08.03 · The deception family

Trojans, Droppers, Loaders

A worm forces its way in. A trojan gets invited. Modern campaigns don't ship a single payload — they ship a chain, where each stage's only job is to fetch and run the next one. That chain is the dominant malware-delivery pattern of the 2020s.

The four words you need to keep straight

These get used interchangeably even by vendors who should know better. They mean different things.

Trojan

Any malware delivered by deceiving the user into running it. Describes how it arrived, not what it does. A "banking trojan" is delivered by deception and steals banking credentials.

Dropper

A binary whose only job is to drop another binary on disk and run it. Often packs the next stage as encrypted bytes inside itself. Once the next stage runs, the dropper deletes itself.

Loader

A dropper that fetches its next stage from the internet rather than carrying it. Smaller, more flexible (the operator can swap payloads without re-delivering), harder to analyze statically because the payload isn't in the file.

Stager

A loader that fetches a minimal next stage which itself fetches more — usually shellcode in memory. Common in red-team frameworks (Cobalt Strike, Sliver, Mythic). Designed to keep file-on-disk artifacts minimal.

In a modern campaign, the user opens a phishing attachment (a trojan), it drops a small loader, the loader fetches a Cobalt Strike beacon (a stager), and the beacon eventually pulls down the final payload (e.g. ransomware). Four distinct binaries, each detectable only briefly, none of them carrying the dangerous one in plaintext at any point.

A real chain — the Emotet / TrickBot / Ryuk lineage

The most-studied attack chain of 2018-2021. Emotet was the loader-as-a-service; TrickBot was the post-exploitation toolkit; Ryuk (and later Conti) was the ransomware payload. Each one was deployed and operated by a different criminal crew, each selling access to the next one up the food chain.

Multi-stage attack chain

Stage 1: Phishing email (trojan, deception layer)

"Invoice attached." Word document with a malicious macro. User opens it, clicks "Enable Content," macro fires. Payload at this stage: a tiny PowerShell command.

Stage 2: Emotet loader (loader, fetch & run)

PowerShell downloads Emotet's main binary. Emotet establishes persistence, contacts its C2 over HTTPS, and waits for instructions. The instructions are usually: fetch and run the next module.

Stage 3: TrickBot modules (stager + tools)

Emotet drops TrickBot, which dynamically loads modules: Mimikatz for credential harvesting, lateral-movement modules, Cobalt Strike beacon. Operators map the network, escalate to domain admin.

Stage 4: Ryuk / Conti ransomware (final payload)

After 2-14 days of recon, the operators deploy ransomware to every reachable machine simultaneously — usually overnight, usually after disabling backups. Encryption finishes before incident responders can react.

Why this design works: at no point does a single binary contain the dangerous payload. Stage 1 is a Word macro — trivial to write, easy to update. Stage 2 is a small loader that does nothing illegal-looking on its own. The ransomware payload is fetched only when the operators are ready, and only to networks they've already mapped. Detection at each stage requires different signals; missing the early stages means encountering the late stages with no time to react.

Why modular won

In the 2000s a single binary did everything — propagation, persistence, payload. In the 2020s those jobs are split across separate stages run by separate teams. The split has structural advantages for attackers:

  • Specialization. The loader operator (Emotet, Qakbot, IcedID) focuses on access. The post-exploitation operator (TrickBot, Cobalt Strike) focuses on lateral movement. The ransomware operator (LockBit, BlackCat) focuses on encryption. Each team sells its capability to the others as a service.
  • Defensive evasion. Each stage is small. If a signature catches stage 2, swap stage 2; the loader's customers (paying $5K/month) get an update overnight. Signature-based detection is structurally one step behind.
  • Selective payloads. The loader operator can see what kind of network they landed in. Hospital? Drop ransomware. Government agency? Sell access to an espionage team. Random consumer? Drop infostealers. One foothold, multiple monetization paths.
  • Quick replacement. When law enforcement takes down a loader family (Emotet got knocked over in January 2021), the ecosystem reorganizes around the next one (Qakbot, IcedID, Pikabot) within months. The chain is more durable than any single link.

Notable trojans & loaders

Year | Family | Role | Notable
---- | ------ | ---- | -------
1989 | AIDS Trojan | First ransomware-style trojan | Mailed on floppy disks claiming to be AIDS info; encrypted file names; demanded payment to a Panama PO box.
2006 | Zeus | Banking trojan | Stole banking credentials via form-grabbing; the source code leaked in 2011 and powered a generation of derivatives (Citadel, Gameover Zeus).
2014 | Emotet | Loader / loader-as-a-service | Started as a banking trojan, pivoted to selling delivery to ransomware crews. Taken down by international LE in Jan 2021; rebuilt itself by late 2021; finally faded ~2024.
2016 | TrickBot | Post-exploitation toolkit | Modular: credential theft, lateral movement, browser injects. Paired with Ryuk and Conti. Microsoft and U.S. Cyber Command disrupted its infrastructure in October 2020.
2017 | Cobalt Strike (misuse) | Stager + post-exploitation framework | Legitimate red-team tool whose cracked versions became the dominant criminal C2 framework. Implicated in roughly two-thirds of major intrusions from 2020-2023.
2020 | IcedID | Loader | Stepped into Emotet's gap after the 2021 takedown. Distributed via macro-laden Office docs, then via ISO/IMG containers when Microsoft killed macros.
2022 | Qakbot | Loader | Long-running family revived as a primary delivery vehicle. Taken down by FBI in August 2023; partial resurgence late 2023.
2023 | Pikabot | Loader | Filled the post-Qakbot gap. Lives in the same niche as IcedID: phishing → small loader → sells access.

Defenses at this layer

  • Disable Office macros by default. Microsoft started blocking macros from internet-downloaded files in 2022; configure Group Policy to block them entirely for users who don't need them.
  • Block dangerous file types at the email gateway. ISO, IMG, VHD, LNK, JS, VBS, HTA, MSI, OneNote — the loader carriers du jour. The list keeps changing; subscribe to update feeds.
  • Application allowlisting. Microsoft AppLocker / WDAC, Linux SELinux. If only signed software from approved publishers can run, droppers cannot start their next stage.
  • Egress filtering. Loaders depend on calling home. If the workstation can't reach arbitrary internet hosts, the loader is inert.
  • EDR with behavior detection. Static signatures lose to multi-stage chains. EDR looking for Word spawning PowerShell spawning a network connection wins, because that pattern is universal across loader families.
  • User training. Will not save you alone, but the average user clicking 50% fewer attachments is the cheapest defensive improvement available.
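The behavioral pattern the EDR bullet describes (an Office application spawns a script host, and that same process then opens a network connection) is simple enough to show as detection logic. The block below is an added example, not code from this page or from any EDR product. The event records are constructed, and the field names (type, pid, image, parent_image, cmdline, dest_ip, dest_port) are assumptions modelled loosely on process-create and network-connect telemetry of the kind Sysmon emits, not a real vendor schema. It deliberately handles the cases a naive rule gets wrong: a PowerShell the user launched from the desktop, repeat connections from one process, and PID reuse after the suspect exits.

```python
# Added example (not from the page): toy behavioral detection for the
# "Office -> script host -> network connection" chain. Event field names are
# assumptions, modelled loosely on Sysmon-style process/network telemetry.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_office_chain(events):
    """Scan a time-ordered event stream; return one alert per offending PID.

    Step 1 of the pattern: an Office application creates a script host.
    Step 2: that same process opens a network connection. Only the
    combination fires. A bare Office->PowerShell launch is remembered as a
    suspect but not alerted on, and a PowerShell started from explorer.exe
    is ignored entirely.
    """
    suspects = {}  # pid -> details of an Office-spawned script host
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            parent = _basename(ev["parent_image"])
            child = _basename(ev["image"])
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                suspects[ev["pid"]] = {
                    "parent": parent, "child": child,
                    "cmdline": ev.get("cmdline", ""), "alerted": False,
                }
        elif ev["type"] == "network_connect":
            s = suspects.get(ev["pid"])
            if s is not None and not s["alerted"]:
                s["alerted"] = True  # one alert per process, not per connection
                alerts.append({
                    "pid": ev["pid"], "parent": s["parent"], "child": s["child"],
                    "cmdline": s["cmdline"],
                    "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                })
        elif ev["type"] == "process_terminate":
            # Forget the PID on exit so an unrelated process that later reuses
            # the same PID number is not blamed for its predecessor's parentage.
            suspects.pop(ev["pid"], None)
    return alerts


# Constructed sample telemetry (not real logs), in timestamp order.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'WINWORD.EXE /n "invoice.docm"'},
    # An admin opens their own shell from the desktop: not Office-spawned, ignored.
    {"type": "process_create", "pid": 6120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    {"type": "network_connect", "pid": 6120, "dest_ip": "10.0.0.5", "dest_port": 5985},
    # The document's macro launches a hidden PowerShell: recorded as a suspect.
    {"type": "process_create", "pid": 5004,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    # ...and then calls out: this completes the chain and fires the alert.
    {"type": "network_connect", "pid": 5004, "dest_ip": "203.0.113.7", "dest_port": 443},
    # Second connection from the same process: deduplicated, no second alert.
    {"type": "network_connect", "pid": 5004, "dest_ip": "203.0.113.7", "dest_port": 443},
    {"type": "process_terminate", "pid": 5004},
    # PID 5004 reused by an unrelated process later: must not alert.
    {"type": "process_create", "pid": 5004,
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "OneDrive.exe"},
    {"type": "network_connect", "pid": 5004, "dest_ip": "10.0.0.9", "dest_port": 443},
]


if __name__ == "__main__":
    for a in detect_office_chain(SAMPLE_EVENTS):
        print(f'ALERT pid={a["pid"]} {a["parent"]} -> {a["child"]} -> {a["dest"]}  [{a["cmdline"]}]')
```

Running the block prints exactly one alert, for PID 5004. On real telemetry you would key the suspect table on a process GUID rather than a bare PID (Sysmon records one precisely because PIDs are recycled), and you would extend OFFICE_APPS and SCRIPT_HOSTS as the loader families change their carriers, but the shape of the rule stays the same, which is the point the EDR bullet makes.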