What makes a Trojan different?
The defining characteristic of a Trojan is deception. A victim installs what appears to be a cracked game, a free utility, a PDF attachment, or a browser extension — but the package contains a hidden malicious component that executes alongside (or instead of) the promised functionality.
Unlike a virus, a Trojan doesn't infect other files. Unlike a worm, it can't spread across networks by itself. Its power comes from persistence and access: once installed, a Trojan typically establishes a connection back to the attacker's C2 server and waits for instructions, often surviving reboots by adding itself to startup entries or scheduled tasks.
Types of Trojans
Trojans are categorised by their primary purpose after infection:
1. Remote Access Trojans (RATs) — The most powerful type. A RAT gives the attacker full interactive control: they can view the screen, activate the webcam and microphone, browse files, log keystrokes, execute commands, and exfiltrate data. Examples: DarkComet, NjRAT, Quasar RAT.
2. Banking Trojans — Designed specifically to steal financial credentials. They hook into web browsers to intercept banking sessions, inject fake login forms, and capture one-time passwords (OTPs) even when the user enters them correctly. Examples: Zeus, Emotet (later evolved), TrickBot.
3. Downloader/Dropper Trojans — Act as the first stage in a multi-stage attack. Their only job is to establish persistence and download additional malware once the initial infection is confirmed. Widely used by ransomware gangs as their entry point.
4. Keyloggers — Record every keystroke the victim types — passwords, messages, credit card numbers — and periodically transmit the log to the attacker. May be included as a feature in RATs or deployed as standalone tools.
5. Backdoor Trojans — Create a hidden persistent entry point into a system, bypassing normal authentication. Often installed by attackers after initial compromise to maintain access even if the original vulnerability is patched.
How Trojans reach victims
Since Trojans rely on the victim's action, attackers invest heavily in social engineering to make installation seem appealing or necessary:
- Phishing emails: Malicious attachments disguised as invoices, shipping notifications, or HR documents. Macro-enabled Office files have been a favoured delivery vector for years.
- Malvertising: Infected advertisements served through legitimate ad networks. Visiting a mainstream website is enough if a drive-by download exploit chain follows the ad click.
- Cracked/pirated software: Torrent sites offering free versions of paid software, games, or activation key generators are a primary Trojan distribution channel.
- Fake updates: Pop-ups claiming your Flash Player, browser, or antivirus is outdated and needs an immediate update — linking to the attacker's server.
- Supply chain compromise: Legitimate software update servers are compromised, pushing a malicious update to thousands of users who trust the vendor (e.g., the SolarWinds SUNBURST attack).
Inside a Trojan infection
After installation, a typical Trojan follows a predictable pattern:
Modern RATs are sophisticated applications. Many include encrypted communications, anti-analysis features (detecting virtual machine environments), and modules that can be pushed on demand: a keylogger module, a password harvester, a ransomware component, or a botnet agent.
Detection and removal
Trojans are designed to avoid detection, but several approaches are effective:
- Endpoint Detection and Response (EDR): Modern EDR tools monitor process behaviour — not just signatures — flagging anomalies like unusual outbound connections, process injection, or registry persistence keys added by unknown programs.
- Network monitoring: Unusual outbound traffic patterns (regular beaconing, encrypted connections to unknown IPs, large data transfers) can indicate a Trojan even when the malware evades endpoint tools.
- Application whitelisting: Only allowing pre-approved executables to run prevents most Trojans from executing in the first place.
- User training: Since Trojans require user action, trained users who recognise phishing and resist installing unverified software are the most effective control.
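The network-monitoring point above (regular beaconing to a single destination) can be turned into a simple detector. The following is an added example, not code from the original page or any EDR product: it parses a constructed outbound-connection log and flags source/destination pairs whose connection intervals are nearly constant, using the coefficient of variation as the regularity measure (the log format, thresholds and sample records are all assumptions).

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "timestamp src dst:port bytes_out".
# 10.0.0.5 -> 203.0.113.10 connects roughly every 60 s (a beacon pattern);
# 10.0.0.5 -> 198.51.100.20 has irregular timing typical of ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 203.0.113.10:443 512
2024-05-01T09:00:07 10.0.0.5 198.51.100.20:443 4096
2024-05-01T09:01:01 10.0.0.5 203.0.113.10:443 520
2024-05-01T09:01:59 10.0.0.5 203.0.113.10:443 498
2024-05-01T09:02:30 10.0.0.5 198.51.100.20:443 12000
2024-05-01T09:03:00 10.0.0.5 203.0.113.10:443 515
2024-05-01T09:03:48 10.0.0.5 198.51.100.20:443 300
2024-05-01T09:04:02 10.0.0.5 203.0.113.10:443 505
2024-05-01T09:04:10 10.0.0.5 198.51.100.20:443 2200
2024-05-01T09:04:15 10.0.0.5 198.51.100.20:443 900
2024-05-01T09:05:00 10.0.0.5 203.0.113.10:443 509
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_connections=5, max_cv=0.1):
    """Return (src, dst, mean_interval_s, cv) for pairs whose gaps between
    connections are nearly constant. cv = stddev / mean of the gaps; a low
    value means machine-like regularity, which is what a C2 beacon looks like."""
    findings = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings.append((src, dst, round(avg, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon suspect: {src} -> {dst} every ~{interval}s (cv={cv})")
```

Real implants add random jitter to their sleep interval, so in practice the threshold is tuned per environment and the result is correlated with endpoint signals (the persistence keys and unknown processes mentioned above) rather than treated as proof on its own.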
CEH v13's malware module covers Trojans, RATs, backdoors, keyloggers and detection techniques in a hands-on lab environment.