Introduction
A trojan (or trojan horse) is malware that disguises itself as legitimate, desirable, or harmless software in order to trick users into installing and executing it. Named after the wooden horse of Greek mythology -- in which Greek soldiers hid inside a gift horse to infiltrate the city of Troy -- trojans rely on deception rather than self-replication. Unlike viruses and worms, trojans do not spread on their own. They depend on social engineering to convince the victim to execute them.
Trojans are the most common category of malware encountered in the wild. According to AV-TEST Institute data, trojans consistently account for over 50% of all new malware samples detected each year. Their versatility makes them the preferred delivery mechanism for nearly every type of malicious payload, from ransomware and spyware to cryptocurrency miners and botnet agents.
"The trojan is the Swiss Army knife of the malware world. It is not defined by what it does but by how it arrives -- through deception." -- Mikko Hypponen, Chief Research Officer at WithSecure (formerly F-Secure)
How Trojans Work
The trojan lifecycle follows a consistent pattern regardless of the specific payload:
- Delivery: The trojan arrives disguised as something the victim wants -- a software crack, a game, a document, a browser update, or an email attachment. The disguise is the critical element.
- Execution: The victim runs the file, believing it to be legitimate. On Windows, trojans often exploit the default behavior of hiding file extensions, so `invoice.pdf.exe` appears as `invoice.pdf`.
- Installation: The trojan installs itself, often dropping additional payloads. It may display a decoy application (a real PDF viewer, a functioning game) to maintain the illusion while malicious activity occurs in the background.
- Persistence: The trojan establishes mechanisms to survive reboots -- registry Run keys, scheduled tasks, services, startup folder entries, or DLL search order hijacking.
- Payload Execution: The trojan executes its malicious purpose: opening a backdoor, stealing credentials, downloading additional malware, or providing remote access to the attacker.
- Communication: Most trojans establish a connection to a command-and-control (C2) server, allowing the attacker to issue commands, exfiltrate data, and update the malware.
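The persistence step above is where a defender gets a second chance at detection: autostart entries are enumerable, and trojans tend to launch from places legitimate installers rarely use. The following Python script is an added example, not code from the original article. It parses a Windows registry export (.reg format) and flags Run/RunOnce entries that start from user-writable directories (AppData, Temp, Downloads) or go through a script host (wscript, cscript, PowerShell). The registry text is constructed sample data; the entry names and paths are invented for illustration, except that OneDrive genuinely runs from the per-user AppData folder, which is included deliberately to show the false-positive case a practitioner has to handle.

```python
"""Audit Windows autostart (Run / RunOnce) entries from a .reg export.

Added example: flags persistence entries that launch from user-writable
directories or via script hosts. Heuristic triage, not a verdict.
"""
import re
from typing import Dict, List

# Constructed sample export (not real data). .reg escaping: backslashes
# are doubled and embedded quotes are written as \".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\VendorApp\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"
"Invoice"="wscript.exe \"C:\\Users\\alice\\Downloads\\invoice.pdf.vbs\""
"Sync"="powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\sync.ps1"
'''

# Directory markers the article lists as user-writable launch locations.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")
# Script hosts: Windows Script Host binaries and PowerShell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}

# "Name"="value" with .reg escapes (\\ and \") tolerated inside both parts.
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg(s: str) -> str:
    """Undo .reg escaping: \\x -> x (covers \\\\ and \\")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_entries(reg_text: str) -> List[Dict[str, str]]:
    """Return the entries under any key ending in \\Run or \\RunOnce."""
    entries = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not key.lower().endswith(("\\run", "\\runonce")):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"key": key,
                            "name": unescape_reg(m.group(1)),
                            "command": unescape_reg(m.group(2))})
    return entries


def program_of(command: str) -> str:
    """Extract the launched program: quoted path or first token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def audit_entry(entry: Dict[str, str]) -> List[str]:
    """Reasons an entry deserves a second look (empty list = nothing found)."""
    reasons = []
    cmd_l = entry["command"].lower()
    base = program_of(entry["command"]).lower().rsplit("\\", 1)[-1]
    if base in SCRIPT_HOSTS:
        reasons.append("script host: " + base)
    for marker in USER_WRITABLE:
        # The whole command line is checked, so a script host's argument
        # (the .vbs in Downloads) is caught as well as the program itself.
        if marker in cmd_l:
            reasons.append("user-writable path: " + marker.strip("\\"))
    return reasons


def audit(reg_text: str) -> Dict[str, List[str]]:
    """Map entry name -> reasons, for every flagged autostart entry."""
    findings = {}
    for entry in parse_run_entries(reg_text):
        reasons = audit_entry(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_REG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The OneDrive entry is flagged alongside the three suspicious ones, which is the point of including it: a path-based rule is a triage filter, and the next step is to confirm the flagged binary's publisher signature or hash against a known-good baseline rather than treating every AppData launch as malicious.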
Types of Trojans
Remote Access Trojans (RATs)
Remote Access Trojans give attackers full control over the victim's computer, similar to legitimate remote administration tools like TeamViewer or Remote Desktop, but without the victim's knowledge or consent. RATs typically provide a graphical interface to the attacker showing the victim's desktop, with capabilities including:
- Remote desktop viewing and control
- File browsing, upload, and download
- Keylogging and screen capture
- Webcam and microphone activation
- Password harvesting
- Command shell access
- Persistence management
| RAT | First Seen | Notable Features | Context |
|---|---|---|---|
| Back Orifice | 1998 | First widely known RAT; demonstrated Windows security weaknesses | Released by Cult of the Dead Cow at DEF CON |
| SubSeven | 1999 | User-friendly GUI; extremely popular in early 2000s | Script kiddie tool of the era |
| DarkComet | 2008 | Feature-rich, free; discontinued after use in Syrian surveillance | Used against Syrian dissidents (2011-2012) |
| njRAT | 2012 | Small footprint, .NET-based, plugin architecture | Widely used in Middle East cyber operations |
| Quasar RAT | 2014 | Open-source .NET RAT on GitHub (legitimate admin tool) | Adopted by multiple APT groups |
| ShadowPad | 2017 | Modular backdoor deployed via supply chain attacks | Chinese-linked APT groups |
| AsyncRAT | 2019 | Open-source, encrypted communications, modular | One of the most prevalent RATs in 2023-2024 |
Banking Trojans
Banking trojans are specifically designed to steal financial credentials and intercept banking transactions. They use specialized techniques including:
- Web Injection: Modifying banking website pages in real time (man-in-the-browser) to add extra fields requesting security questions, PINs, or one-time passwords
- Form Grabbing: Intercepting form data before it is encrypted by HTTPS, capturing credentials at the application level
- Session Hijacking: Stealing authenticated banking sessions to perform transactions while the victim is logged in
- Transaction Manipulation: Silently changing the destination account and amount of wire transfers while displaying the original transaction details to the victim
Banking trojans have caused billions of dollars in losses. The Zeus family alone was responsible for an estimated $100 million in losses from US bank accounts before its developer was identified.
Backdoors
A backdoor is a trojan that provides unauthorized remote access to a system, bypassing normal authentication. Unlike full-featured RATs, backdoors often provide only command-line access and are designed for stealth and persistence rather than feature richness. APT (Advanced Persistent Threat) groups frequently deploy custom backdoors that communicate over covert channels, use encryption, and blend with normal network traffic.
Downloaders and Droppers
Downloaders are trojans whose primary purpose is to download and install additional malware. They serve as the initial foothold, establishing persistence and then retrieving the main payload from a remote server. Droppers carry their payload embedded within themselves rather than downloading it. This two-stage approach allows attackers to update payloads without redistributing the initial trojan and helps evade detection by keeping the initial stage minimal.
Notable Trojans in History
| Trojan | Years Active | Type | Impact |
|---|---|---|---|
| Zeus (Zbot) | 2007-present (variants) | Banking trojan | $100M+ stolen; source code leaked in 2011, spawning dozens of variants |
| SpyEye | 2009-2013 | Banking trojan | Designed as Zeus competitor; merged with Zeus in 2010 |
| Emotet | 2014-2021, 2022-2023 | Loader/Downloader | Called "most dangerous malware" by Europol; primary delivery for other malware |
| TrickBot | 2016-2022 | Banking/Loader | Successor to Dyre; major ransomware delivery platform |
| Dridex | 2014-present | Banking trojan | Over $100M stolen; connected to Evil Corp cybercrime group |
| QakBot (Qbot) | 2007-present | Banking/Loader | Disrupted by FBI in 2023 (Operation Duck Hunt); re-emerged within months |
| Gh0st RAT | 2008-present | RAT | Open-source Chinese RAT; used in GhostNet cyber espionage (2009) |
| PlugX | 2012-present | RAT/Backdoor | Used by multiple Chinese APT groups; DLL side-loading technique |
| IcedID (BokBot) | 2017-present | Banking/Loader | Evolved from banking trojan to primary malware delivery platform |
Zeus and Emotet: Case Studies
Zeus (Zbot) emerged in 2007 and rapidly became the most prolific banking trojan in history. Its creator, Evgeniy Bogachev (known online as "slavik" and "lucky12345"), developed Zeus as a commercial crimeware kit sold to other criminals. Zeus used man-in-the-browser attacks to inject malicious content into banking websites, stealing credentials and manipulating transactions in real time.
In 2011, the Zeus source code was leaked publicly, spawning numerous variants including Citadel, ICE IX, and Gameover Zeus (a peer-to-peer variant). Bogachev was indicted by the FBI in 2014 with a $3 million bounty for his arrest -- one of the highest ever for a cybercriminal -- but remains at large, reportedly operating under the protection of Russian intelligence.
Emotet began as a banking trojan in 2014 but evolved into the most significant malware delivery platform in history. By 2018, Emotet had shifted its primary function from banking fraud to serving as an "initial access broker" -- infecting systems through sophisticated phishing campaigns and then selling access to other criminal groups who deployed ransomware (particularly Ryuk and Conti), banking trojans (TrickBot), or other payloads.
"Emotet was the most professional malware operation we have ever encountered. Its infrastructure, its evasion capabilities, and its volume were unmatched. Taking it down required unprecedented international law enforcement cooperation." -- Fernando Ruiz, Europol Head of Operations
Emotet's phishing emails were remarkably effective because they hijacked existing email threads -- replying to real conversations between the victim and their contacts with malicious attachments. In January 2021, a multinational law enforcement operation (Operation Ladybird) seized Emotet's infrastructure across hundreds of servers in multiple countries. The botnet was temporarily dismantled but re-emerged in late 2021 and continued operating through 2023.
Command and Control Infrastructure
Most trojans communicate with attacker-controlled command and control (C2) servers to receive instructions and exfiltrate data. C2 architecture has evolved significantly to evade detection and resist takedown:
| C2 Method | Description | Advantages | Disadvantages |
|---|---|---|---|
| Direct IP/Domain | Hardcoded server addresses in the malware | Simple to implement | Easy to block and take down |
| Domain Generation Algorithm (DGA) | Algorithmically generates hundreds of domains daily; attacker registers only a few | Resilient to domain takedowns | Detectable by ML-based DNS analysis |
| Fast Flux | Rapidly changing DNS records pointing to different IP addresses | Difficult to track or block | Requires distributed infrastructure |
| Peer-to-Peer | Infected machines communicate with each other without central servers | No single point of failure | Complex to implement; noisy on network |
| Social Media/Dead Drops | Commands embedded in social media posts, Pastebin, or cloud services | Blends with legitimate traffic | Subject to platform takedowns |
| DNS Tunneling | Data encoded in DNS queries and responses | Bypasses most firewalls | Low bandwidth; detectable by DNS monitoring |
| Encrypted Channels | HTTPS, TLS, or custom encryption for C2 traffic | Difficult to inspect content | Metadata (timing, volume) still visible |
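Two of the table's "disadvantages" can be turned into detection logic with nothing more than DNS query logs. The Python below is an added example, not code from the article, and it is a deliberately simple heuristic stand-in for the ML-based DNS analysis the DGA row mentions: it scores query names for DGA-like randomness (long, high-entropy, vowel-poor registrable labels) combined with a high NXDOMAIN rate per client, which is what "attacker registers only a few" of the generated domains produces on the wire, and it flags oversized subdomain labels as possible DNS tunneling. The log format, every query and the thresholds are constructed assumptions for illustration; the registrable-label extraction takes the second-to-last label and ignores the public suffix list.

```python
"""Heuristic DNS-log triage for DGA and DNS-tunneling C2 patterns.

Added example with constructed data. Thresholds are illustrative, not tuned.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed log: "<time> <client> <query name> <response code>".
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 mail.example.com NOERROR
10:00:03 10.0.0.7 kq3xv9zt1pw.net NXDOMAIN
10:00:03 10.0.0.7 a8fz2mqw7nxc.com NXDOMAIN
10:00:04 10.0.0.7 pz91xkq4vwtb.org NXDOMAIN
10:00:04 10.0.0.7 t7mwx2kqz9pv.net NXDOMAIN
10:00:05 10.0.0.7 r4kz8qxw1mtv.com NOERROR
10:00:06 10.0.0.9 4d61726b3a20a1b2c3d4e5f60718293a4b5c.tun.example.net NOERROR
10:00:07 10.0.0.9 5f4e3d2c1b0a99887766554433221100ffee.tun.example.net NOERROR
10:00:08 10.0.0.5 cdn.example.org NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for empty or uniform strings)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Second-to-last label. Assumption: no public suffix list handling."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_dga(qname: str) -> bool:
    """Long, high-entropy, vowel-poor registrable label (illustrative rule)."""
    sld = registrable_label(qname)
    if len(sld) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return shannon_entropy(sld) >= 3.0 and vowel_ratio < 0.25


def looks_tunnel(qname: str) -> bool:
    """Subdomain labels far longer than hostnames normally are."""
    labels = qname.rstrip(".").split(".")
    subdomain = labels[:-2]
    longest = max((len(lbl) for lbl in subdomain), default=0)
    return longest > 30 or sum(len(lbl) for lbl in subdomain) > 50


def parse_dns_log(text: str) -> List[Dict[str, str]]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower(), "rcode": rcode})
    return records


def analyze(text: str) -> Dict[str, Dict[str, int]]:
    """Per-client counters: total queries, NXDOMAIN, DGA-like, tunnel-like."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                      "dga_like": 0, "tunnel_like": 0})
    for r in parse_dns_log(text):
        s = per_client[r["client"]]
        s["queries"] += 1
        s["nxdomain"] += r["rcode"] == "NXDOMAIN"
        s["dga_like"] += looks_dga(r["qname"])
        s["tunnel_like"] += looks_tunnel(r["qname"])
    return dict(per_client)


def suspicious_clients(text: str) -> Dict[str, List[str]]:
    """Clients whose query mix matches a C2 pattern, with the reason."""
    out = {}
    for client, s in analyze(text).items():
        reasons = []
        # DGA signal: several random-looking names AND most of them unresolved.
        if s["dga_like"] >= 3 and s["nxdomain"] / s["queries"] >= 0.5:
            reasons.append("DGA-like names with high NXDOMAIN rate")
        if s["tunnel_like"] >= 2:
            reasons.append("oversized subdomain labels (possible DNS tunneling)")
        if reasons:
            out[client] = reasons
    return out


if __name__ == "__main__":
    for client, reasons in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(client, "->", "; ".join(reasons))
```

The NXDOMAIN rate is the more robust half of the DGA rule: word-list based generators defeat the entropy test, but any generator that produces more names than the attacker registers still leaves a trail of failed lookups. Legitimate CDN and telemetry hostnames also look random, so in practice the per-name score is only a feature feeding the per-client decision.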
Detection and Defense
Defending against trojans requires a multi-layered approach addressing both the social engineering delivery and the technical exploitation:
- Email Security: Deploy email filtering with attachment sandboxing, link rewriting, and DMARC/DKIM/SPF validation. Block macro-enabled Office documents by default using Group Policy.
- Endpoint Protection: Use modern EDR (Endpoint Detection and Response) solutions that detect behavioral patterns, not just file signatures. Monitor for process injection, credential dumping, and suspicious persistence mechanisms.
- Application Whitelisting: Restrict which applications can execute using Windows AppLocker, WDAC (Windows Defender Application Control), or similar tools. This prevents unknown executables from running regardless of social engineering.
- Network Monitoring: Monitor DNS queries for DGA patterns, unusual outbound connections, and C2 beaconing behavior. Deploy network detection tools that can identify known malware traffic patterns.
- User Training: Security awareness training remains critical because trojans fundamentally rely on human decision-making. Train users to verify software sources, recognize phishing, and report suspicious files.
- Least Privilege: Restrict user permissions so that even if a trojan executes, it cannot install system services, modify system files, or access sensitive resources without elevation.
- Software Controls: Disable Windows Script Host, restrict PowerShell execution policies, and prevent execution from user-writable directories (AppData, Temp, Downloads).
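The "C2 beaconing behavior" named under Network Monitoring is detectable even when the channel is encrypted, because, as the C2 table notes, timing and volume metadata stay visible. The Python below is an added example, not code from the article: it groups outbound connections by (client, destination), computes the inter-connection intervals, and flags flows whose intervals are nearly constant (low coefficient of variation) over enough connections to rule out chance. The connection log and both flows are constructed; the destination addresses are from documentation ranges, and the thresholds (five connections, interval CV of 0.2) are assumptions chosen for illustration.

```python
"""Detect periodic outbound connections (beaconing) from a connection log.

Added example with constructed data. Works on metadata only, so it applies
to encrypted channels as well as plaintext ones.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log: "<ISO time> <client> <dest:port> <bytes sent>".
# 10.0.0.7 calls home roughly every 60 s with near-identical sizes;
# 10.0.0.5 is an interactive session with irregular timing and sizes.
SAMPLE_CONN_LOG = """\
2024-05-01T10:00:00 10.0.0.7 203.0.113.10:443 512
2024-05-01T10:01:00 10.0.0.7 203.0.113.10:443 498
2024-05-01T10:02:02 10.0.0.7 203.0.113.10:443 505
2024-05-01T10:03:01 10.0.0.7 203.0.113.10:443 511
2024-05-01T10:03:59 10.0.0.7 203.0.113.10:443 503
2024-05-01T10:05:00 10.0.0.7 203.0.113.10:443 507
2024-05-01T10:00:13 10.0.0.5 198.51.100.20:443 14022
2024-05-01T10:00:41 10.0.0.5 198.51.100.20:443 2231
2024-05-01T10:04:05 10.0.0.5 198.51.100.20:443 91822
2024-05-01T10:09:50 10.0.0.5 198.51.100.20:443 402
2024-05-01T10:10:01 10.0.0.5 198.51.100.20:443 38877
2024-05-01T10:18:30 10.0.0.5 198.51.100.20:443 7710
"""

Flow = Tuple[str, str]
Event = Tuple[datetime, int]


def parse_conn_log(text: str) -> Dict[Flow, List[Event]]:
    """Group (timestamp, bytes) events per (client, destination), time-sorted."""
    flows: Dict[Flow, List[Event]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    for events in flows.values():
        events.sort()
    return dict(flows)


def coefficient_of_variation(values: List[float]) -> float:
    """Sample stdev / mean; infinity when undefined (too few values or mean 0)."""
    if len(values) < 2:
        return float("inf")
    mean = statistics.fmean(values)
    if mean == 0:
        return float("inf")
    return statistics.stdev(values) / mean


def beacon_score(events: List[Event]) -> Dict[str, float]:
    """Timing and size regularity of one flow."""
    times = [t for t, _ in events]
    sizes = [b for _, b in events]
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "count": len(events),
        "interval_mean_s": statistics.fmean(intervals) if intervals else 0.0,
        "interval_cv": coefficient_of_variation(intervals),
        "size_cv": coefficient_of_variation(sizes),
    }


def find_beacons(text: str, min_connections: int = 5,
                 max_interval_cv: float = 0.2) -> Dict[Flow, Dict[str, float]]:
    """Flows with enough connections and near-constant spacing."""
    hits = {}
    for flow, events in parse_conn_log(text).items():
        score = beacon_score(events)
        if score["count"] >= min_connections and score["interval_cv"] <= max_interval_cv:
            hits[flow] = score
    return hits


if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_CONN_LOG).items():
        print(f"{src} -> {dst}: every ~{s['interval_mean_s']:.0f}s, "
              f"interval CV {s['interval_cv']:.3f}, size CV {s['size_cv']:.3f}")
```

Size regularity (`size_cv`) is reported but not used in the decision here; in production it is a useful second feature, since a heartbeat that carries no new tasking tends to send the same few hundred bytes every time. Malware that adds random jitter raises the interval CV, so the threshold trades sensitivity against false positives from legitimate pollers such as update checkers and monitoring agents.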
For more on the analysis techniques used to dissect trojans, see malware analysis. Understanding how trojans deliver ransomware payloads is covered in our ransomware article.
Summary
Trojans remain the dominant malware category because they exploit the most difficult vulnerability to patch: human trust. Key takeaways:
- Trojans rely on deception and social engineering, not technical self-replication
- RATs provide full remote control; banking trojans target financial credentials; backdoors enable persistent access
- Zeus and Emotet demonstrate how trojans evolve from single-purpose tools into multi-functional platforms
- Modern trojans use sophisticated C2 infrastructure including DGAs, P2P networks, and encrypted channels
- Defense requires combining technical controls (EDR, application whitelisting, email filtering) with user education
- The trojan ecosystem is increasingly professionalized, with specialized roles for development, distribution, and monetization
References
- Bayer, U., Habibi, I., Balzarotti, D., Kirda, E., & Kruegel, C. (2009). "A View on Current Malware Behaviors." LEET'09: 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats.
- FBI. (2014). "GameOver Zeus Botnet Disrupted." Federal Bureau of Investigation Press Release.
- Europol. (2021). "World's Most Dangerous Malware EMOTET Disrupted Through Global Action." Europol Press Release.
- FBI. (2023). "FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown." FBI Press Release.
- Krebs, B. (2014). "Spam Nation: The Inside Story of Organized Cybercrime." Sourcebooks.
- AV-TEST Institute. (2024). "Malware Statistics." https://www.av-test.org/
- MITRE ATT&CK. "Trojan Techniques." https://attack.mitre.org/
- Mandiant. (2020). "Highly Evasive Attacker Leverages SolarWinds Supply Chain." FireEye/Mandiant Threat Intelligence.
- Stone-Gross, B., et al. (2009). "Your Botnet is My Botnet: Analysis of a Botnet Takeover." ACM CCS 2009.
- Proofpoint. (2024). "The Human Factor 2024." Proofpoint Annual Report.
Social Engineering Vectors
Trojans depend entirely on social engineering for initial execution. Common distribution methods include: