similarly mandates that financial institutions implement controls against malicious code.


How it works

Malware operates through a lifecycle that MITRE ATT&CK (attack.mitre.org) structures into named tactics. The 14 tactics of the Enterprise matrix are reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. Not every malware specimen traverses all 14 tactics, but understanding the lifecycle clarifies where defensive controls apply.

The core execution phases for most malware follow this sequence:

  1. Delivery — The payload arrives via phishing email attachment, drive-by download, supply chain compromise, or exploitation of a network-exposed vulnerability.
  2. Execution — The payload runs on the target system, either directly (an executable) or through an interpreter (PowerShell, JavaScript, macro-enabled Office document).
  3. Persistence — The malware installs a mechanism to survive reboots: registry run keys, scheduled tasks, service installation, or boot sector modification.
  4. Command and Control (C2) — The malware establishes outbound communication to attacker-controlled infrastructure using HTTP/S, DNS tunneling, or encrypted protocols to receive instructions and exfiltrate data.
  5. Objective execution — The malware executes its primary payload: encrypting files, exfiltrating credentials, installing backdoors, or enrolling the host into a botnet.
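As an added example (not code from NIST, CISA, MITRE or this page), the following Python classifier maps a handful of constructed Sysmon-style telemetry lines onto the five phases above: an Office parent spawning PowerShell (delivery), an encoded PowerShell command line (execution), Run-key and scheduled-task writes (persistence), fixed-interval connections to one host (C2), and a mass rename to a new extension (objective execution). The event schema, the beacon jitter and the rename threshold are assumptions chosen for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed Sysmon-style JSON lines (not real captures); the C2 address is in TEST-NET-3.
SAMPLE_LOG = r'''
{"ts":100,"kind":"process","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","child":"powershell.exe","cmd":"powershell -nop -w hidden -EncodedCommand QQBBAEEA"}
{"ts":101,"kind":"registry","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","value":"C:\\Users\\a\\AppData\\Roaming\\svc.exe"}
{"ts":102,"kind":"process","image":"C:\\Windows\\System32\\schtasks.exe","cmd":"schtasks /create /sc minute /mo 5 /tn Updater /tr svc.exe"}
{"ts":110,"kind":"network","dst":"203.0.113.7:443"}
{"ts":170,"kind":"network","dst":"203.0.113.7:443"}
{"ts":230,"kind":"network","dst":"203.0.113.7:443"}
{"ts":300,"kind":"file_rename","path":"C:\\Users\\a\\Documents\\q1.xlsx.locked"}
{"ts":300,"kind":"file_rename","path":"C:\\Users\\a\\Documents\\q2.docx.locked"}
{"ts":301,"kind":"file_rename","path":"C:\\Users\\a\\Pictures\\cat.jpg.locked"}
'''
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)   # registry autostart locations
OFFICE = re.compile(r"\\(WINWORD|EXCEL|OUTLOOK)\.EXE$", re.I)  # typical phishing-lure parents
ENCODED = re.compile(r"-e(c|nc|ncodedcommand)?\b", re.I)       # PowerShell -EncodedCommand aliases

def parse(log):
    return [json.loads(line) for line in log.strip().splitlines()]

def classify(events, beacon_min=3, jitter=0.2, rename_min=3):
    """Return sorted (ts, phase, evidence) findings; thresholds are illustrative assumptions."""
    findings, conns, renamed = [], defaultdict(list), defaultdict(list)
    for e in events:
        if e["kind"] == "process":
            cmd, image = e.get("cmd", ""), e["image"]
            if OFFICE.search(image) and e.get("child"):
                findings.append((e["ts"], "delivery", f"{image} spawned {e['child']}"))
            if "powershell" in cmd.lower() and ENCODED.search(cmd):
                findings.append((e["ts"], "execution", "encoded PowerShell command line"))
            if image.lower().endswith("schtasks.exe") and "/create" in cmd.lower():
                findings.append((e["ts"], "persistence", "scheduled task created"))
        elif e["kind"] == "registry" and RUN_KEY.search(e["key"]):
            findings.append((e["ts"], "persistence", f"Run key write {e['key']}"))
        elif e["kind"] == "network":
            conns[e["dst"]].append(e["ts"])
        elif e["kind"] == "file_rename":
            renamed[e["path"].rsplit(".", 1)[-1].lower()].append(e["ts"])
    for dst, ts in conns.items():  # C2 beaconing: repeated connections at a near-constant interval
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= beacon_min and max(gaps) - min(gaps) <= jitter * (sum(gaps) / len(gaps)):
            findings.append((ts[0], "command_and_control", f"beacon to {dst} every ~{sum(gaps) // len(gaps)}s"))
    for ext, ts in renamed.items():  # objective execution: mass rename to one new extension
        if len(ts) >= rename_min:
            findings.append((ts[0], "objective_execution", f"{len(ts)} files renamed to .{ext}"))
    return sorted(findings)
```

Running `classify(parse(SAMPLE_LOG))` yields one finding per phase in time order; a single connection or a single rename produces nothing, which is why the beacon and rename rules count events rather than matching on any one line.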

NIST SP 800-83 Rev 1 classifies malware by primary behavior — a distinction between how a specimen propagates and what it does once active. These two axes produce the major malware families described below.


Common scenarios

Ransomware encrypts files or entire disk volumes and demands payment, typically in cryptocurrency, for decryption keys. The FBI Internet Crime Complaint Center (IC3) 2022 Internet Crime Report recorded 2,385 ransomware complaints that year, with adjusted losses exceeding $34.3 million — a figure the FBI explicitly notes undercounts actual losses because ransomware events frequently go unreported. Healthcare, critical infrastructure, and government entities represent the most heavily targeted sectors.

Trojans masquerade as legitimate software. Unlike viruses or worms, trojans do not self-replicate; they rely on user execution. Banking trojans such as those categorized under the MITRE ATT&CK Software catalog intercept browser sessions to harvest financial credentials. Remote access trojans (RATs) establish persistent C2 channels, giving attackers interactive control.

Worms self-propagate across networks without requiring user action, exploiting unpatched vulnerabilities in network services. The distinction from a virus is structural: a worm is a standalone program; a virus requires a host file to attach to and execute through.

Spyware operates covertly to monitor user activity, capture keystrokes, record audio or video, and exfiltrate data — often installed alongside legitimate freeware as an undisclosed component. Stalkerware, a subcategory addressed by the FTC in enforcement actions under Section 5 of the FTC Act, targets individual devices for surveillance purposes.

Rootkits modify the operating system kernel or bootloader to conceal their presence from standard detection tools. A kernel-mode rootkit operates at the same privilege level as the operating system itself, making detection dependent on out-of-band analysis or hardware-level attestation.

Fileless malware resides entirely in memory and uses legitimate system tools — Windows Management Instrumentation, PowerShell, or the Windows Registry — to execute without writing a detectable binary to disk. CISA's Alert AA22-321A documents threat actor use of living-off-the-land techniques consistent with fileless execution.

Botnets enroll compromised hosts as nodes in a coordinated network operated via C2 infrastructure. Botnet operators monetize access through distributed denial-of-service (DDoS) attacks, spam distribution, or rental to other threat actors.

The digital security directory purpose and scope page provides additional context on how these threat categories map to the service provider landscape.


Decision boundaries

The primary classification challenge in malware analysis is that specimens routinely combine behaviors from multiple categories. A single malware package may function as a trojan for initial delivery, install a rootkit for persistence, and execute ransomware as its final payload. MITRE ATT&CK addresses this by classifying specimens by observed technique rather than requiring a single categorical label.

Ransomware vs. wiper malware: Ransomware encrypts with the intent of reversibility upon payment; wiper malware destroys data with no recovery mechanism. The functional distinction is the presence or absence of decryption key infrastructure. CISA Advisory AA22-057A documented WhisperGate, a wiper deployed against Ukrainian infrastructure that presented a ransomware-style interface to obscure its actual destructive intent.

Spyware vs. legitimate monitoring software: The legal boundary is consent and disclosure. Enterprise endpoint detection and response (EDR) tools perform behavioral monitoring with organizational disclosure and legal authorization. Spyware and stalkerware operate without the monitored party's consent — a distinction that activates FTC enforcement authority under 15 U.S.C. § 45.

Virus vs. worm: Both self-replicate, but a virus requires a host program or file and propagates when an infected file is executed by a user. A worm propagates autonomously across networks by exploiting vulnerabilities in network services, requiring no user interaction after initial infection.

Adware vs. spyware: Adware delivers unsolicited advertising and may collect browsing data; it is not categorically malware if disclosed in a license agreement and limited in scope. Spyware crosses the classification threshold when it covertly harvests sensitive data — credentials, financial information, or communications — beyond what is disclosed.

For professionals evaluating incident response, threat intelligence, or endpoint protection service categories, the NIST Computer Security Incident Handling Guide (SP 800-61 Rev 2) provides the authoritative framework for malware containment and eradication phases. Service seekers using this digital security resource can cross-reference vendor specializations against these classification boundaries to identify providers whose scope matches the incident type.
