Hard2bit
← Back to glossary Threats and attacks

Trojan

What is a Trojan

A Trojan is a type of malware that disguises itself as legitimate software —an installer, an email attachment, a free tool— so that the victim runs it themselves. Unlike a virus or a worm, it does not replicate: its strength lies in deception. Once inside, it does whatever it was built for: stealing credentials, handing the attacker remote control of the machine, downloading further malware or draining bank accounts. Most arrive through phishing campaigns, cracked and pirated software, fake installers or malicious advertising, and as soon as they execute they typically connect to the attacker's C2 infrastructure to receive orders.

Why it matters

The Trojan is modern cybercrime's most common front door: most serious breaches —ransomware included— begin with an employee running something that looked legitimate. The business model makes it worse: Trojan operators act as initial access brokers and sell the access they gain to other groups, so an infection that looks minor today can become mass encryption or data exfiltration weeks later. Today's Trojans are also stealthy by design: they are signed with stolen certificates, inject into legitimate processes, establish persistence and talk to their C2 over HTTPS, blending into normal traffic. That means traditional signature-based antivirus is frequently late, and real detection depends on watching behaviour: processes doing things they should not, anomalous outbound connections, new start-up mechanisms. For a business, understanding what a Trojan is means understanding where almost all of its worst days begin — which is why controlling what software runs, phishing awareness training and continuous monitoring are not optional.

Key points

RAT (Remote Access Trojan): gives the attacker full remote control of the machine —screen, keyboard, files, webcam—. It is the variant of choice for espionage and for preparing lateral movement towards more valuable systems.

Banking Trojans (bankers): intercept online banking sessions, inject fake forms into the bank's website and manipulate transfers in real time. Families such as Zeus, Emotet and Grandoreiro defined the genre; their descendants remain active against European businesses.

Downloaders and droppers: their sole job is to open the door and fetch the real payload (ransomware, infostealers, post-exploitation tooling). Catching them early cuts the chain before the serious damage.

Infostealers: harvest browser-saved credentials, session cookies, crypto wallets and access tokens within minutes and upload them to the attacker. They are the source of much of the compromised credentials trade on criminal markets.

Typical entry routes: phishing attachments (invoices, CVs, legal notices), cracks and pirated software, fake installers pushed via SEO poisoning or adverts (malvertising) and fraudulent browser updates. Almost always, the user has to run something.

Detection and response: EDR with behavioural analysis, monitoring of outbound traffic towards C2 domains, review of persistence mechanisms and immediate isolation of the affected machine. After containment, assume credential theft and rotate everything.

Example: A fake installer ends in attempted bank fraud

A finance administrator needs to convert a PDF and downloads a "free converter" from the first sponsored search result. The installer works —it converts the PDF— but it also deploys a banking Trojan that registers itself as a scheduled task to survive reboots and opens an encrypted channel to the attacker's C2. For days, the malware stays silent: it harvests the passwords saved in the browser, works out that this machine is used for the company's online banking, and waits for the next session.

When the employee logs into the bank, the Trojan injects a fake form asking her to "revalidate" the signing token, and the attacker attempts to slip through a transfer. In this case the attempt fails because the SOC had already received an EDR alert about the anomalous scheduled task and the machine was isolated; the subsequent forensic analysis confirms which credentials were exfiltrated, everything is rotated, active sessions are revoked and the bank is notified. Without that early detection, the difference would have been tens of thousands of euros and a breach notification.

Common mistakes

  • Relying on signature-based antivirus alone. Modern Trojans are recompiled and obfuscated daily precisely so they match no signature; without behavioural detection (EDR) the blind spot lasts days or weeks.
  • Letting any user install software freely. Cracks, installers downloaded from adverts and 'free tools' are the classic entry route; application control and removing local admin rights cut off most infections.
  • Closing the incident when the antivirus 'cleans' the file. The detected executable is usually just the dropper: the persistence, the stolen credentials and the payloads downloaded afterwards may still be there. Investigate what happened after execution.
  • Reimaging the machine without prior analysis. Wiping removes the malware but destroys the evidence: you will not know which credentials were taken, whether there was lateral movement, or whether the attacker kept another foothold.
  • Ignoring outbound traffic. A Trojan needs to talk to its C2 to be useful; if you only watch what comes in and not what goes out, you lose the most reliable signal there is.

Related services

This concept may be related to services such as:

Frequently asked questions

What is the difference between a Trojan, a virus and a worm?

The distinction is how they spread. A virus infects other files and needs someone to run them; a worm replicates across the network on its own, with no human involvement; a Trojan does not replicate at all: it poses as legitimate software and waits for the victim to install it. In modern practice, almost all malware relevant to businesses arrives as a Trojan, and what it downloads next determines the damage.

Is antivirus enough to detect modern Trojans?

Not as the only layer. Operators test their samples against commercial antivirus engines before distributing them, so the first wave usually passes undetected. Antivirus remains useful against known malware, but reliable detection requires EDR with behavioural analysis, monitoring of outbound traffic and someone actually investigating the alerts: technology alone does not close the case.

What should I do if I suspect a machine has a Trojan?

Isolate it from the network immediately —without powering it off, to preserve memory—, notify your security team or incident response provider, and do not 'clean' anything yourself. Then identify what was executed, what persistence it left, which C2 it spoke to and which credentials it may have taken; those credentials get rotated and sessions revoked even after the machine is clean.

How do you prevent Trojans in a business?

By reducing opportunities for execution: users without local admin rights, application control that only allows approved software, email and web filtering, up-to-date patching, and targeted training against phishing and fake installers. And by assuming some infection will happen anyway: deployed EDR, continuous monitoring and a rehearsed response plan make the difference between an anecdote and a breach.