What "malware" actually means
Malware is software written to do something the owner of the device would not consent to if asked. That definition does most of the work. It excludes annoying-but-consented software (advertising in free apps), includes software the user voluntarily installed without understanding its full behavior (most spyware), and makes intent — not technique — the deciding factor.
Every attempt at a more precise operational definition (e.g., "code that self-propagates") ends up excluding software that is plainly malicious (e.g., a banking trojan that never spreads and just sits there harvesting credentials). The intent test is sloppy but right.
The three axes
Any malware sample sits somewhere on each of these axes. Together they describe the sample more usefully than any single label.
Intent
The goal the attacker is chasing. Money (ransomware, banking trojans, cryptojackers), espionage (state actors, APTs), disruption (NotPetya, Stuxnet), or chaos (some early worms). Intent drives every other design choice.
Propagation
How copies of the malware get from one machine to another. Worm (self-replicating, network), virus (host-dependent), trojan (user runs it voluntarily), supply chain (poisoned legitimate software), watering hole (compromised popular site), USB / removable media.
Payload
The action it performs once running. Encrypt-and-demand (ransomware), steal-and-exfiltrate (infostealers, spyware), persist-quietly (backdoors, RATs), abuse-the-host (cryptojackers, DDoS bots), or destroy-data (wipers).
The familiar family names are combinations of these three axes. Ransomware = money-intent + any-propagation + encrypt-payload. Worm mostly describes propagation alone, with the other two axes free to vary. Trojan describes propagation (deception) only. So two samples with the same name can be wildly different on the other two axes, and two samples with different names can be nearly identical.
Try it — the classifier
Pick a value on each axis. The classifier tells you which named family this sample most resembles, plus a real-world example matching that combination.
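The interactive widget is not reproduced on this page. What follows is an added example, not the page's own classifier: a rule-based version in Python that uses the page's three-axis vocabulary. The rule table (payload picks the family name, intent breaks ties, propagation supplies the second word) is my reading of the text above, and the corpus of public cases is constructed for the demonstration, with each placement stated in a comment.

```python
"""Rule-based stand-in for the three-axis classifier.

Added example, not the page's widget. The axis vocabulary is the page's;
the rules that turn axes into a family name and the sample corpus are
mine, built for illustration.
"""
from dataclasses import dataclass
from itertools import combinations

INTENTS = ("money", "espionage", "disruption", "chaos")
PROPAGATIONS = ("worm", "virus", "trojan", "supply-chain",
                "watering-hole", "removable-media")
PAYLOADS = ("encrypt", "steal", "persist", "abuse-host", "destroy")


@dataclass(frozen=True)
class Sample:
    name: str
    intent: str
    propagation: str
    payload: str

    def __post_init__(self):
        # Reject values outside the page's vocabulary before they reach the rules.
        if (self.intent not in INTENTS or self.propagation not in PROPAGATIONS
                or self.payload not in PAYLOADS):
            raise ValueError(f"{self.name}: axis value outside vocabulary")

    def axes(self):
        return (self.intent, self.propagation, self.payload)


def family(s: Sample) -> str:
    """Headline family name: decided by payload, with intent breaking ties."""
    if s.payload == "encrypt":
        # Encrypt-and-demand is ransomware only when someone is collecting;
        # encryption with no recovery path is a wiper whatever the note says.
        return "ransomware" if s.intent == "money" else "wiper"
    if s.payload == "destroy":
        return "wiper"
    if s.payload == "steal":
        return "spyware" if s.intent == "espionage" else "infostealer"
    if s.payload == "persist":
        return "backdoor/RAT"
    return "cryptojacker/DDoS bot"  # abuse-host: the page groups these together


# Second word of the label comes from the propagation axis alone.
PROPAGATION_WORD = {
    "worm": "worm", "virus": "virus", "trojan": "trojan",
    "supply-chain": "supply-chain", "watering-hole": "web-delivered",
    "removable-media": "USB-borne",
}


def label(s: Sample) -> str:
    """Compose the two-word label seen in reporting: family + propagation."""
    return f"{family(s)} {PROPAGATION_WORD[s.propagation]}"


def axis_distance(a: Sample, b: Sample) -> int:
    """Number of axes (0..3) on which two samples differ."""
    return sum(x != y for x, y in zip(a.axes(), b.axes()))


def same_family_different_axes(corpus):
    """Samples sharing a family name but differing elsewhere:
    the 'same name, wildly different' case from the text."""
    out = {}
    for a, b in combinations(corpus, 2):
        if family(a) == family(b) and axis_distance(a, b) > 0:
            out.setdefault(family(a), set()).update({a.name, b.name})
    return out


def different_family_one_axis_apart(corpus):
    """Pairs with different family names that differ on exactly one axis:
    the 'different names, nearly identical' case."""
    return sorted((a.name, b.name) for a, b in combinations(corpus, 2)
                  if family(a) != family(b) and axis_distance(a, b) == 1)


# Constructed corpus of well-known public cases placed on the page's axes.
CORPUS = [
    Sample("WannaCry", "money", "worm", "encrypt"),
    Sample("Ryuk", "money", "trojan", "encrypt"),          # delivered by loaders, no self-spread
    Sample("NotPetya", "disruption", "worm", "encrypt"),   # encrypts with no recovery: wiper in effect
    Sample("Emotet", "money", "trojan", "persist"),        # loader/backdoor, access sold on
    Sample("Agent Tesla", "money", "trojan", "steal"),
]


def classify(intent: str, propagation: str, payload: str, corpus=CORPUS):
    """What the widget does: the label for the chosen axes plus the corpus
    samples sitting at exactly that point."""
    probe = Sample("probe", intent, propagation, payload)
    return label(probe), [s.name for s in corpus if axis_distance(s, probe) == 0]


if __name__ == "__main__":
    for s in CORPUS:
        print(f"{s.name:12} -> {label(s)}")
    print(same_family_different_axes(CORPUS))
    print(different_family_one_axis_apart(CORPUS))
```

The two helper queries reproduce the claim in the text: WannaCry and Ryuk share the ransomware name but differ on propagation, while WannaCry and NotPetya differ on intent alone and come out with different names.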
The parasitic family — covered briefly here
Three malware families share enough characteristics (low-intensity, often technically legal, often user-consented at install) that they get grouped together rather than each having a dedicated page.
| Family | What it is | How it pays the attacker |
|---|---|---|
| Spyware | Software that observes the user without their knowledge: keystrokes, screen, browsing history, microphone, location. Includes nation-state implants (Pegasus) and commodity stalkerware (mSpy, Cocospy). | Sold intelligence (commercial), domestic abuse (stalkerware), corporate espionage. |
| Adware | Software that injects ads into the user's experience — browser injects, search-result redirects, pop-ups. Lives in the gray zone of consent (many users technically "agreed" via an installer). | Affiliate revenue, ad fraud, traffic resale. |
| Cryptojackers | Software that uses the victim's CPU / GPU to mine cryptocurrency (almost always Monero). Browser-based (Coinhive, 2017–2019) and binary forms (XMRig dropped onto compromised servers). | Direct — the mined coins go to the attacker's wallet. |
The grouping is useful because the defense against all three is similar: behavioral detection (these processes act weird), egress filtering (mining pools and adware C2 are predictable), and platform-level controls (iOS lockdown mode, hardened browser policies). The categories you see on the section index — viruses, worms, trojans, ransomware, rootkits — deserve their own pages because their defenses diverge.
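The egress-filtering point is the one of the three defenses that can be shown in code. The following is an added example, not from the page: a triage routine over constructed connection-log lines that flags outbound connections whose first message looks like Stratum mining JSON-RPC (the `login`/`submit` dialect pool miners such as XMRig speak for Monero, and the older `mining.*` dialect) and treats well-known pool ports as a weaker, review-only signal. The log format, the sample lines and the port list are my assumptions for the demonstration.

```python
"""Egress triage for cryptojacker traffic (added example, not the page's code).

Strong signals: a Stratum method name or a miner user-agent in the first
bytes a process sends. Weak signal: a default pool port, which is not
reserved and so only earns a review. Log format and samples are constructed.
"""
import json
import re

# Stratum-family JSON-RPC methods: "login"/"submit" in the Monero dialect,
# "mining.*" in the original Bitcoin dialect.
STRATUM_METHODS = {"login", "submit",
                   "mining.subscribe", "mining.authorize", "mining.submit"}
# Default ports seen in miner configs (assumed list, weak on its own).
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
MINER_AGENT = re.compile(r"xmrig|xmr-stak|cpuminer", re.I)

# Constructed log format: one line per new outbound connection, with the
# first payload line the process sent captured in first='...'.
LINE = re.compile(
    r"proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) first='(?P<first>.*)'$")


def classify_egress(line: str):
    """Return a verdict dict for one log line, or None if it does not parse."""
    m = LINE.search(line)
    if not m:
        return None
    port = int(m["port"])
    reasons = []
    try:
        msg = json.loads(m["first"])
    except ValueError:
        msg = None  # not JSON at all: HTTP, TLS, etc.
    if isinstance(msg, dict):
        if msg.get("method") in STRATUM_METHODS:
            reasons.append(f"stratum method {msg['method']}")
        params = msg.get("params")
        agent = params.get("agent", "") if isinstance(params, dict) else ""
        if MINER_AGENT.search(agent):
            reasons.append(f"miner agent {agent}")
    if port in POOL_PORTS:
        reasons.append(f"pool port {port}")
    strong = any(not r.startswith("pool port") for r in reasons)
    verdict = "block" if strong else ("review" if reasons else "allow")
    return {"proc": m["proc"], "pid": int(m["pid"]),
            "dst": f"{m['ip']}:{port}", "verdict": verdict, "reasons": reasons}


def triage(lines):
    """Classify every parseable line, preserving order."""
    return [r for r in map(classify_egress, lines) if r is not None]


# Constructed sample log: a miner hiding behind a kernel-thread name, a
# Windows process speaking the older dialect, a benign HTTPS fetch, and a
# benign JSON-RPC client that happens to use a pool-looking port.
SAMPLE_LOG = [
    "2026-03-01T10:00:01Z proc=kworker pid=4242 dst=198.51.100.7:14444 "
    "first='{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\","
    "\"params\":{\"login\":\"44abc\",\"pass\":\"x\",\"agent\":\"XMRig/6.21.0\"}}'",
    "2026-03-01T10:00:02Z proc=svchost.exe pid=912 dst=203.0.113.9:3333 "
    "first='{\"id\":1,\"method\":\"mining.subscribe\",\"params\":[]}'",
    "2026-03-01T10:00:03Z proc=curl pid=77 dst=203.0.113.5:443 "
    "first='GET / HTTP/1.1'",
    "2026-03-01T10:00:04Z proc=node pid=88 dst=10.0.0.5:4444 "
    "first='{\"jsonrpc\":\"2.0\",\"method\":\"eth_blockNumber\",\"params\":[],\"id\":1}'",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['verdict']:6} {r['proc']:12} {r['dst']:20} {', '.join(r['reasons'])}")
```

The point of the two-tier verdict is that protocol content is the predictable part; destination ports and IPs change whenever a pool is blocked, so they belong in the review queue rather than the block list.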
Notes on the labels you'll see in the wild
- "Virus" in casual usage means any malware, but strictly it means host-dependent self-replication: the malware attaches itself to a legitimate file and executes whenever that file does. True viruses are vanishingly rare in 2026 because code signing, package integrity checks and read-only system binaries made the host-attachment trick both hard to pull off and loud when attempted.
- "Trojan" describes propagation (the user runs it voluntarily), not behavior. A "banking trojan" is a trojan whose payload is credential theft from banking sessions; a "ransomware trojan" is a trojan whose payload is encrypt-and-demand.
- "Bot" / "RAT" describe payload — remote-controllable agents. Most modern RATs (NetSupport Manager, Cobalt Strike when misused, AsyncRAT) are also trojans (delivered by deception) and may have worm-like spreading capability after initial access.
- "APT" (Advanced Persistent Threat) names the actor, not the malware. APT-attributed campaigns use the same malware families as criminal campaigns; the difference is patience and objective.
- "PUP" / "PUA" (Potentially Unwanted Program / Application) is a vendor euphemism for malware that's lawyer-borderline — usually adware or aggressive freeware bundlers.
The next six pages
Each one drills into a family that needs more than a row in a table:
- Viruses & Worms — the propagating originals.
- Trojans, Droppers, Loaders — the deception family and modern multi-stage chains.
- Ransomware — the headline category of the 2020s.
- Rootkits & Bootkits — persistence at the lowest possible layer.
- The Kill Chain — the lifecycle every campaign moves through.
- Defenses — the modern stack that disrupts the chain.