INVADERS

Lucas Oliveira
8/13/2025
Cybersecurity Definition

Malware

Malware is malicious software—viruses, worms, Trojans, ransomware—designed to disrupt, damage or steal data.[1] Authors leverage obfuscation, packing and code signing abuse to evade detection. Ransomware affiliates use double-extortion, threatening data leaks alongside encryption. Defences include layered AV, exploit mitigations, threat-intel sharing and user education.

Malware: A Field Guide to Understanding, Detecting, and Disrupting Malicious Software

Security teams face a relentless stream of malware—from commodity stealers to bespoke implants. This guide breaks down how modern families operate, how they persist and evade, and how to detect, contain, and eradicate them at scale.

What Is Malware?

Malware is software intentionally designed to harm, disrupt, or provide unauthorized access. Most families mix capabilities—credential theft plus lateral movement, data staging plus extortion—to maximize return on compromise.

Why Malware Persists

Rapid iteration, code reuse, and resilient infrastructure keep families alive. Gaps such as unmanaged identities, flat networks, and weak allow‑listing create dependable ROI for adversaries.

Common Categories

  • Ransomware
  • Infostealers and banking trojans
  • Remote access trojans (RATs)
  • Worms and botnets

Kill Chain Essentials

  • Initial access: phishing, drive‑by, supply chain
  • Execution: script loaders, LOLBins, signed proxy binaries
  • Persistence: run keys, tasks, WMI subscriptions
  • Privilege escalation: token abuse, kernel bugs
  • Credential access: LSASS scraping, browser stores
  • Lateral movement: SMB, WMI/WinRM/SSH
  • Impact: exfiltration, double extortion, encryption
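The persistence entry above (run keys, tasks, WMI subscriptions) is the kind of artifact that needs triage rather than blind removal. The script below is an added example, not INVADERS code: it parses a constructed `reg query` dump of an HKCU Run key and grades each autorun by two heuristics the page implies, invocation through a script engine or LOLBin, and a target living in a user-writable location. The value names, paths and the grading thresholds are assumptions made for illustration.

```python
"""Triage of Run-key autoruns (added example; data below is constructed)."""
import re

# Constructed output in the shape of `reg query HKCU\...\Run`; not from a real host.
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    wscript.exe //B "C:\Users\alice\AppData\Roaming\upd\run.vbs"
    Helper      REG_SZ    C:\Users\Public\svc\helper.exe -s
    Teams       REG_SZ    "C:\Program Files\Teams\Teams.exe" --autostart
"""

# One value line: <name> <REG_type> <data>, indented as reg.exe prints it.
LINE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Hypothetical watch-lists; tune to your environment's baseline.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                  "pwsh.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\users\\public\\", "\\temp\\")


def parse_run_key(dump):
    """Return one dict per value line: name, registry type, raw command."""
    entries = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"name": m.group(1), "type": m.group(2),
                            "command": m.group(3).strip()})
    return entries


def target_of(command):
    """Extract the executable path from a command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def triage_run_entries(entries):
    """Grade autoruns: 'high' for script engine/LOLBin launchers,
    'medium' for targets in user-writable directories, else not reported."""
    findings = []
    for e in entries:
        exe = target_of(e["command"]).rsplit("\\", 1)[-1].lower()
        low = e["command"].lower()
        if exe in SCRIPT_ENGINES:
            findings.append((e["name"], "high", f"autorun via script engine/LOLBin {exe}"))
        elif any(d in low for d in USER_WRITABLE):
            findings.append((e["name"], "medium", "autorun target in user-writable location"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in triage_run_entries(parse_run_key(RUN_KEY_DUMP)):
        print(f"{severity:6} {name:10} {reason}")
```

The OneDrive entry under `AppData\Local` is deliberately not flagged: plenty of legitimate software autoruns from there, so the heuristic only escalates temp, roaming and public paths, and a real eradication step would still confirm the grading (for example against code-signing status) before deleting anything.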

Evasion and Persistence

Expect packers, API unhooking, encrypted C2, staged modules. Hunt for unexpected parent/child chains, RWX memory, and script engines spawning network tools.

Behavior-First Detection

  • Host: injection patterns, suspicious module loads, script‑block anomalies
  • Identity: anomalous token usage and sudden privilege elevation
  • Network: beacon intervals, JA3/JA4 shifts, DNS tunneling
  • Content: YARA rules for shared traits
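The hunting guidance in "Evasion and Persistence" (unexpected parent/child chains, script engines spawning network tools) and the host and network bullets above both reduce to rules over telemetry. The following is an added example, not INVADERS code: it runs two such rules over constructed Sysmon-style process events and a constructed outbound-connection log, flagging script-engine and Office parent/child chains on the host side and fixed-interval beaconing on the network side. The process names, IPs, timestamps and thresholds are all assumptions for illustration.

```python
"""Behaviour-first detection over constructed telemetry (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed process-creation events (Sysmon Event ID 1 fields, simplified).
PROCESS_EVENTS = [
    {"pid": 412,  "image": "C:\\Windows\\explorer.exe",                       "parent": "C:\\Windows\\System32\\userinit.exe"},
    {"pid": 980,  "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "parent": "C:\\Windows\\explorer.exe"},
    {"pid": 1010, "image": "C:\\Windows\\System32\\cmd.exe",                  "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"pid": 1044, "image": "C:\\Windows\\System32\\wscript.exe",              "parent": "C:\\Windows\\explorer.exe"},
    {"pid": 1090, "image": "C:\\Windows\\System32\\curl.exe",                 "parent": "C:\\Windows\\System32\\wscript.exe"},
    {"pid": 1200, "image": "C:\\Windows\\System32\\svchost.exe",              "parent": "C:\\Windows\\System32\\services.exe"},
]

# Constructed outbound connections: (timestamp_seconds, source_host, destination).
# ws01 -> 203.0.113.10 fires roughly every 60 s; the other flows are irregular or sparse.
CONNECTIONS = [
    (0, "ws01", "203.0.113.10:443"), (61, "ws01", "203.0.113.10:443"),
    (119, "ws01", "203.0.113.10:443"), (181, "ws01", "203.0.113.10:443"),
    (240, "ws01", "203.0.113.10:443"), (299, "ws01", "203.0.113.10:443"),
    (5, "ws01", "198.51.100.5:443"), (12, "ws01", "198.51.100.5:443"),
    (300, "ws01", "198.51.100.5:443"), (305, "ws01", "198.51.100.5:443"),
    (900, "ws01", "198.51.100.5:443"), (1800, "ws01", "198.51.100.5:443"),
    (10, "ws02", "203.0.113.10:443"), (70, "ws02", "203.0.113.10:443"),
    (130, "ws02", "203.0.113.10:443"),
]

# Hypothetical watch-lists; a real deployment baselines these per environment.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
NETWORK_TOOLS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "net.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_chains(events):
    """Host rule: flag parent/child pairs that rarely occur legitimately."""
    findings = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent in SCRIPT_ENGINES and child in NETWORK_TOOLS:
            findings.append((ev["pid"], "script engine spawned network tool"))
        elif parent in OFFICE_APPS and child in SHELLS | SCRIPT_ENGINES:
            findings.append((ev["pid"], "office app spawned shell/script engine"))
    return findings


def beacon_candidates(conns, min_count=5, max_cv=0.10):
    """Network rule: per (src, dst), flag flows whose inter-connection gaps are
    nearly constant (coefficient of variation <= max_cv) over >= min_count hits."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)
    out = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue  # too few samples to call a rhythm
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            out.append((pair, round(avg, 1), round(cv, 3)))
    return out


if __name__ == "__main__":
    for pid, why in suspicious_chains(PROCESS_EVENTS):
        print(f"host    pid={pid} {why}")
    for (src, dst), interval, cv in beacon_candidates(CONNECTIONS):
        print(f"network {src} -> {dst} every ~{interval}s (cv={cv})")
```

The beacon rule tolerates the small jitter many implants add (a few seconds around a 60-second sleep still yields a low coefficient of variation), while the irregular flow to 198.51.100.5 and the three-hit flow from ws02 are dropped, one by variance and one by sample count; raising `max_cv` catches heavier jitter at the cost of more noise from polling software.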

Response Playbook

  1. Scope: isolate endpoints, snapshot memory, capture volatile artifacts.
  2. Contain: block C2, revoke tokens, quarantine identities.
  3. Eradicate: remove persistence, reimage critical assets, rotate secrets.
  4. Recover: restore from immutable backups; verify with canaries.
  5. Learn: reconstruct the timeline; improve detections and hardening.

Prevention That Moves the Needle

  • Allow‑listing and script control; attack surface reduction
  • Strong identity hygiene and access control
  • Network microsegmentation to cap lateral movement
  • Rapid patch cycles; virtual patching at gateways
  • Supply‑chain signing and verification

FAQ

  1. How do we catch new variants?
    Behavior detections outlive families; complement with YARA signatures.

  2. Are backups enough?
    Only if offline/immutable and tested regularly.

  3. What offers the best ROI?
    Attack surface reduction, least privilege, and segmentation.
