What is Malware?

Malware (short for malicious software) is any program designed to harm, steal from, spy on, or take over a device without your consent. It is an umbrella term covering viruses, ransomware, spyware, trojans, worms, rootkits, fileless loaders, and cryptojackers. Most modern malware is not a virus. Virus is just one specific type within this much broader category.

CrowdStrike’s 2026 threat report puts the average eCrime breakout time at 29 minutes. The fastest recorded was 27 seconds. That is how long it takes an attacker to go from your first clicked link to full control of your network. Meanwhile, over 600,000 new malware variants are created every single day.

Malware Definition

The U.S. National Institute of Standards and Technology (NIST) defines malware as “software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of a system.” That deliberately broad umbrella covers every malicious program category you have ever heard of.

How Malware Differs From a Virus

A virus, by contrast, is one specific subcategory. It self-replicates by attaching itself to other programs or files, and it usually needs a user action (opening a file, running an executable) to spread. All viruses are malware, but most modern malware is not a virus.

Look at the big-name outbreaks. WannaCry is ransomware combined with a network worm, not a virus. Pegasus is mobile spyware deployed through zero-click exploits, not a virus. ILOVEYOU in 2000 was a genuine virus/worm hybrid that spread through Outlook, but that delivery model is rare today.

The word “antivirus” itself is a legacy name from the 1990s, when viruses dominated. Modern anti-malware tools cover the whole category, including threats that never touch a file the way a classic virus would.

  • Scope: Malware is the umbrella. Virus is one type under that umbrella.
  • Replication: Malware may or may not self-replicate. Viruses always do, via host files.
  • Delivery: Malware arrives through phishing, exploits, downloads, ads, USB, supply chain. Viruses typically require a user to open an infected file.
  • Typical examples: Malware includes ransomware, spyware, rootkits, trojans. Viruses include ILOVEYOU, Melissa, older macro viruses.

How Malware Actually Works: The 6-Stage Attack Chain

Ever reinstalled Windows and the infection came back a week later? That is not bad luck. That is stage 3 of the attack chain doing exactly what it was designed to do.

Stage 1: Entry. The attacker needs a way in. Common routes: phishing emails with malicious attachments, drive-by downloads from compromised websites, infected USB drives, exposed Remote Desktop Protocol ports, pirated software bundles, and tampered updates from trusted vendors.

Stage 2: Execution. The payload has to actually run. This might be an Office macro, a PowerShell script, an EXE, a sideloaded DLL, or the abuse of legitimate Windows binaries (LOLBins) like mshta.exe, rundll32.exe, or regsvr32.exe. If the attacker can make Windows run its own trusted tools against you, most antivirus products will not even flinch.

Stage 3: Persistence. This is why reboots and even reinstalls do not always help. The malware plants itself in registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, RunOnce), creates scheduled tasks, installs itself as a Windows service, subscribes to WMI events, or in the worst cases rewrites the Master Boot Record as a bootkit.

Stage 4: Concealment. The malware hides. It might disable Windows Defender, add itself to Defender’s exclusion list, use a stolen or forged code-signing certificate, or install a rootkit that lies to Task Manager about which processes are running. The PC Security Channel once demonstrated an infected machine where Task Manager looked pristine, because the malware had quietly whitelisted itself inside Defender.

Stage 5: Command and Control (C2). The malware phones home. It beacons out over HTTPS, DNS, or even Telegram channels to fetch instructions and upload whatever it has stolen: saved browser passwords, crypto wallets, session cookies, corporate documents.

Stage 6: Lateral Spread. On a network, the malware uses harvested credentials, SMB shares, RDP, or Active Directory trusts to jump to other machines. WannaCry famously used the EternalBlue exploit to infect roughly 200,000 computers across 150 countries in less than one working day.

The whole chain, from first click to full network compromise, now averages 29 minutes.

Entry → Execution → Persistence → Concealment → C2 → Lateral Spread.

Types of Malware

Fileless malware accounts for 86.2% of critical incident detections, yet 80% of antivirus products still cannot detect it. It is the biggest threat almost nobody names correctly.

1. Virus

The classic. A virus attaches itself to host files or programs and replicates when a user runs the infected file. Most modern “viruses” in news headlines are actually worms, trojans, or ransomware misnamed by habit.

2. Worm

A worm self-replicates across networks without needing a host file or user action. WannaCry spread as a worm using EternalBlue. Mirai spread as a worm across IoT devices with default passwords.

3. Trojan

Disguised as legitimate software. You download what looks like a video player, a cracked Office installer, or an invoice PDF, and it quietly installs something else. Zeus, the banking trojan, stole hundreds of millions of dollars by intercepting online banking sessions.

4. Ransomware

Encrypts your files and demands payment (usually crypto) for the decryption key. 2025 recorded 9,251 attacks, a 45% year-over-year increase, and 88% of those attacks hit small and mid-size businesses. LockBit, Akira, and Play are current leaders. Ransomware is now typically paired with data theft, so paying the ransom does not guarantee your stolen data will not be leaked.

5. Spyware

Covertly monitors activity. It captures screenshots, microphone audio, GPS, messages, and keystrokes. Pegasus, built by NSO Group, is the highest-profile example and has been used against journalists, activists, and politicians worldwide. Commercial stalkerware targeting spouses and partners is a quieter but huge category.

6. Adware

Forces ads, redirects your searches, and often ships bundled with free software. Not usually destructive, but the cheaper strains leak browsing data to whoever pays for it.

7. Rootkit

Embeds in the operating system kernel or the Master Boot Record. Rootkits load before Windows does and can effectively lie to the OS and to antivirus about what is running. They routinely survive full OS reinstalls.

8. Keylogger

Records every keystroke. Passwords, card numbers, private messages. Keyloggers are often a component inside a larger trojan or spyware package rather than a standalone tool.

9. Botnet Malware

Enlists your device into a zombie army used for DDoS attacks, spam, credential stuffing, or crypto mining. Mirai built a botnet out of unsecured IoT cameras and DVRs.

10. Fileless Malware

Lives entirely in memory, PowerShell, WMI, or legitimate Windows binaries. Nothing ever gets written to disk, so signature-based antivirus has nothing to scan. SocGholish is a well-documented fileless loader used to deliver ransomware. Fileless attacks are up 78% year over year.

11. AI-Powered Malware

The newest and fastest-growing category. PROMPTFLUX, documented in 2025, uses a live large language model to rewrite its own code at runtime for obfuscation. LAMEHUG is a Russian state-sponsored AI-enabled strain. AI-enabled adversary operations rose 89% year over year, and independent testing showed GPT-4 could write functional exploit code for 87% of the CVEs it was given.

The common thread is simple. All eleven are malware, most are not viruses, and the newest two (fileless and AI-powered) are specifically designed to defeat the antivirus you already have.

Real-World Malware Examples That Changed the Internet

Dr. Tony Bleetman, an NHS emergency consultant, watched every computer screen in his hospital turn red on May 12, 2017. Ambulances were diverted. Surgeries were cancelled. As he put it: “As I arrived, the WannaCry virus came up on everybody’s screen. We took an old-fashioned white board and marker pens, and we drew a plan of the department.”

WannaCry (2017)

200,000 computers, 150 countries, under one working day. The UK’s National Health Service alone absorbed an estimated £92 million in damages and disruption. Despite the scale, WannaCry generated under $200,000 in actual ransom. It was built on EternalBlue, an exploit stolen from the U.S. National Security Agency and dumped online by the Shadow Brokers. It was stopped almost by accident when researcher Marcus Hutchins registered a kill-switch domain for roughly $10.

Mirai (2016)

Mirai infected millions of IoT devices (cheap routers, security cameras, DVRs) that still used default factory passwords. The resulting botnet took down Dyn, a major DNS provider, which in turn knocked Twitter, Netflix, Reddit, Spotify, and much of the U.S. East Coast internet offline for hours.

Pegasus (Ongoing)

NSO Group’s mobile spyware. Pegasus uses zero-click iMessage exploits to compromise iPhones without the target ever tapping anything. It has been found on the phones of journalists, human rights lawyers, and heads of state. It is the clearest proof that “my phone is safer than a PC” is no longer a reliable assumption.

ILOVEYOU (2000)

A Filipino college student’s Visual Basic script, delivered as an email attachment pretending to be a love letter. It caused $5 to $10 billion in global damage and shut down email systems at the Pentagon, CIA, and UK Parliament. The perfect social engineering hook, because who deletes a love letter without reading it?

In every case, malware rode on stolen exploits, unpatched systems, or human trust. The attack vector changes every few years. The dependency on human oversight does not.

Signs of a Malware Infection

Task Manager says your PC is clean. Windows Defender agrees. But your browser is sluggish, your fan won’t quit, and something feels off. In Why Task Manager Hides Malware (And How to Find It), the MalwareFox team walks through exactly this scenario: a live infected machine that looks completely normal in every standard diagnostic tool, because the malware had added itself to Defender’s own exclusion list.

Visible Symptoms

These are the classic, noticeable tells:

  • Sudden slowdown, fans running at full speed, laptop hot to the touch (classic cryptojacking behavior).
  • New browser toolbars you did not install, a homepage that keeps reverting, constant search redirects.
  • Pop-ups that appear even when your browser is closed.
  • Programs crashing randomly, Blue Screen of Death, or Task Manager and Registry Editor suddenly disabled.
  • Files renamed with unfamiliar extensions like .locky, .wcry, or .encrypted. That is ransomware actively encrypting right now.
  • A noticeably higher electricity bill with no other explanation. Serious cryptojacking pulls real power.
  • Friends telling you they got weird DMs or emails from your accounts.

Invisible Symptoms

Modern malware is designed to leave no visible footprint. Watch for these instead:

  • Perfectly normal performance while your saved passwords are being exfiltrated in the background.
  • Antivirus that has been quietly disabled, or folders added to its exclusion list without your knowledge.
  • Outbound network traffic to unfamiliar IP addresses or countries (only visible in your router or firewall logs).
  • Your email address or saved passwords appearing in new breach notifications on Have I Been Pwned.
  • Login activity from countries you have never visited, shown in your Google, Microsoft, Apple, or Meta account security dashboards.

The absence of symptoms is not proof of safety. It might just be proof of a better-built piece of malware.
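The two invisible symptoms that a script can actually check are the ones about Defender (disabled, or carrying exclusions you never added) and the one about outbound traffic. The PowerShell below is an added example, not MalwareFox code and not part of the original article: it reports Defender's protection state, lists every exclusion, flags exclusions that cover user-writable or whole-drive paths (the "risky" patterns are an assumption to tune for your own setup), and shows which process owns each established connection to an address outside the local network. Run it from an elevated PowerShell on Windows 10/11.

```powershell
# Added example (not MalwareFox code): Defender health, exclusion audit and
# outbound-connection listing. Requires an elevated prompt and the Defender module.

function Get-DefenderHealth {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # Group-policy key that silently turns Defender off when set to 1
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $disabledByPolicy = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).DisableAntiSpyware -eq 1

    [pscustomobject]@{
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        BehaviorMonitoring  = $status.BehaviorMonitorEnabled
        TamperProtection    = $status.IsTamperProtected
        DisabledByPolicyKey = $disabledByPolicy
        SignatureAgeDays    = ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days
        ExcludedPaths       = @($pref.ExclusionPath)
        ExcludedProcesses   = @($pref.ExclusionProcess)
        ExcludedExtensions  = @($pref.ExclusionExtension)
    }
}

# Exclusions that cover a whole drive or folders any user can write to give
# malware a free pass. The patterns below are an assumption; adjust for your setup.
function Get-RiskyExclusions {
    $risky = '^[A-Za-z]:\\?$', '\\Users\\', '\\Temp\\?', '\\AppData\\', '\\ProgramData\\?$', '\\Downloads'
    foreach ($path in @((Get-MpPreference).ExclusionPath)) {
        if ($path -and ($risky | Where-Object { $path -match $_ })) { $path }
    }
}

# Established TCP connections to non-private addresses, with the owning process.
function Get-ExternalConnections {
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }
    $private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.0\.0\.0|::1$|fe80:|::$)'
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch $private } |
        ForEach-Object {
            $p    = $byPid[[int]$_.OwningProcess]
            $name = if ($p) { $p.ProcessName } else { '?' }
            $path = if ($p) { $p.Path } else { $null }
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid     = $_.OwningProcess
                Process = $name
                Path    = $path
            }
        } | Sort-Object Remote, Pid -Unique
}

Get-DefenderHealth | Format-List
Write-Host 'Risky exclusions:'
Get-RiskyExclusions
Write-Host 'External connections:'
Get-ExternalConnections | Format-Table -AutoSize
```

Any exclusion you did not add yourself, a signature age of more than a few days on a machine that is online, or a connection owned by a process with no path (or a path under a temp or profile folder) is worth a closer look before you trust the "all clear" from Task Manager.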

How Malware Spreads: The 7 Most Common Infection Routes

Knowing the seven most common infection routes closes roughly 95% of the attack surface a typical home user or small business faces.

  1. Phishing email. Still the most common entry point by a wide margin. Malicious Office attachments, ISO or ZIP files hiding scripts, and credential-stealing links to fake Microsoft or Google login pages.
  2. Drive-by downloads and malvertising. Legitimate-looking sites serve ads that carry exploit kits, or users are pushed to fake “your browser is out of date” prompts. SocGholish spreads this way through compromised WordPress sites.
  3. Pirated software and cracks. Trojanized installers from torrent sites and crack forums. KMS activators for Windows and Office are a classic delivery vehicle for coin miners and info-stealers.
  4. Infected USB drives. Still effective in 2026. Stuxnet used this route against Iran’s air-gapped nuclear centrifuges in the late 2000s, and USB-delivered malware is still common in corporate espionage.
  5. Exposed remote services. RDP, SSH, SMB, or VNC ports open to the internet with weak or reused passwords. This is the single biggest ransomware entry point for small businesses.
  6. Supply chain attacks. A malicious update pushed through a trusted vendor. SolarWinds (2020) compromised U.S. federal agencies. The 3CX breach (2023) affected hundreds of thousands of business phone installations.
  7. Mobile sideloading and malicious apps. Android APKs installed from outside Google Play, fake TestFlight invites on iOS, and trojanized apps that briefly slip past official store review.

Every route on this list can be blocked. None can be blocked by a single tool. Protection is always layered.

How to Protect Against Malware: A Layered Defense Strategy

You do not need ten security products. You need three layers, done well.

Layer 1: Hygiene (Free, Non-Negotiable)

Most malware exploits a bug that already has a fix. Patching is the single highest-return security task you can do.

  • Patch everything on a schedule: operating system, browser, browser extensions, router firmware, phone OS.
  • Multi-factor authentication on every account that offers it. Prefer an authenticator app or a hardware key over SMS.
  • Strong, unique passwords stored in a reputable password manager. Reused passwords are the fuel for credential-stuffing attacks.
  • Your daily-driver Windows account should not be an Administrator. Create a separate admin account you only use when needed.
  • Back up your important data to an offline or immutable copy, and test the restore at least once a quarter. An untested backup is a hope, not a backup.

Layer 2: Active Defenses (The Anti-Malware Stack)

  • Install a dedicated, behavior-based anti-malware tool that replaces Windows Defender as your primary protection. MalwareFox is built for exactly this: it takes over from Defender automatically (Defender steps aside), uses behavior-based detection to catch fileless and rootkit-adjacent threats, includes ransomware lockdown and zero-day protection, and starts at $24 per year for a single device with a 15-day free trial and no credit card required.
  • Use a reputable ad and tracker blocker in your browser, plus MinerBlock or a similar extension to stop in-browser cryptojacking.
  • Set your DNS resolver to Quad9, NextDNS, or Cloudflare 1.1.1.1 for Families. Malicious domains get blocked before your browser ever connects.

Layer 3: Behavior and Awareness

  • Treat every unexpected email, SMS, and DM as a potential phish until you can verify the sender through another channel.
  • Do not install software from outside official app stores or the vendor’s own website.
  • Check your email addresses against Have I Been Pwned every few months, and rotate any password that shows up in a breach.
  • If you run a business, schedule phishing-simulation training for staff, document your incident response plan, and actually test your offline backups once a month.

Three layers: hygiene, active defense, behavior. That stops the overwhelming majority of attacks. Everything beyond it is diminishing returns.
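Three of the items above can be checked (and one of them fixed) from a script: how long it has been since the last patch was installed, whether the account you use every day sits in the local Administrators group, and which DNS resolvers each network adapter is pointed at. The PowerShell below is an added example and not MalwareFox code. The "filtering resolver" list is an assumption built from the published Quad9 and Cloudflare for Families addresses; NextDNS is left out because its addresses are per account. The setter uses Quad9 and needs an elevated prompt.

```powershell
# Added example (not MalwareFox code): hygiene self-check for Layer 1 and the DNS item of Layer 2.

# Assumed "known-good" filtering resolvers: Quad9, Cloudflare 1.1.1.1 for Families
# (malware-only and malware+adult variants). NextDNS addresses are per account.
$filteringResolvers = @('9.9.9.9', '149.112.112.112', '1.1.1.2', '1.0.0.2', '1.1.1.3', '1.0.0.3')

# Days since the newest hotfix was installed; $null if nothing has an install date.
function Get-LastPatchAgeDays {
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }
}

# True when the account running this script is a member of local Administrators.
function Test-CurrentUserIsLocalAdmin {
    $me     = [Security.Principal.WindowsIdentity]::GetCurrent().Name   # COMPUTER\user
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    [bool]($admins | Where-Object { $_.Name -eq $me })
}

# One row per adapter that has IPv4 DNS servers configured, with a Filtering flag.
function Get-DnsResolverReport {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Servers   = ($_.ServerAddresses -join ', ')
                Filtering = [bool]($_.ServerAddresses | Where-Object { $filteringResolvers -contains $_ })
            }
        }
}

# Point one adapter at Quad9 (primary and secondary). Requires elevation.
function Set-Quad9Dns([string]$InterfaceAlias) {
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @('9.9.9.9', '149.112.112.112')
}

"Days since last patch : $(Get-LastPatchAgeDays)"
"Daily account is admin: $(Test-CurrentUserIsLocalAdmin)"
Get-DnsResolverReport | Format-Table -AutoSize
# Example: Set-Quad9Dns -InterfaceAlias 'Wi-Fi'
```

A patch age in the weeks, a daily account that reports admin, or an adapter whose Filtering column reads False are the findings to act on; the rest of Layer 1 (MFA, password manager, tested backups) has to be verified by hand.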

What to Do If You’re Already Infected

The first 30 minutes after you spot malware decide whether you lose an afternoon or lose your business. Here is the order of operations.

First 30 Minutes: The Immediate Checklist

  1. Do not reboot yet. Some malware completes its damage routine, wipes forensic evidence, or finalizes encryption on restart. Keep the machine running.
  2. Disconnect from the internet. Unplug the Ethernet cable, turn off Wi-Fi, and disable any cellular hotspot. This cuts the command-and-control channel and stops lateral spread.
  3. Disconnect external drives and pause cloud sync. OneDrive, Dropbox, Google Drive, and iCloud will happily sync your newly encrypted files over your clean backups if you let them.
  4. Document what you see. Screenshots of ransom notes, unusual processes, pop-ups, and file extensions. You will need this for insurance claims, law enforcement, and any incident response firm you bring in.
  5. Do not pay the ransom yet. Under 50% of ransomware victims who pay get a working decryptor, and paying funds the next attack. Contact your cyber insurance provider, an incident response firm, or your national cybercrime unit first.
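Steps 2 through 4 above have an ordering problem in practice: the moment you pull the network cable, the process list and connection table that would tell an incident responder what was talking to where are gone, and a later reboot finishes the job. The PowerShell below is an added example, not MalwareFox code, that captures that volatile state to a folder first, then pauses the common sync clients, then disables every active adapter. The output folder name, the ransom-note filename patterns, and the sync-client process names are assumptions; run it elevated.

```powershell
# Added example (not MalwareFox code): capture volatile evidence, then isolate the host.
# Folder name is an assumption; put it on a USB stick you will remove afterwards if you can.
$OutDir = "C:\IR-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Volatile state first: it disappears on isolation (connections) and on reboot (everything).
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv "$OutDir\processes.csv" -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv "$OutDir\tcp.csv" -NoTypeInformation
Get-DnsClientCache | Export-Csv "$OutDir\dnscache.csv" -NoTypeInformation
query user 2>$null | Out-File "$OutDir\sessions.txt"

# 2. Candidate ransom notes and newly renamed files in the profile (patterns are an assumption).
Get-ChildItem -Path $env:USERPROFILE -Recurse -ErrorAction SilentlyContinue `
    -Include '*readme*.txt', '*decrypt*.txt', '*.locky', '*.wcry', '*.encrypted' |
    Select-Object FullName, LastWriteTime |
    Export-Csv "$OutDir\candidate-notes-and-encrypted.csv" -NoTypeInformation

# 3. Stop sync clients before cutting the network so a half-synced state is not pushed
#    over the clean copies. Process names assume the current Windows clients.
Get-Process OneDrive, Dropbox, GoogleDriveFS -ErrorAction SilentlyContinue | Stop-Process -Force

# 4. Isolate: every adapter that is up (Ethernet, Wi-Fi, hotspot) goes down.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

"Evidence written to $OutDir; host is now offline. Do not reboot."
```

Keep the evidence folder with the screenshots from step 4; the CSVs give an incident response firm or your insurer the process tree and the remote addresses that a photo of a ransom note cannot.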

How to Remove Malware

  1. Boot into Safe Mode with Networking, or into the Windows Recovery Environment if you suspect a rootkit or bootkit.
  2. Run a reputable behavior-based anti-malware scanner. MalwareFox is designed for exactly this job. It replaces Windows Defender as your primary protection (Defender steps aside automatically), catches fileless and rootkit-adjacent categories Defender misses, performs deep on-demand scans, and removes persistence artifacts like registry Run keys and scheduled tasks.
  3. Cross-check with a second on-demand scanner (Malwarebytes Free is a good second opinion). No single engine catches everything.
  4. Manually review persistence locations if anything still feels off: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Task Scheduler, and the Services console. Unknown entries with random names are suspect.
  5. Rotate every important password from a separate, known-clean device (your phone on mobile data is fine). Enable MFA everywhere it is offered.
  6. Check every email address you own against Have I Been Pwned. Assume anything breached is actively being used.
  7. If you have strong evidence of a rootkit (repeated reinfection, boot-level strangeness, AV crashing on startup), wipe and reinstall Windows from known-good media. For UEFI or MBR rootkits, perform a low-level disk format before reinstalling.
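Step 4 above and Stage 3 of the attack chain earlier name the same persistence locations: the Run and RunOnce keys, scheduled tasks, services, and WMI event subscriptions. The PowerShell below is an added example (not MalwareFox code and not from the article) that enumerates all four and runs an Authenticode signature check on every binary they point at, so the review is driven by "unsigned or missing" rather than by whether a name looks random. The regular expression that pulls an executable path out of a command line is a simplification and an assumption; it handles quoted paths, paths with spaces, and plain `svchost.exe -k` style entries. Run it elevated.

```powershell
# Added example (not MalwareFox code): persistence audit with signature checks. Run elevated.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Extract the executable from a command line (assumed heuristic):
#   "C:\Program Files\App\app.exe" --min   |   C:\Program Files\App\app.exe /s   |   svchost.exe -k netsvcs
function Get-ExePath([string]$cmd) {
    if (-not $cmd) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|dll|bat|cmd|ps1|vbs|js|hta))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-Signed([string]$path) {
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'MISSING' }
    (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
}

function New-Row($source, $name, $command) {
    $exe = Get-ExePath $command
    [pscustomobject]@{ Source = $source; Name = $name; Command = $command; Exe = $exe; Signature = (Test-Signed $exe) }
}

function Get-PersistenceReport {
    $items = @()

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip the provider's own PSPath etc.
            $items += New-Row 'Registry' "$key\$($p.Name)" $p.Value
        }
    }

    foreach ($t in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }             # COM-handler actions have no Execute
            $items += New-Row 'Task' "$($t.TaskPath)$($t.TaskName)" "$($a.Execute) $($a.Arguments)"
        }
    }

    foreach ($s in Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName }) {
        $items += New-Row 'Service' $s.Name $s.PathName
    }

    # WMI permanent event subscriptions: the consumer is where the command lives.
    $ns = 'root\subscription'
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        $items += New-Row 'WMI' $c.Name $c.CommandLineTemplate
    }
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue) {
        $items += [pscustomobject]@{ Source = 'WMI'; Name = $c.Name; Command = "$($c.ScriptFilename) $($c.ScriptText)"; Exe = $null; Signature = 'SCRIPT' }
    }
    $items
}

# Everything that is not 'Valid' needs a human decision. MISSING on a service
# usually means an unquoted path with spaces, which is itself worth fixing.
Get-PersistenceReport | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize -Wrap
```

Plenty of legitimate software (updaters, GPU utilities, older drivers) also shows up as NotSigned, so treat the list as a work queue, not a verdict; an entry pointing into a Temp, AppData, or ProgramData folder with a valid-looking but unfamiliar publisher deserves the same scrutiny as an unsigned one.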

Most infections are recoverable if you act in the right order. Panic and reboot is what turns a recoverable incident into a catastrophic one.

Frequently Asked Questions

Can malware infect my phone or tablet?

Yes. Android is the more common target because of sideloading, but iOS is not immune. Pegasus spyware has repeatedly compromised fully patched iPhones using zero-click iMessage exploits. Common mobile threats include banking trojans in fake apps, stalkerware installed by a partner, and malicious configuration profiles delivered through phishing links.

What is fileless malware?

Fileless malware runs entirely in memory, PowerShell, WMI, or legitimate Windows binaries without ever writing a file to disk. Because there is no file to scan, signature-based antivirus has nothing to match against.

How does malware spread across a network?

Once a single machine is compromised, malware typically harvests cached credentials and uses legitimate protocols (SMB shares, RDP, Active Directory trusts) to log into other machines. Worm-style threats like WannaCry use network exploits to spread without credentials at all.

What are the most common signs of a malware infection?

Visible signs include sudden slowdowns, overheating, browser redirects, pop-ups when the browser is closed, disabled Task Manager, and files renamed with unusual extensions. Invisible signs include unexplained logins from unfamiliar countries.

Does Windows Defender catch all malware?

No. Defender handles common, file-based threats but has documented gaps: fileless malware can add itself to Defender’s exclusion list to blind it, and rootkits load before Defender does and hide from its scans entirely. MalwareFox replaces Defender as your primary protection — Defender steps aside automatically — and adds behavior-based detection that catches what signature scanning misses.
