What Is Malware?

Malware is a common cyber-attack and an umbrella term for various malicious programmes delivered and installed on end-user systems and servers. These attacks are designed to cause harm to a computer, server, or computer network, and are used by cybercriminals to obtain data for financial gain.

Artificial intelligence has catalysed a fundamental shift, with AI-powered malware leveraging machine learning to automate and amplify cyber-attacks. Traditional malware operates on fixed code and predictable patterns. AI-enhanced threats analyse defensive measures in real time and adjust their behaviour to evade detection.

Where conventional attacks repeat the same sequences until defenders catch them, AI-powered variants learn from each encounter. They can identify vulnerabilities faster, modify their tactics on the fly, and even prioritise high-value targets without human direction.


History of Malware

Most computer historians say that the first virus was created in 1970. The Creeper Worm self-replicated and copied itself across ARPANET (an early version of the internet). When activated, it displayed the message, “I’m the creeper, catch me if you can!”

The term “virus” wasn’t coined until 1986, when Ph.D. student Fred Cohen described a computer virus as a programme that can infect other programmes and create an evolved version of itself. Most early viruses destroyed files or infected boot sectors. Today’s malware is much more sinister and designed to steal data, spy on businesses, create a denial-of-service condition, or lock files to extort money from victims.

Types of Malware

Malware programmes fall into commonly referenced categories such as:

  • Ransomware: Encrypts files that cannot be recovered unless the victim pays a ransom. Ransomware attacks are all too common these days. These attacks have evolved to include double and triple extortion tactics, where attackers steal data before encryption.
  • Adware: Displays ads (sometimes malicious ads) to users as they work on their computers or browse the web.
  • Fileless malware: Operates without traditional executable files, leveraging Microsoft Office macros, WMI (Windows Management Instrumentation) scripts, and other built-in system tools. This makes detection significantly harder for signature-based security.
  • Viruses: A virus infects a computer and executes a variety of malicious payloads. It may corrupt files, destroy operating systems, delete or move files, or deliver a payload on a specific date.
  • Worms: A worm is a self-replicating virus, but instead of affecting local files, a worm spreads to other systems and exhausts resources.
  • Trojans: A Trojan is named after the Greek war strategy of using a Trojan horse to enter the city of Troy. The malware masquerades as a harmless programme, but it runs in the background stealing data, allowing remote control of the system, or waiting for a command from an attacker to deliver a payload.
  • Bots: Infected computers can become a part of a botnet used to launch a distributed denial-of-service by sending extensive traffic to a specific host.
  • Spyware: Malware that installs silently, collects data, and sends it to an attacker, continuously “spying” on users and their activities. Spyware aims to gather as much important data as possible before detection.
  • Backdoors: Let remote users access a system and possibly move laterally. Trojans deliver backdoor payloads during installation.
  • Banking Trojans: View or steal banking credentials to access accounts. Typically, they manipulate web browsers to trick users into entering their personal banking information.
  • Keyloggers: Capture keystrokes as users type in URLs, credentials, and personal information and send it to an attacker.
  • RAT: “Remote access tools” enable attackers to access and control the targeted device remotely.

Today’s advanced malware leverages various attack strategies simultaneously to maximise impact and evade detection. AI-powered variants take this further by adapting their behaviour in real time, learning from defensive responses and modifying their tactics without attacker intervention.

Why AI-Powered Malware is Different

The use of AI in malware represents a paradigm shift in attack methodology. AI-enhanced variants make rapid decisions and are far more difficult to pin down. They’re often characterised by:

  • Evasion capabilities: Machine learning models enable malware to study detection patterns and route around them. Instead of relying on static signatures that antivirus software can flag, these threats analyse the defensive tools they encounter. They then modify their behaviour to slip past security controls that would catch conventional attacks.
  • Automation at scale: AI can generate thousands of unique malware variants or phishing messages in minutes. Each iteration looks different enough to evade signature matching while maintaining the same malicious intent. The sheer volume makes it nearly impossible for security teams to catalogue and block every variant manually.
  • Dynamic adaptability: These threats assess their environment and adjust tactics accordingly. If an AI-powered attack encounters strong email filtering, it might switch to a different delivery method. If network monitoring detects unusual traffic patterns, the malware can throttle its activity or change communication protocols to blend in.
  • Precision targeting: AI analyses user behaviour, organisational structures, and defensive postures to craft personalised attacks. Rather than sending generic phishing emails to thousands of recipients, these systems identify high-value targets and tailor messages to their specific roles, communication patterns, and vulnerabilities. The attacks feel legitimate because they’re designed specifically for each victim.

Malware Evasion Techniques

Malware evasion techniques help attacks slip past security controls. These methods have become more sophisticated over time. Understanding them is critical for building effective defences.

  • Code obfuscation: Encodes malicious code to disguise its true purpose from security scanners.
  • Code compression: Wraps malware in standard compression formats (gzip, zip, rar) to hide code from antivirus and detection in email messages.
  • Code encryption: Encrypts malicious payloads so signature-based tools cannot recognise them.
  • Steganography: Embeds malicious code within image files, making detection nearly impossible without specialised analysis.
  • Domain or IP range avoidance: Detects sandbox environments and security research infrastructure, then refuses to execute. This prevents analysts from studying the malware's behaviour.
  • User action detection: Monitors human behaviours, such as mouse movements and clicks, to confirm the system is not a sandbox or automated analysis environment.
  • Time delays: Remains inactive for hours or days before executing, which lets the malware outlast time-limited sandbox analysis.
  • Recent file detection: Checks for signs of genuine user activity across multiple applications before deploying.
  • Device fingerprinting: Only executes on specific system configurations.

Attackers typically combine multiple evasion techniques to maximise their success rate. AI-powered malware takes this further by selecting and applying these methods dynamically based on what it encounters. Instead of using a fixed evasion strategy, AI-enhanced threats can test defences in real time and choose the techniques most likely to work in each specific environment.

Why Attackers Use Malware

Cyber crime operates as a business, and malware serves as its primary tool for generating revenue. Most attacks target financial gain through data theft, extortion, or resource exploitation. However, some malware campaigns focus purely on disruption and sabotage.

Attackers select specific malware types based on their objectives. Ransomware encrypts critical files to extort payments from businesses. Banking Trojans steal financial credentials for account takeovers. The Mirai botnet hijacks IoT devices to launch massive distributed denial-of-service attacks that can take down entire networks.

Common malware objectives include:

  • Capturing personally identifiable information through phishing and social engineering.
  • Stealing financial credentials like credit card numbers and banking access.
  • Establishing remote access and control over compromised systems.
  • Exploiting device resources for cryptocurrency mining or botnet participation.

Malware Stats

The malware threat landscape continues to expand at an alarming pace. Cybersecurity systems now detect approximately 560,000 new malware threats every single day. Threat actors deployed an average of 200,454 unique malware scripts per day in 2024, roughly 1.5 new samples every minute.

The financial impact has reached unprecedented levels. According to IBM’s Cost of a Data Breach Report 2025 (conducted with Ponemon Institute), the global average breach cost stands at $4.44 million. However, U.S. organisations face significantly higher costs at $10.22 million per breach, an all-time high driven by increased regulatory fines and detection costs.

Cybersecurity Ventures projects global cyber crime costs will hit $10.5 trillion in 2025. This represents the greatest transfer of economic wealth in history. By 2031, that figure is expected to climb to $12.2 trillion annually.

AI has fundamentally changed the attack landscape. Research findings from IBM’s report found that 16% of data breaches in 2025 involved attackers using AI. The most common applications are AI-generated phishing (37% of AI attacks) and deepfake impersonation attacks (35%). Organisations that experienced AI-related breaches overwhelmingly lacked proper controls, with 97% reporting inadequate AI access controls.

The cybersecurity workforce crisis compounds these challenges. Despite growing to 5.5 million professionals worldwide, the workforce has essentially flatlined with only 0.1% growth since 2023. ISACA’s 2025 State of Cybersecurity research reveals that 55% of respondents believe their security teams are understaffed. Additionally, 65% of organisations report unfilled cybersecurity positions, with hiring timelines stretching three to six months even for entry-level roles.

These cyber threats are showing no signs of slowing down. As malware attacks continue to increase in volume and sophistication, reports by Cybersecurity Ventures estimate global cyber crime costs to grow by 15% year-over-year for the next five years, reaching upwards of $10.5 trillion in damages by 2025. Largely fuelled by ransomware-related attacks, these trends indicate the greatest transfer of wealth in history. Fuelling the malware momentum are alarming data and trends, including:

  • $5.13 million: The average cost of a ransomware attack in 2024, including ransom payments, recovery costs, and damage to reputation and customer trust.
  • 4.8 million: The global cybersecurity workforce gap, i.e. unfilled positions needed to defend against malware and other threats as demand accelerates faster than talent availability.
  • 97%: Share of organisations that experienced an AI-related security breach and lacked proper AI access controls, revealing a critical vulnerability as attackers increasingly target AI systems.

What Are Examples of Malware?

Examples of malware attacks date back several decades to the early days of the first personal computers. The first PC-based malware attack, “Brain”, was released in 1986 and infected the original 5.2" floppy disks of IBM Personal Computers. This early computer virus catapulted a deleterious trend in emerging malware attacks that would become increasingly sophisticated over time.

Other notable examples of historic malware attacks include:

  • The 1999 Melissa virus was an email-based malware attack that used an infected Word attachment to deceive victims. Melissa was one of the earliest forms of malware to use social engineering and caused damages of $80 million.
  • The ILOVEYOU worm of the early 2000s was another socially-engineered email attack disguised as a love letter. Infecting over 45 million people, the ILOVEYOU worm racked up $15 million in financial damages.
  • The 2018 Emotet Trojan was deemed “the most threatening and devastating malware attack” by the US Department of Homeland Security, stealing sensitive financial information of governmental organisations through the spread of spam and phishing. Remediation of Emotet malware attacks cost roughly $1 million per incident across numerous cases.
  • The WannaCry attack of 2017 was one of the most sophisticated and costly of its time, replicating itself without any suspicious file modification. By infecting over 230,000 computers in less than a day, WannaCry was responsible for $4 billion in ransomware losses.
  • WormGPT and FraudGPT (2023-2025) represent a new generation of AI-powered cyber crime tools. These malicious chatbots bypass ethical programming to generate sophisticated phishing emails, create polymorphic malware, and automate business email compromise attacks. Sold on dark web forums for $200 to $1,700 annually, they lower the barrier to entry for complex cyber-attacks and enable less technically-abled criminals to launch professional-grade campaigns.
  • BlackMatter ransomware (2024-2025) uses AI-driven encryption strategies and real-time analysis of victim defences to evade traditional endpoint detection systems. This evolution of the DarkSide strain adapts its behaviour based on the security tools it encounters, making it one of the most advanced ransomware threats.

How Do You Get Malware?

A good antivirus stops malware from infecting a computer, so malware authors develop several strategies to bypass the security controls installed on the network. A user can become a victim of malware through numerous attack vectors.

Common ways users become victims of malware:

  • You download an installer that installs a legitimate programme, but the installer also contains malware.
  • You browse a website with a vulnerable browser (e.g., Internet Explorer 6), and the website contains a malicious installer.
  • You open a phishing email and open a malicious script used to download and install malware.
  • You download an installer from an unofficial vendor and install malware instead of a legitimate application.
  • You click a web page ad that convinces you to download malware.

What Are the Signs of a Malware Infection?

Even though malware runs silently in the background, the resources it consumes and the visible effects of its payload are telltale signs that your computer is infected. While some infection detection may require an experienced user, you can still recognise specific signs that warrant further investigation.

Here are a few signs that you might have malware:

  • Slow computer: Some malware, like cryptojackers, requires extensive CPU and memory to execute. Your computer will run unusually slowly even after a reboot.
  • Constant pop-ups: Adware embeds into the operating system, so your browser constantly displays ads. After you close an ad, another one pops up.
  • Blue screen of death (BSOD): Windows crashes to a blue screen and displays an error, but this issue should rarely happen. Constant BSOD issues could mean the computer has malware.
  • Excess disk storage or loss: Malware might delete data, releasing large amounts of storage space or adding several gigabytes of data onto storage.
  • Unknown internet activity: Your router shows excessive activity even when you’re not using your internet connection.
  • Change in browser settings: Malware will change browser home pages or search engine settings to redirect you to spam websites or sites containing malicious programmes.
  • Antivirus is disabled: To deliver its payload, some malware disables antivirus software, and it stays disabled even after you re-enable it.

Mobile Device Malware Risks

Mobile devices have become prime targets for malware attacks. Android threats jumped 151% in the first half of 2025, with attackers exploiting third-party app stores and social engineering tactics to distribute malicious apps. While iPhones remain relatively secure due to Apple’s app vetting process, Android devices contract 98% of all mobile malware.

The risk extends beyond operating system vulnerabilities. Smartphones contain financial credentials, location data, and browsing history that make them lucrative targets. Their constant internet connectivity enables malware to operate silently in the background, uploading stolen data without the user’s knowledge. Research shows that 18.1% of analysed devices had mobile malware installed, highlighting how widespread the problem has become.

Malware Prevention

Defending against modern malware requires more than traditional antivirus software. Organisations need layered defences that combine behavioural analysis, anomaly detection, and threat intelligence to catch threats that signature-based tools miss.

Continuous monitoring and adaptive detection methods provide real-time visibility into potential threats. These systems establish baselines of normal behaviour and flag deviations that could indicate malware activity. AI and machine learning enable these tools to identify zero-day exploits and polymorphic malware that constantly change to evade detection.

Zero-trust principles limit malware spread by assuming no user or device is inherently trustworthy. This approach requires verification at every access point and restricts lateral movement across networks. Even if malware compromises one system, zero-trust architecture prevents it from spreading throughout the organisation.

Essential prevention measures include:

  • Implementing multifactor authentication (MFA) with biometrics or authenticator apps to prevent unauthorised access.
  • Enforcing strong password requirements with minimum length and complexity standards.
  • Limiting administrator privileges and avoiding unnecessary elevated access for daily operations.
  • Applying security patches promptly to close vulnerabilities that malware exploits.
  • Deploying intrusion detection systems, firewalls, and encryption to protect data in transit.
  • Filtering malicious emails and attachments before they reach user inboxes.
  • Providing security awareness training that helps employees recognise AI-generated phishing attempts and social engineering tactics. As attackers use AI to create more convincing lures, training must evolve to address these sophisticated techniques.

Organisations should also implement extended detection and response (XDR) solutions that correlate data across endpoints, networks, and cloud environments. This holistic view improves threat detection and enables faster response to incidents.

How to Remove Malware

Malware removal in enterprise environments requires a coordinated response that goes beyond traditional antivirus scans. Modern threats like ransomware and fileless malware demand endpoint detection and response (EDR) tools that can identify, contain, and remediate infections across your network. The goal is not just removal but ensuring complete eradication to prevent reinfection.

Immediate Containment

The moment malware appears on your system, speed matters. Pull the infected device offline right away—unplug the ethernet cable or disable Wi-Fi to stop the threat from jumping to other machines. Before wiping anything clean, create a forensic copy of the infected system. Your security team will need this evidence to understand what happened and prevent future attacks.

Detection and Analysis

Modern malware hides better than ever before. That’s why traditional antivirus isn’t enough anymore. Today’s endpoint detection and response (EDR) tools watch how programmes behave, not just their signatures. They catch suspicious activity like unusual file access patterns or registry changes that signal trouble.

Smart security teams also tap into threat intelligence networks. These real-time feeds alert you to the latest attack methods circulating in the wild, helping you spot dangers your standard tools might miss.
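To make the behavioural approach concrete, here is an added example (not Proofpoint's or any EDR vendor's detection logic) of three rules run over a constructed endpoint event stream: an Office application spawning a script host (the macro and WMI path used by fileless malware), a process writing a Run key for persistence, and one process renaming many files in a short window (ransomware-like). The process names, thresholds and sample events are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed watch lists and thresholds; a real deployment tunes these against its own baseline.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "wmic.exe", "cmd.exe"}
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",)
RENAME_THRESHOLD = 20   # renames by one process inside RENAME_WINDOW before alerting
RENAME_WINDOW = 10.0    # seconds


@dataclass
class Event:
    ts: float      # seconds since an arbitrary epoch
    host: str
    kind: str      # "process", "file_rename" or "registry_set"
    pid: int
    image: str     # image name of the acting process
    detail: str    # child image, new file path, or registry key written


def detect(events):
    """Return (rule, host, pid, summary) tuples for events matching any of the three rules."""
    alerts = []
    renames = defaultdict(list)   # (host, pid) -> timestamps of recent file renames
    alerted = set()               # (host, pid) pairs that already raised a mass-rename alert
    for e in sorted(events, key=lambda ev: ev.ts):
        image = e.image.lower()
        if e.kind == "process" and image in OFFICE_PARENTS and e.detail.lower() in SCRIPT_HOSTS:
            alerts.append(("office-spawns-script-host", e.host, e.pid, f"{image} -> {e.detail}"))
        elif e.kind == "registry_set" and any(k in e.detail.lower() for k in RUN_KEYS):
            alerts.append(("run-key-persistence", e.host, e.pid, f"{image} wrote {e.detail}"))
        elif e.kind == "file_rename":
            key = (e.host, e.pid)
            # Keep only renames inside the sliding window, then add this one.
            renames[key] = [t for t in renames[key] if e.ts - t <= RENAME_WINDOW] + [e.ts]
            if len(renames[key]) >= RENAME_THRESHOLD and key not in alerted:
                alerted.add(key)
                alerts.append(("mass-file-rename", e.host, e.pid,
                               f"{image} renamed {len(renames[key])} files in {RENAME_WINDOW:.0f}s"))
    return alerts


def sample_events():
    """Constructed event stream: two benign process launches, one macro-style chain, one rename burst."""
    ev = [
        Event(1.0, "ws01", "process", 410, "explorer.exe", "winword.exe"),   # user opens Word: benign
        Event(2.0, "ws01", "process", 512, "winword.exe", "wscript.exe"),    # document launches a script host
        Event(2.5, "ws01", "registry_set", 600, "wscript.exe",
              "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
        Event(3.0, "ws01", "process", 520, "outlook.exe", "winword.exe"),    # mail client opens Word: benign
    ]
    # 25 renames by one process within 5 seconds (ransomware-like)...
    ev += [Event(10.0 + i * 0.2, "ws01", "file_rename", 700, "updater.exe",
                 f"C:\\Users\\a\\Docs\\f{i}.docx.locked") for i in range(25)]
    # ...and 5 renames by another process spread over a minute (ordinary user activity).
    ev += [Event(20.0 + i * 12, "ws02", "file_rename", 800, "explorer.exe",
                 f"C:\\Users\\b\\f{i}.txt") for i in range(5)]
    return ev


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```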

Eradication and Recovery

Once you’ve identified the infection, it’s time for thorough cleanup. Most EDR platforms include built-in removal tools that can automatically neutralise common threats. But some malware digs deep, creating multiple backdoors and persistence mechanisms.

For stubborn infections, you might need to restore the entire system from a clean backup. Here’s the critical part: verify your backups are malware-free first. Nothing’s worse than reinfecting a clean system with contaminated backup files.

Verification and Monitoring

Removing malware is only half the battle. Sophisticated attackers often leave behind hidden components designed to reactivate later. After cleanup, maintain heightened monitoring on both the affected system and neighbouring devices for at least 30 days.

Run comprehensive security audits to uncover how attackers got in—was it a phishing email, an unpatched vulnerability, or compromised credentials? Close these security gaps immediately. Review system logs, network traffic patterns, and user activities to confirm the threat actor no longer has any foothold in your environment.

Remember: effective malware response combines rapid action with methodical investigation. Each incident teaches valuable lessons that strengthen your defences against the next attack.

Post-Incident Actions

Document the incident thoroughly as part of your incident response plan. Conduct a lessons-learned session to identify weaknesses in your defences. Update security policies, patch vulnerabilities that were exploited, and enhance monitoring for similar attack patterns in the future.

Complete removal requires vigilance beyond the initial cleanup. Continuous monitoring through security information and event management (SIEM) platforms and regular threat hunting exercises help ensure malware has not established persistence mechanisms that could trigger reinfection.

Malware Attacks Within Organisations

Malware has been seen attacking organisations in nearly every vertical. While some criminals use malware to attack an organisation directly, we’ve also seen malware attacks that try to sidestep the normal email delivery route. Malware attacks can cause significant damage to organisations and their employees.

When malware strikes your organisation, the damage extends far beyond frozen computers and encrypted files. These attacks create ripple effects that impact your entire business:

  • Exfiltrate sensitive data, such as email addresses, passwords, and other business assets.
  • Lock up organisations’ networks and PCs, making them inoperable.
  • Cause operational issues like disrupted productivity and catastrophic data loss.
  • Replicate and spread throughout devices connected within the network.
  • Encrypt information so that it can only be opened with a key known to the attacker (ransomware).
  • Compromise the confidentiality, integrity, or availability of the organisation’s data and assets.

Organisations that regularly handle external files face heightened security risks. Think about how many documents flow through your business daily—contracts, proposals, invoices, and reports from clients, vendors, and partners. Each file exchange creates a potential entry point for malware.

Cyber criminals have identified a critical vulnerability in corporate defences: the hiring process. Every company needs talent, which means HR teams must open resumes from unknown sources. Attackers exploit this necessity by weaponising job applications.

Here’s how they bypass your defences: Instead of emailing malicious files that might trigger security alerts, criminals upload infected resumes directly to job boards and recruiting platforms. When HR staff download these files from trusted recruiting sites, the malware slips past email security filters that would normally catch suspicious attachments. It’s a clever workaround that turns routine hiring activities into security risks.

How Proofpoint Can Help

Proofpoint takes a layered approach to malware defence. Our solutions identify and block threats across email, cloud applications, and web channels before they reach your users. We combine behavioural analysis, threat intelligence, and advanced detection to stop both traditional and AI-powered attacks.

The threats evolve, and so do our defences. Our platform adapts to emerging attack patterns while giving your security teams visibility into what matters most. From initial detection to incident response, Proofpoint helps you stay ahead of malware at every stage. Get in touch to learn more.

FAQs

How does malware spread?

Malware spreads through multiple vectors, with phishing emails being the most common method. Attackers also use malicious websites, infected USB drives, pirated software, and compromised credentials to gain access to systems. Once inside, modern malware can move laterally across networks to infect additional devices.

How is AI changing the way malware works?

AI enables malware to adapt its behaviour in real time based on the defences it encounters. These threats analyse security tools, modify their tactics to evade detection, and personalise attacks for specific targets without human intervention. AI also automates the creation of polymorphic code and convincing phishing content at scale, making attacks harder to detect and block.

What are examples of AI-powered cyber-attacks?

AI-powered cyber-attacks include deepfake-enabled phishing, where attackers use synthetic video or audio to impersonate executives and authorise fraudulent transactions. Adaptive ransomware uses machine learning to identify high-value assets, detect backup systems, and modify encryption strategies based on victim defences. Polymorphic malware automatically changes its code to evade signature-based detection, while tools like WormGPT generate convincing business email compromise attacks at scale.

Can AI be used to detect and stop AI-powered malware?

Yes, AI-powered detection systems can identify patterns and anomalies that indicate malicious activity. Machine learning models establish behavioural baselines and flag deviations that could signal an attack. These adaptive systems can detect zero-day exploits and polymorphic malware that constantly change to avoid signature-based detection.

How can organisations defend against AI-driven malware?

Defence against AI-driven malware requires continuous monitoring and adaptive detection methods that respond to threats in real time. Organisations should implement extended detection and response (XDR) solutions that correlate data across endpoints, networks, and cloud environments. Security awareness training must evolve to help employees recognise AI-generated phishing attempts and deepfake attacks that are increasingly convincing.
