Malware Explained
Malware is any software or firmware intentionally designed to perform unauthorized actions that compromise the confidentiality, integrity, or availability of a computer system. NIST defines it as software "intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system." The term combines "malicious" and "software" and serves as the umbrella category for all hostile code, from simple viruses to sophisticated fileless implants.
Email remains the dominant delivery channel for malware. Attackers embed payloads in attachments (macro-enabled Office documents, password-protected ZIP archives, HTML files with embedded scripts) or link to compromised websites that trigger a drive-by download attack. CISA classifies malware alongside phishing as one of the top cyber threats facing organizations.
Types of Malware
Malware falls into several distinct categories based on behavior and propagation method:
- Viruses. Self-replicating code that attaches to legitimate programs or files and executes when the host file runs. A virus spreads only when an infected host is run or shared, so it depends on user action.
- Worms. Self-propagating malware that exploits network vulnerabilities to spread across systems without user interaction.
- Trojans. Malicious programs disguised as legitimate software. Unlike viruses and worms, trojans do not self-replicate but rely on social engineering to trick users into executing them.
- Ransomware. Malware that encrypts files or locks system access and demands payment for restoration. Ransomware has become one of the most financially destructive malware categories, with organized groups offering ransomware-as-a-service toolkits on underground markets.
- Spyware. Software that covertly monitors user activity, captures keystrokes, harvests credentials, or exfiltrates data. Spyware often arrives bundled with seemingly harmless applications.
- Rootkits. Malware designed to maintain persistent, privileged access to a system while actively hiding its presence from security tools and administrators.
- Fileless malware. Attacks that execute entirely in memory, leveraging legitimate system tools (PowerShell, WMI, macros) rather than dropping files to disk. These attacks evade traditional signature-based detection because they leave few artifacts on disk; memory captures, process-creation telemetry and script-block logging are the places they still show up.
How Malware Evades Detection
Modern malware uses multiple techniques to bypass security controls, many of them cataloged under the Defense Evasion tactic of the MITRE ATT&CK framework:
- Polymorphic code. The malware modifies its own code or encrypts its payload with a different key each time it propagates, making signature-based detection unreliable.
- Sandbox evasion. Payloads detect when they are running inside analysis environments and delay execution or alter behavior to appear benign. Techniques include checking for virtual machine artifacts, monitoring mouse movement, and waiting for specific time intervals.
- Steganography. Attackers hide malicious code within image files, audio, or documents. Steganography allows payloads to pass through content filters that scan only for known executable formats; the hidden data is inert until a separate loader extracts and runs it, so the loader is the component worth hunting for.
- HTML smuggling. Malicious scripts embedded in HTML attachments or web pages assemble the payload on the client side after delivery: the file is carried as a Base64 string in JavaScript, decoded in the browser, wrapped in a Blob and handed to the user as a download. Because no file crosses the network, network-level inspection that scans for known malware signatures sees only an HTML document.
- Living-off-the-land. Fileless techniques that abuse legitimate operating system tools (PowerShell, certutil, mshta) to download and execute malicious code without introducing new binaries.
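The HTML smuggling entry above describes a stub that rebuilds a file in the browser. The following is an added example, not code from the original page or from IRONSCALES, showing what a mail gateway can do with such an attachment offline: look for the JavaScript APIs the stub needs (atob, Blob, createObjectURL, the download attribute, msSaveOrOpenBlob), pull out any Base64 literal large enough to carry a file, decode it and record its size, magic bytes and hash. The sample HTML, the "payload" inside it and the threshold of two matching APIs are constructed for the example.

```python
import base64
import hashlib
import re

# Constructed sample attachment: a minimal smuggling stub that decodes a
# Base64 string, wraps it in a Blob and triggers a download. The embedded
# "payload" is a harmless stand-in with a ZIP-style magic header.
SMUGGLED = base64.b64encode(
    b"PK\x03\x04 constructed stand-in for an archive payload"
).decode()
SAMPLE_HTML = f"""<html><body><script>
var b64 = "{SMUGGLED}";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>"""

# JavaScript APIs a smuggling stub needs to rebuild and deliver a file client-side.
SMUGGLING_APIS = ("atob(", "Blob(", "createObjectURL(", ".download", "msSaveOrOpenBlob(")

# Quoted Base64 literals long enough to carry a file rather than a small icon.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')


def triage_html(html: str, min_apis: int = 2) -> dict:
    """Score an HTML attachment for smuggling indicators and extract embedded blobs."""
    apis = [api for api in SMUGGLING_APIS if api in html]
    blobs = []
    for match in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            continue  # not valid Base64, so not a smuggled file
        blobs.append({
            "size": len(data),
            "magic": data[:4],  # first bytes identify the real file type
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    # Flag when the decoding machinery and a decodable blob are both present.
    suspicious = len(apis) >= min_apis and bool(blobs)
    return {"apis": apis, "blobs": blobs, "suspicious": suspicious}


if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
```

The decoded blob, not the HTML wrapper, is what should be hashed, scanned and detonated; its magic bytes expose the real file type regardless of the filename the stub assigns.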
Defenders rely on indicators of compromise (file hashes, command-and-control domains, registry modifications) to identify malware after execution. However, the shift toward fileless and polymorphic techniques means that behavioral analysis and anomaly detection are increasingly necessary alongside traditional signature matching.
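As an added example, not code from the original page or from IRONSCALES, the script below makes the point of the polymorphic-code entry and the paragraph above concrete. It produces several variants of one constructed stand-in payload, each XOR-encrypted under a fresh random key (a key prefix stands in for the decoder stub a real sample would carry), and shows that every variant has a different SHA-256 so a hash IOC from the first sample matches only that sample. A behavioural rule over constructed process-creation events (an Office process launching PowerShell with an encoded command) fires on every variant because the execution chain does not change. The payload bytes, the event format and the rule are assumptions for the example.

```python
import hashlib
import os
import re

# Constructed stand-in for a dropper; nothing here is executable.
PAYLOAD = b"constructed stand-in payload: never run anything real from an example"
KEY_LEN = 16


def polymorphic_variant(payload: bytes, key: bytes = b"") -> bytes:
    """XOR-encrypt the payload under a fresh random key and prefix the key.

    A real polymorphic sample prepends a decoder stub; the key prefix stands
    in for it so the variant can be decoded again."""
    key = key or os.urandom(KEY_LEN)
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return key + body


def decode_variant(blob: bytes) -> bytes:
    """Recover the original payload from a variant (what an emulator would do)."""
    key, body = blob[:KEY_LEN], blob[KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Behavioural rule: an Office process spawning PowerShell with an encoded command.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
ENCODED_PS = re.compile(r"powershell(\.exe)?\s.*-(e|enc|encodedcommand)\b", re.IGNORECASE)


def behavioural_hit(event: dict) -> bool:
    return event["parent"].lower() in OFFICE_PARENTS and bool(ENCODED_PS.search(event["cmdline"]))


def compare_detections(n_variants: int = 5) -> dict:
    """Contrast hash-IOC matching with behavioural detection across variants."""
    variants = [polymorphic_variant(PAYLOAD) for _ in range(n_variants)]
    # The IOC feed only knows the hash of the first sample that was analysed.
    known_hashes = {sha256(variants[0])}
    hash_ioc_hits = sum(sha256(v) in known_hashes for v in variants)
    # Constructed process-creation events: every variant runs through the same chain.
    events = [
        {"parent": "WINWORD.EXE",
         "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
         "file_sha256": sha256(v)}
        for v in variants
    ]
    behaviour_hits = sum(behavioural_hit(e) for e in events)
    return {
        "variants": n_variants,
        "distinct_hashes": len({sha256(v) for v in variants}),
        "hash_ioc_hits": hash_ioc_hits,
        "behaviour_hits": behaviour_hits,
        "all_decode_to_same_payload": all(decode_variant(v) == PAYLOAD for v in variants),
    }


if __name__ == "__main__":
    print(compare_detections())
```

The decoded payload is identical across variants, which is why sandboxing and emulation that run the decoder, and rules on what the code does once running, hold up where a static hash does not.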
Malware Protection from IRONSCALES
IRONSCALES detects malware delivery attempts through behavioral AI analysis of email attachments, embedded links, and sender patterns before payloads reach the inbox.