| 201. Malware | Umbrella term for software intentionally designed to damage, spy on, extort, disrupt, or provide unauthorized access. | Viruses, worms, trojans, ransomware, and spyware |
| 202. Virus | Malware that attaches to a host file or program and spreads when that infected file is executed. | ILOVEYOU spreading after users opened infected attachments |
| 203. Worm | Self-replicating malware that spreads automatically across systems or networks without direct user action. | WannaCry spreading through vulnerable SMB services using EternalBlue |
| 204. Trojan Horse | Malware disguised as legitimate software to trick the user into installing or running it. | Zeus banking trojan posing as harmless software to steal credentials |
| 205. Ransomware | Malware that encrypts data or locks systems and then demands payment or some concession. | REvil, LockBit, or WannaCry encrypting enterprise files |
| 206. Spyware | Malware that secretly monitors users and collects sensitive information such as keystrokes, messages, or screenshots. | Pegasus surveillance activity on high-value mobile targets |
| 207. Adware | Software that pushes unwanted advertising and may also track browsing behavior or redirect traffic. | Fireball hijacking browsers and injecting advertising content |
| 208. Rootkit | Malware designed to hide malicious activity by manipulating the operating system or low-level components. | Sony BMG rootkit concealing files and processes on Windows systems |
| 209. Keylogger | Malware or hardware that records keystrokes to steal passwords, messages, and other sensitive input. | Olympic Vision capturing typed credentials on compromised endpoints |
| 210. Botnet | Group of compromised devices remotely controlled by an attacker for spam, DDoS, malware delivery, or fraud. | Mirai botnet launching large-scale DDoS attacks against Dyn |
| 211. File Infector Virus | Virus that attaches to executable files and spreads when those infected programs are launched | CIH/Chernobyl infecting .exe files and activating when they ran |
| 212. Boot Sector Virus | Virus that infects boot records so malicious code runs before the operating system starts. | Stoned virus infecting the master boot record on legacy systems |
| 213. Macro Virus | Infects Office documents using embedded Visual Basic macros | Melissa virus spread via Word docs |
| 214. Multipartite Virus | Virus able to infect both boot sectors and regular files, giving it multiple spread paths | Invader-style malware infecting startup media and executables |
| 215. Polymorphic Virus | Mutates its code to avoid signature-based detection | Storm Worm — changed signature constantly |
| 216. Metamorphic Virus | Virus that rewrites its own code on each generation so signatures are harder to match | Zmist using code transformation to evade static signatures |
| 217. Resident Virus | Virus that stays loaded in memory and keeps infecting files or processes after execution | CMJ-style resident infection persisting in RAM after launch |
| 218. Non-Resident Virus | Only active when infected file is opened | Simple file infectors |
| 219. Direct Action Virus | Virus that infects files immediately when triggered but does not remain resident in memory | Vienna virus infecting additional executables only during runtime |
| 220. Overwrite Virus | Overwrites file content making file unusable | Trivial family virus |
| 221. Email Virus | Virus or malware family that spreads mainly through email attachments, links, or macro documents | ILOVEYOU or Melissa spreading through users' mailboxes |
| 222. Network Worm | Self-replicating worm that spreads through network shares, vulnerable services, or open ports | Blaster scanning for exposed Windows RPC services |
| 223. Internet Worm | Scans internet for vulnerable systems to infect | Morris Worm (1988) — first major internet worm |
| 224. Mass Mailing Worm | Sends copies of itself to all contacts in address book | Mydoom — fastest-spreading email worm |
| 225. SQL Worm | Exploits SQL Server vulnerabilities to spread | SQL Slammer (2003) — took down internet segments |
| 226. Banking Trojan | Steals financial credentials and session data | Emotet, TrickBot, Dridex |
| 227. RAT (Remote Access Trojan) | Trojan that gives the attacker remote interactive control of the victim system | DarkComet or njRAT for screen control, file access, and command execution |
| 228. Backdoor Trojan | Creates hidden entry point for future attacker access | Back Orifice, Gh0st RAT |
| 229. Fake Antivirus Trojan | Trojan that pretends to be security software while actually installing malware or extorting the user. | Fake pop-up claiming "Your computer is infected" to push scareware |
| 230. Downloader Trojan | Downloads and installs other malware after initial infection | Emotet (downloads TrickBot) |
| 231. Locker Ransomware | Ransomware that locks the device or screen rather than encrypting all files. | WinLocker blocking access to the desktop until payment is demanded |
| 232. Crypto Ransomware | Encrypts files and demands crypto payment for key | WannaCry, REvil, LockBit |
| 233. Double Extortion | Encrypts AND threatens to leak data publicly | Maze ransomware (2019) pioneered this |
| 234. Mobile Ransomware | Ransomware aimed at phones or tablets, often locking the device or threatening to leak data | LeakerLocker targeting Android users with extortion |
| 235. Ransomware as a Service | Ransomware kit sold to affiliates via dark web | REvil, DarkSide RaaS models |
| 236. Tracking Spyware | Spyware that silently records location, messages, calls, or other personal activity | Pegasus surveillance activity on high-value mobile targets |
| 237. Password Stealing Spyware | Spyware focused on capturing credentials, browser data, or form submissions | FormBook or Agent Tesla stealing saved passwords and typed logins |
| 238. Ad Injecting Spyware | Spyware that modifies browser traffic or pages to insert ads and track user behavior | Superfish injecting ads into web-browsing sessions |
| 239. Kernel Rootkit | Rootkit operating in kernel space, making it highly privileged and difficult to detect or remove | Necurs hiding malicious processes and drivers at the kernel level |
| 240. User Mode Rootkit | Rootkit running in user space that hides files, processes, or registry entries without kernel-level control | ZeroAccess-style hiding through user-mode hooks |
| 241. Hardware Keylogger | Physical device placed between keyboard and computer to record keystrokes outside the operating system | KeyGrabber USB collecting typed passwords from a workstation |
| 242. Software Keylogger | Program that records keystrokes without hardware | Actual Keylogger, Spyrix |
| 243. Botnet C2 | Command and Control server that issues commands to bots | Attacker sends "encrypt all files" to 10,000 bots |
| 244. Zombie Computer | Compromised device remotely controlled as part of a botnet or coordinated attack | Infected home PC used in spam or DDoS campaigns without the owner's knowledge |
| 245. Drive-by Download | Malware downloaded automatically by visiting a webpage | Malvertising on legitimate news sites |
| 246. Malicious Attachment | File weaponized to deliver malware when the recipient opens, previews, or enables content | ZIP, ISO, or macro-enabled document dropping a payload |
| 247. Malicious Link | URL that leads to malware download or phishing page | Shortened URL hiding malicious redirect |
| 248. Fake Software Update | Malware disguised as a legitimate update prompt | "Update your Flash Player" popups |
| 249. Watering Hole | Attacker infects websites the target frequently visits | APT groups infecting industry forums |
| 250. Supply Chain Attack | Compromising software or hardware before it reaches victim | SolarWinds Orion backdoor (2020) |