Malware lexicon: what is malware and what types are there?

Malware, short for malicious software, is a generic term for any type of program, script, or code designed to harm a computer, network, server, or other device or system. Malware can be distributed in a number of ways: via infected email attachments, active downloads from unsafe sources, passive downloads from compromised websites, and by means of exploits and backdoors. The consequences of a malware attack range from data theft and system failures to identity theft and financial losses. In this guide you will find the most important types of malware and related terms.

Malware comes in different forms and with different methods of getting it onto computers and smartphones. Here you will find all types of malware with further links and well-known examples.

Malware and known examples

Below you will find the different types of malware - from the well-known virus to worms and Trojan horses to DDoS attacks and cryptojacking. For each type or approach to malware usage, I've picked a few well-known examples for you. 


A computer virus is malware that can duplicate and spread itself by hiding in other programs or files. Much like a biological virus, its digital counterpart spreads from an infected system to other computers when infected files are transferred or shared. A computer virus can delete files, crash apps and systems, and cause harm to others. Details are here: What is a computer virus?

Examples of known computer viruses:

  • Michelangelo: Although the first viruses appeared in 1985, the Michelangelo virus was the first to bring malware major media coverage, in 1992. It was a boot virus for DOS systems.
  • Macro viruses: Viruses that hid in Office documents from 1995 and exploited their automations ("macros") to spread. The most common way was via email attachments with Word or Excel documents.
  • JavaScript and HTML viruses: Various viruses that attacked websites and infected PCs via the “Windows Scripting Host” from 1998 when their users called up the infected websites.
  • Metamorphic and polymorphic viruses: Complex viruses of the early 2000s, driven primarily by the "29A" virus group, that could not be fully detected by antivirus apps. Examples are Win32.MetaPHOR and Win32.ZMist.
  • Vista and Symbian viruses: The last notable virus threats appeared in 2005, for Windows Vista and the mobile operating system Symbian. From 2006 onwards, the danger posed by this type of malware rapidly declined.


A computer worm is a standalone piece of malware that actively spreads across networks without user intervention. Like a computer virus, a worm can replicate itself, but it can also install itself on other systems by exploiting security gaps or finding weak points in the network. Computer worms can cause significant damage by consuming system resources, overloading networks, or stealing confidential information. Like Trojans, they can also be used to spread other types of malware. Details are here: What is a computer worm?

Examples of known computer worms:

  • Loveletter / ILOVEYOU: Probably the most well-known computer worm (often wrongly referred to as a virus). Disguised as an e-mail love letter, it reached victims from 2000 onwards and then spread further from their inboxes. The damage is said to be over $10 billion.
  • MyDoom: Worm spread via peer-to-peer systems since 2004, which is said to have caused damage of 38 to 40 billion euros and is therefore the most harmful malware to date.
  • Stuxnet: Unusually complex worm that, starting in 2010, exploited several vulnerabilities in the Windows operating system and had a correspondingly large file size. It was used by secret services to sabotage facilities.

Trojan Horse

A Trojan horse, or Trojan for short, is a type of malware that disguises itself as legitimate software in order to be downloaded and run. The expected program may even work while the malware runs in the background – it can load additional software, scan or delete memory, enable remote control, and much more. Details are here: What is a Trojan horse?

Examples of known Trojan horses:

  • Zeus / ZeuS / Zbot: A Trojan horse used for the first time in 2007 that downloads software that is primarily intended to spy on banking data and capture passwords by recording keystrokes. In 2009, it became known that several large companies were among the victims.
  • Emotet: A Trojan horse first used in 2014 that became widely known in 2019 and 2020. It spread like a worm via the e-mail contact lists of infected systems as well as via WordPress, and loaded further malware after execution. From 2022 there was an increase in Emotet cases again.
  • SLEEP: Combination of Trojans and ransomware that has mainly affected Android devices since 2022.


Spyware is malware that is secretly installed on a system to monitor activity and collect data without users' knowledge or consent. This information can include personal information and files, browser information, passwords, banking information, and even camera and microphone access. Spyware can occur in private as well as in business areas. Details are here: What is spyware?

Examples of known spyware:

  • Regin: Complex spyware distributed via a Trojan horse, which acts in several stages and uses a virtual system in which up to 50 tailor-made modules are used to spy on Windows computers. Targets were politics, companies and organizations.
  • Pegasus: Commercial spy software developed by NSO Group for iOS and Android devices (primarily smartphones), documented as of 2016. It performs a "hidden jailbreak" and passes on all sorts of information.
  • FlexiSPY: Commercially offered spy software for mobile devices that is advertised for private end customers.


Stalkerware is a special type of spyware specifically designed to secretly monitor and track someone without their consent. It is often used by toxic (ex) partners, stalkers or other overly curious individuals to view private information such as location data, text messages, call logs and even photos or videos. Stalkerware can get onto the device via physical access, but also via Trojan horses or phishing. Details are here: What is stalker ware?

Examples of known stalkerware:

  • FlexiSPY: Along with spyware, also defined as stalkerware through (non-consensual) use on devices of private contacts for the purpose of monitoring them.
  • mSpy: App offered for iOS, Android, macOS and Windows as of 2010 and promoted for parents to monitor their children's digital activities. It can be misused to spy on and track other people (ex-partners, colleagues, etc.), which is why it is listed here as stalkerware.
  • Highster mobile: Stalkerware commercially offered for iOS and Android.


Ransomware blocks access to the infected system or the files it contains. It then demands a ransom from the victims for unlocking the system or memory. Ransomware can be distributed via email attachments, drive-by downloads, or exploits in outdated software. Paying the ransom, mostly demanded in cryptocurrencies, does not guarantee the release of the data. The best protection is regular backups. Details are here: What is ransomware?

Examples of known ransomware:

  • WannaCry: One of the names that made ransomware widely known as of 2017. The WannaCry ransomware spread as a network worm via the Internet and blocked users' data access to their former Windows systems worldwide. 
  • EV ransomware: Malware that also became known in 2017, which attacked WordPress websites in order to persuade their operators to pay a ransom. You can find our post from back then here.
  • MacRansomware: Malware developed for macOS that demanded payment in bitcoins in order to release the encrypted content. You can find our contribution to this here.


A rootkit is used to gain privileged access to a computer system with admin rights and to remain in it permanently without being detected. A rootkit can take control of the operating system by exploiting vulnerabilities or bypassing security mechanisms. It mostly hides by manipulating important system files or processes. Rootkits can be used for espionage or Trojan horse activities. Details are here: What is a rootkit?

Examples of known rootkits:

  • Sony BMG rootkit: Programs automatically installed on computers when reading CDs, which were used to manage the rights of music CDs and regulate the copying process. They introduced security vulnerabilities on computers, making them vulnerable to targeted attacks. This became known in 2005.
  • Zeus rootkit: Rootkit introduced for the above Zeus Trojan to better hide the malware and make it more difficult to remove.
  • Keydnap: A rootkit trojan disguised as a screensaver app designed to steal Apple Mac's iCloud keychain passwords. This rootkit created a backdoor to allow further attacks.

Boot kit

A bootkit infects the computer's startup process. It installs itself on the Master Boot Record (MBR) or the Unified Extensible Firmware Interface (UEFI) and is activated as soon as the operating system loads. Bootkits are particularly dangerous because they run before most security measures, and therefore allow criminals to penetrate deep into the system without being detected. They can be viewed as a subcategory of rootkits. Details are here: What is a boot kit?

Examples of known bootkits:

  • Stoned boot kit: Malware used as early as the late 1980s that first infected the Master Boot Record (MBR) of floppy disks and in later versions could also infiltrate the MBR of hard drives.
  • Alureon / TDSS / TDL-4: Malware first identified in 2007 and loaded onto computers in the form of a Trojan horse. Its bootkit character was meant to keep it undetected so that it could read out and forward sensitive data. Described as "indestructible" in some media outlets in 2011, it was still active in 2012.
  • Thunderstrike: Malware developed by security researchers in 2014 as a proof of concept that could be used via compromised Thunderbolt devices on the Apple MacBook if connected to the device during the boot process.


Translated literally, "exploit" simply means "to make use of", but with regard to computer systems it stands for the process associated with it. As part of an exploit, a software vulnerability – a so-called security gap – is exploited in order to attack the device that has become vulnerable as a result. The attack often happens without the victim doing anything and can vary in scope depending on the type and scope of the security gap. An exploit is not malware per se, but a closely related term. Details are here: What is an exploit?

Examples of known exploits:

  • EternalBlue: An exploit developed by the NSA for a Windows vulnerability, dubbed "Eternal Bluescreen" internally. Parts of the development program fell into the hands of hackers and, starting in 2017, were used to distribute the aforementioned WannaCry ransomware.
  • Petya: An exploit also targeting the EternalBlue vulnerability that caused significant damage to companies and organizations as of 2017. 
  • Meltdown/Spectre: Vulnerabilities and thus exploit points on modern processors that could be exploited from 2017. The focus of the reporting was on Macs and iPhones as possible targets. You can find our posts from back then here and here.


A backdoor is a method or program that is introduced into a computer system to allow access, usually secret. While openly communicated backdoors are created in apps or systems for maintenance or remote access purposes, the backdoors secretly created by hackers are more of a gateway for data theft or the installation of other malware. Details are here: What is a backdoor?

Known examples of backdoors:

  • Back Orifice: A tool for remote maintenance of Windows computers, often exploited as a tool for unwanted remote access. It was distributed by the Cult of the Dead Cow hacker group in 1998.
  • PoisonIvy / Poison Ivy / Backdoor.Darkmoon: A remote access tool that got onto victims' computers via Trojan horses. It was developed around 2005 and led, for example, to serious hacks in 2011.
  • Dark Comet: Remote Access Trojan (RAT) developed in 2008 and widely used from 2012 onwards. From 2014 it was used by the Syrian government to monitor the computer activities of the population.

DoS and DDoS attacks

DoS stands for "Denial of Service" and describes an attack on a network or server intended to disrupt its regular operation. The goal is to block the service for regular users by overloading its resources. When a bot network consisting of several infected computers is used to send an excessive number of requests in a coordinated manner, this is referred to as a DDoS attack. DDoS stands for "Distributed Denial of Service". For private users, there is a risk that their own computer will be taken over without their knowledge and used for attacks as part of the bot network. Details are here: What are DoS and DDoS attacks?

Examples of known DoS / DDoS attacks:

  • Mirai: Malware that infected Linux devices and integrated them into a botnet to carry out large-scale attacks on websites and servers. It was used, for example, in the attack on the DNS service Dyn, which led to the failure of large online services such as Reddit, Spotify, Airbnb, Twitter and Netflix in 2016.
  • GitHub DDoS attack: In 2018, GitHub was hit by a massive DDoS attack, in which hundreds of gigabits per second (peak at 1.35 terabits) of traffic were fired at the platform. The attack was strengthened by so-called amplification techniques.
  • AWS DDoS attack: In 2020 there was a DDoS attack of unprecedented proportions on the Amazon Web Services servers. The attack used third-party servers to increase the amount of data sent by up to 70 times. Peaks of the three-day attack were 2.3 terabytes per second.


Cryptojacking describes the secret takeover of computer resources, especially the computing power of the processor (CPU) and graphics card (GPU), to generate cryptocurrencies. Criminals use exploits, Trojan horses, or other means to gain access to computers, mobile devices, or entire networks in order to perform the complex mathematical calculations necessary to generate cryptocurrencies. Details can be found here: What is cryptojacking?

Examples of known cryptojacking malware:

  • Coinhive: JavaScript-based cryptojacking embedded in websites to exploit the computing power of the computer to create Monero cryptocurrency when visiting them.
  • WannaMine: Cryptojacking malware that gets onto computers through vulnerabilities and propagates like a worm. It was repeatedly adapted to new vulnerabilities so that it could be used for a long time.
  • PowerGhost: A cryptomining program planted primarily on corporate networks that, starting in 2018, was distributed in several phases in order to remain undetected for as long as possible.

Not malware, but associated with it

In the following you will find program types that are not assigned to malware per se. However, they are repeatedly associated with it because they are either smuggled in via dubious ways, offer gateways for malware or are simply annoying and thus negatively affect the user experience on the computer.


Riskware, short for "Risky Software," refers to programs or tools that do not in themselves have malicious intent but offer the potential for security risks. Riskware can have features that can be exploited by malware or external attacks. Besides insecure programs and system tools, this includes tools used for IT research: alongside their aim of detecting and examining malware, they may also lead to its execution and thus to damage. Details are here: What is Riskware?


Grayware, sometimes called "Potentially Unwanted Programs" (PUPs), is software that isn't directly classified as malware, but can still perform unwanted or questionable actions. This includes, for example, displaying advertisements, collecting user data or slowing down the system in general. Grayware can also be adware (advertising software). However, the term can also refer to software from a legal gray area, such as video game console emulators or torrent downloaders. Details are here: What is grayware?


Adware is advertising software ("advertisement") that displays advertisements on a computer, mobile device or web browser. It may be installed with free apps or programs from dubious sources. It generates revenue for its developers by displaying advertisements that lead to the target websites via affiliate links. These recognize the source of the page view and the developers receive a commission. While adware is not inherently harmful, it is annoying and negatively impacts user experience. Details are here: What is adware?


Nagware is likewise annoying software that keeps showing notifications or pop-ups. However, it does not advertise third-party content but the purchase of its own full version. So if you only use the basic or free trial version of an app, you can feel annoyed by the frequent requests to purchase the full-featured paid version, especially since the frequent prompts disrupt the workflow and break the work routine. Nagware is not malware per se, but is often perceived as annoying. Details are here: What is nagware?


Scareware, also known as "fake antivirus apps" or "rogue software", is the name given to deceptive programs and pop-up messages designed to trick users into believing fake security alerts or threats on their computer. Scareware aims to create fear and prompt a quick and thoughtless software purchase to eliminate the supposed threats. In addition to the financial loss, there is a risk of downloading additional malware. Details are here: What is scareware?


Crapware is unwanted software that, while not harmful, is annoying and perceived as useless. Crapware can appear as additional software when installing apps you actually want, especially in the case of offers from download portals that enrich the actual app with unnecessary system tools, toolbars and so on in their own installer programs. Pre-installed crapware that is of no use from the user's point of view and only eats up memory and computing capacity is called bloatware. Details are here: What is crap ware?


The term bloatware describes a subcategory of crapware. Bloatware is not dangerous per se, but it can collect data and pass it on to third parties. Bloatware is pre-installed software on new devices, such as system tools, app trials, games, or the like. It may have been installed by the device manufacturer, mobile operator or seller. Bloatware has a negative impact on the user experience because it reduces storage space and consumes processor power. Details are here: What is bloatware?


Juice jacking is not malware per se, but a method used to deliver malicious software onto a smartphone or tablet. This attack method uses public USB charging cables or charging stations to transfer programs to mobile devices undetected or to steal data directly from them. The danger can be averted with certain adapters, which block data exchange but still allow the battery to be charged. Details are here: What is juice jacking?

Summary of malware and its dangers

Even if the generic term "virus" no longer fits the types of malware used today, computer viruses marked the beginning of digital threats for many users. Safe device use as a basic protection against malware is just as much a part of everyday use under macOS as it is under Windows and Linux. If you want to use anti-malware apps, we recommend CleanMyMac X and Malwarebytes. To detect a high processor, graphics and RAM load, you can use iStat Menus, for example. Questionable network activity can be checked with Little Snitch (and, in part, with spybuster). Do not click questionable links or attachments in weird emails!


2 Responses to "Malware encyclopedia: What is malware and what types are there?"

  1. Beatrice Willius

    For articles about malware etc, it would really help if you could describe what can actually happen on the Mac. In order to be allowed to make a kernel extension, you have to strip naked these days. A rootkit is therefore really unlikely. I see all apps in the activity viewer. Nothing can hide there.

    1. Johannes Domke

      Hello Beatrix,

      there was and is a wide variety of malware for the Mac. Depending on how far you look back or how long you want to wait for new warnings, all categories are actually ticked off:

      – Worms: e.g. XCSSET of 2020
      – Trojans: VPN Trojan in 2022, OSX.Zuru, WildPressure, XcodeSpy, ElectroRAT (all four in 2021), GravityRAT in 2020, Doc in 2017, etc.
      – Spyware / Infostealer: Realst and MacStealer from 2023, CloudMensis / BadRAT, CrateDepression and ChromeLoader in 2022, XcodeSpy in 2021, NetWire and Mokes in 2019
      – Ransomware: ThiefQuest in 2020, MacRansom in 2017, KeRanger in 2016, etc.
      – Rootkit: Keydnap in 2016
      – Backdoors: Alchemist and DazzleSpy in 2022, macOS.Macma in 2021, XcodeSpy in 2021, NetWire and Mokes in 2019
      – Cryptojacking: XMRig in 2023, WannaMine in 2017

      I'll make a note to go into more detail about Mac malware. Until then, you're welcome to take a look here at Macworld. They seem to have been updating their list from time to time for the past few years.

      Best regards
