Safeguard
Security Concepts

Malware Types: A Practitioner's Taxonomy

A reference list of all malware types by how they spread and what they do — worms, trojans, ransomware, rootkits, and the rest — because knowing the category tells you what defense actually stops it.

Safeguard Research Team
Research
6 min read

Asking for all malware types in one list is a bit like asking for all vehicle types — the useful answer isn't just the names, it's what distinguishes them functionally, because that's what determines which defense actually stops each one. This is a practitioner-oriented taxonomy: organized around how malware spreads and what it does once it's running, since those two axes are what matter for building a defense.

How is malware classified — by spread or by payload?

Most confusion around malware terminology comes from mixing two different classification axes. Spread mechanism describes how malware gets from one system to another (a virus needs a host file and user action; a worm spreads itself over a network with no user action required). Payload describes what the malware does once it's running (encrypt files for ransom, steal credentials, provide remote access). A single piece of malware often combines one spread mechanism with one or more payloads — which is exactly why "ransomware that spreads like a worm" is a coherent and historically real category, not a contradiction.

What are the main malware types by spread mechanism?

  • Virus — attaches itself to a legitimate file or program and requires that file to be executed (and usually requires some user action) to spread further. Classic viruses have declined relative to other categories as software distribution moved away from shared executable files.
  • Worm — self-replicating and self-propagating; it spreads across a network on its own, without needing a user to open a file or click anything, typically by exploiting a vulnerability in networked software. Worms can cause damage purely through propagation (consuming bandwidth and resources) independent of any additional payload.
  • Trojan — disguises itself as, or is bundled with, legitimate software to trick a user into installing it. Unlike viruses and worms, trojans don't self-replicate; they rely entirely on deception to get onto a system in the first place.

What are the main malware types by payload or function?

  • Ransomware — encrypts (or threatens to leak) a victim's files or systems and demands payment for the decryption key or to prevent disclosure. Modern ransomware operations frequently combine encryption with data theft ("double extortion"), threatening publication even if a victim has backups.
  • Spyware — covertly monitors a user's activity (keystrokes, browsing history, credentials) and exfiltrates the data to an attacker.
  • Adware — displays unwanted advertising, sometimes bundled with legitimate software installers; generally lower-severity but often bundled alongside more dangerous payloads or used to monetize compromised traffic.
  • Rootkit — designed to gain and maintain privileged (often kernel-level) access to a system while actively hiding its own presence from the operating system and security tools, making detection and removal significantly harder than for user-mode malware.
  • Botnet malware / bots — compromises a system and enrolls it into a network of attacker-controlled machines, typically used for distributed denial-of-service attacks, spam distribution, or credential-stuffing at scale.
  • Backdoor / remote access trojan (RAT) — provides an attacker with ongoing, often stealthy, remote control over a compromised system, frequently used to maintain long-term access for later stages of an attack.
  • Keylogger — a narrower form of spyware focused specifically on capturing keystrokes, commonly used to steal credentials and payment information.
  • Fileless malware — operates primarily in memory or through legitimate system tools (e.g., PowerShell, WMI) rather than dropping a traditional executable file to disk, which makes it harder for signature-based antivirus to detect.
  • Cryptojacking malware — covertly uses a victim's computing resources to mine cryptocurrency for the attacker, typically noticed through unexplained performance degradation rather than direct data loss.

Where does supply chain malware fit in this taxonomy?

Supply chain malware isn't a separate payload category — it's a distribution vector, and it can carry any of the payloads above. A compromised npm package, a malicious PyPI upload, or a backdoored Docker base image can deliver spyware, a backdoor, cryptojacking code, or a downloader that pulls in ransomware later, distinguished from a traditional trojan mainly by where the deception happens: instead of tricking an end user into installing something, it tricks a developer's build process into pulling in a dependency that looks legitimate. This is precisely the risk category SCA scanning exists to catch — flagging known-malicious packages and suspicious dependency behavior before they end up baked into a shipped artifact, and it's a fast-growing share of real-world incidents relative to classic end-user-targeted malware.

How does understanding malware type change incident response?

The category tells you where to look and what containment looks like: a worm means isolate network segments immediately, because it will keep spreading on its own; a rootkit means you likely can't trust anything the compromised OS reports about itself, and a clean reimage is usually safer than in-place removal; a RAT or backdoor means assume the attacker had ongoing access and audit everything reachable from the compromised host during that window, not just the malware itself. Naming the malware family correctly early in an incident isn't academic — it directly shapes the response plan.

FAQ

What's the difference between a virus and a worm?

A virus needs a host file and typically user action to spread; a worm self-propagates across a network on its own, usually by exploiting a vulnerability, with no user action required.

Is ransomware a type of trojan?

Not necessarily — ransomware describes the payload (encrypting files for ransom), which can be delivered via a trojan, a worm, or direct network exploitation. The payload and the delivery mechanism are separate classifications.

What makes fileless malware harder to detect than traditional malware?

It avoids writing a traditional executable to disk, instead operating in memory or through legitimate system tools, which means signature-based detection looking for known malicious files often misses it entirely.

Can a piece of malware belong to more than one category?

Yes, routinely — a single infection might use trojan-style deception to gain initial access, worm-like behavior to spread internally, and a ransomware payload to monetize the compromise, all in one campaign.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.