Trojan horse is not a malware type. Weird statement, since it is listed as a malware type literally everywhere, but hear me out. Everyone is probably familiar with the definition: a Trojan is malware which pretends to be a benign program and even has some useful functionality. While the Trojan horse used by the Greeks during the Trojan War carried soldiers in its belly, the Trojan malware has a malicious payload hidden in the useful program.

Now there are two problems with this definition. First, while everyone explains it this way, the term Trojan is actually not used in this sense. And secondly, it actually describes an infection vector instead of a malware type. Now, let me explain in detail.

In the past, that is like 30 years ago, viruses and worms made up the majority of malware, and other malware types were rather rare. Unlike today, worms were also categorized as a subtype of virus. More specifically, they were defined as network viruses by some researchers. So that is why antivirus products are still called antivirus. A more appropriate name would be anti-malware. Some of the newer vendors have used anti-malware for their products to stand out, but there's no real difference between those products. So whether they call themselves antivirus or anti-malware, they all protect from malware.

Viruses as well as worms spread on their own. So once a virus is in the wild, a malware operator just has to wait for more machines to become infected. They don't have to do anything. In contrast, the spread of non-viral malware requires constant effort to infect new systems, for instance, sending infection carriers. Such a carrier could be the Trojan horse, and its useful functionality provides a compelling reason for a user to run the malware. In the past, the benign or useful portion of the Trojan horse was more of a fixed trait that belonged to the malware family.
For instance, the AIDS ransomware, I think the first ransomware that existed, came alongside an AIDS prevention program which was distributed with a diskette via mail, not email, mail. The AIDS prevention program and the AIDS ransomware were tied together and didn't exist separately. At the time it made sense to have a malware type called Trojan horse because it was fixed, you know.

However, the threat landscape changed tremendously, and nowadays the majority of malware is non-viral. Worms are commonly not seen as a subtype of virus anymore but rather as a distinct, separate type, and non-viral malware quite often has some worm component or functionality, but it is rarely the main focus or the main way it is spread. So the main infection vectors nowadays are email attachments, malicious software downloads, infected websites and similar malware downloaders or carriers. These malicious carriers may or may not involve a benign program as a lure, but this has become detached from the malware family itself.

How so? Well, people use tools to bind or join malware programs with benign programs, and they may or may not use these tools at any given moment. Furthermore, development and spreading of malware have become separate tasks, and these tasks are often done by different groups of people. Spreading malware is a business, it's a service you can buy, and because of that some malware ends up being spread in a multitude of ways, using different services by different threat actors. So unlike with viruses and worms, the other infection vectors are not an integral part of the malware code anymore, and the non-viral infection vectors are ever changing and therefore not a characteristic or fixed trait of a malware family.

Malware types like keylogger, virus, RAT, stealer attempt to classify malware families by their fixed characteristics. That means they describe behavior and features which are part of the main code and rarely change. But that's not the case for Trojan.
The Trojan horse is just one possible way a certain malware spreads. Of course you can attempt to distinguish malware samples based on infection vectors, you could do that, but in that case Trojan as a type for malware makes as much sense as email attachment as a malware type. But we do not list email attachment or email links alongside keylogger, RAT and stealer, right? These are different categories. It's like comparing apples with cushion sofas. I mean, you can put an apple on a cushion sofa, but comparing them for their nutritional values, tastes and sitting comfort is probably not useful.

Why is the term Trojan still used so much though? I can only guess, but I think one major reason is how prevalent the term is in detection names. Detection names are the names antivirus vendors use for malware detection. So that's what you see on VirusTotal if you upload a malware sample. Many of them have Trojan as the default type if the malware is unknown. That's likely a legacy of the threat landscape 30 years ago. Having detection names for unknown malware is very common because many detection signatures nowadays are created by automation without knowledge of the family or the type. So you have a lot of unknown malware that's called Trojan in detection names.

And many people use detection names to determine the family and the type of the malware, to have a name for the malware. So Trojan ends up being commonly used in media and online descriptions of malware. And that term, when it is taken from detection names, is meant in the sense of non-viral malware instead of the original definition, which includes a benign program as a lure for the malicious payload. So the Trojan as a malware type has become part of learning material for certifications, for IT security degrees. And it is so popular you see it everywhere and it's taught everywhere.
But you will become confused at some point if you really dive into malware analysis, and you will also maybe note that most professional malware analysts avoid the term because it's pretty fuzzy. And if they use it, they add an explanation to it.

I hope this clears up some confusion you might have or prevents confusion you might have in the future. If you have any questions, please let me know in the comment section below, and leave a like, and see you next time.