What is a Trojan Horse?

Kurt Baker - June 17, 2022

What is a Trojan Horse? (Trojan Malware)

A Trojan Horse (Trojan) is a type of malware that disguises itself as legitimate code or software. Once inside the network, attackers are able to carry out any action that a legitimate user could perform, such as exporting files, modifying data, deleting files or otherwise altering the contents of the device. Trojans may be packaged in downloads for games, tools, apps or even software patches. Many Trojan attacks also leverage social engineering tactics, as well as spoofing and phishing, to prompt the desired action in the user.

Trojan: Virus or Malware?

A Trojan is sometimes called a Trojan virus or Trojan horse virus, but those terms are technically incorrect. Unlike a virus or worm, Trojan malware cannot replicate itself or self-execute. It requires specific and deliberate action from the user.

Trojans are malware, and like most forms of malware, Trojans are designed to damage files, redirect internet traffic, monitor the user’s activity, steal sensitive data or set up backdoor access points to the system. Trojans may delete, block, modify, leak or copy data, which can then be sold back to the user for ransom or on the dark web.

2024 CrowdStrike Global Threat Report

The 2024 Global Threat Report unveils an alarming rise in covert activity and a cyber threat landscape dominated by stealth. Data theft, cloud breaches, and malware-free attacks are on the rise. Read about how adversaries continue to adapt despite advancements in detection technology.

Download Now

10 Types of Trojan Malware

Trojans are a very common and versatile attack vehicle for cybercriminals. Here we explore 10 examples of Trojans and how they work:

  1. Exploit Trojan: As the name implies, these Trojans identify and exploit vulnerabilities within software applications in order to gain access to the system.
  2. Downloader Trojan: This type of malware typically targets infected devices and installs a new version of a malicious program onto the device.
  3. Ransom Trojan: Like general ransomware, this Trojan malware extorts users in order to restore an infected device and its contents.
  4. Backdoor Trojan: The attacker uses the malware to set up access points to the network.
  5. Distributed Denial of Service (DDoS) attack Trojan: Backdoor Trojans can be deployed to multiple devices in order to create a botnet, or zombie network, that can then be used to carry out a DDoS attack. In this type of attack, infected devices can access wireless routers, which can then be used to redirect traffic or flood a network.
  6. Fake AV Trojan: Disguised as antivirus software, this Trojan is actually ransomware that requires users to pay fees to detect or remove threats. Like the software itself, the issues this program claims to have found are usually fake.
  7. Rootkit Trojan: This program attempts to hide or obscure an object on the infected computer or device in order to extend the amount of time the program can run undetected on an infected system.
  8. SMS Trojan: A mobile device attack, this Trojan malware can send and intercept text messages. It can also be used to generate revenue by sending SMS messages to premium-rate numbers.
  9. Banking Trojan or Trojan Banker: This type of Trojan specifically targets financial accounts. It is designed to steal data related to bank accounts, credit or debit cards or other electronic payment platforms.
  10. Trojan GameThief: This program specifically targets online gamers and attempts to access their gaming account credentials.

Examples of Trojan Malware

Malware programs like Trojans are always evolving, and one way to prevent breaches or minimize damage is to take a comprehensive look at past Trojan Attacks. Here are a few examples:

  • NIGHT SPIDER’s Zloader: Zloader was masquerading as legitimate programs such as Zoom, Atera, NetSupport, Brave Browser, JavaPlugin and TeamViewer installers, but the programs were also packaged with malicious scripts and payloads to perform automated reconnaissance and download the trojan. The threat actor’s attempts to avoid detection caught the attention of threat hunters at CrowdStrike who were able to quickly piece together the evidence of a campaign in progress.
  • QakBot: QakBot is an eCrime banking trojan that can spread laterally throughout a network utilizing a worm-like functionality through brute-forcing network shares and Active Directory user group accounts, or via server message block (SMB) exploitation. Despite QakBot’s anti-analysis and evasive capabilities, the CrowdStrike Falcon® platform prevents this malware from completing its execution chain when it detects the VBScript execution.
  • Andromeda: Andromeda is a modular trojan that was used primarily as a downloader to deliver additional malware payloads including banking Trojans. It is often bundled and sold with plugins that extend its functionality, including a rootkit, HTML formgrabber, keylogger and a SOCKS proxy. CrowdStrike used PowerShell via the Real Time Response platform to remove the malware without having to escalate and have the drive formatted — all while not impacting the user’s operations at any point.

Expert Tip

Fun Fact: Trojans derive their name from the Greek mythical tale, Ulysses, wherein Greek warriors hid inside a hollow wooden horse. Their opponent, the Trojans, thought the horse was a blessing from the gods and brought it inside the city walls, unwittingly unleashing an attack. Much like Trojan horse in the epic, digital adversaries that deploy Trojans often rely on social engineering and trickery to deceive users into downloading and running malicious programs.

How do Trojans Infect Devices?

Trojans are one of the most common threats on the internet, affecting businesses and individuals alike. While many attacks focused on Windows or PC users in the past, a surge in Mac users has increased macOS attacks, making Apple loyalists susceptible to this security risk. In addition, mobile devices, such as phones and tablets, are also vulnerable to Trojans.

Some of the most common ways for devices to become infected with Trojans can be linked to user behavior, such as:

  • Downloading pirated media, including music, video games, movies, books, software or paid content
  • Downloading any unsolicited material, such as attachments, photos or documents, even from familiar sources
  • Accepting or allowing a pop-up notification without reading the message or understanding the content
  • Failing to read the user agreement when downloading legitimate applications or software
  • Failing to stay current with updates and patches for browsers, the OS, applications and software

Mobile Trojans

While most people associate Trojan attacks with desktop or laptop computers, they can be used to target mobile devices, such as smartphones, tablets or any other device that connects to the internet.

Like a traditional malware attack, mobile Trojan attacks are disguised as legitimate programs, usually as an app or other commonly downloaded item. Many of these files originate from unofficial, pirated app marketplaces and are designed to steal data and files from the device.

How to Prevent Trojan Horse Attacks

For everyday users, the best way to protect against Trojan attacks is by practicing responsible online behavior, as well as implementing some basic preventive measures.

Best practices for responsible online behavior include:

  • Never click unsolicited links or download unexpected attachments.
  • Use strong, unique passwords for all online accounts, as well as devices.
  • Only access URLs that begin with HTTPS.
  • Log into your account through a new browser tab or official app — not a link from an email or text.
  • Use a password manager, which will automatically enter a saved password into a recognized site (but not a spoofed site).
  • Use a spam filter to prevent a majority of spoofed emails from reaching your inbox.
  • Enable two-way authentication whenever possible, which makes it far more difficult for attackers to exploit.
  • Ensure updates for software programs and the OS are completed immediately.
  • Back up files regularly to help restore the computer in the event of an attack.

In addition, consumers should take steps to protect their devices and prevent them from all types of malware attacks. This means investing in cybersecurity software, which can detect many threats or block them from infecting the device.

How to Respond to a Trojan Malware Attack

The growing sophistication of digital adversaries makes it increasingly difficult for users to properly resolve Trojan attacks on their own. Ideally, if a person suspects that their system has been infected by a Trojan or other type of malware attack, they should contact a reputable cybersecurity professional immediately to help rectify the situation and put proper measures in place to prevent similar attacks from occurring in the future. At a minimum, consumers should download an antivirus program and malware removal service from a reputable provider.

For enterprise clients, it is important to work with a trusted cybersecurity partner to assess the nature of the attack and its scope. As discussed above, many traditional antivirus and malware removal programs will not adequately remediate existing threats or prevent future events.

CrowdStrike Solution to Trojan Malware

For enterprise organizations, protection against Trojans is especially important as a breach on one computer can lead to the entire network being compromised. Organizations must adopt an integrated combination of methods to prevent and detect all types of malware, including spyware. These methods include machine learning and exploit blocking. Here we review these capabilities within the context of CrowdStrike Falcon®, the market’s leading cloud-native security platform.

  • Machine Learning: Falcon uses machine learning to block malware without using signatures. Instead, it relies on mathematical algorithms to analyze files and can protect the host even when it is not connected to the internet.
  • Exploit Blocking: Malware does not always come in the form of a file that can be analyzed by machine learning. Some types of malware may be deployed directly into memory through the use of exploit kits. To defend against these, Falcon provides an exploit blocking function that adds another layer of protection.

CrowdStrike Falcon® combines these methods with innovative technologies that run in the cloud for faster, more up-to-the-minute defenses. To learn more, contact our organization to schedule a demo or enroll in a trial.


Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.