What Is a Trojan Horse? How Trojan Malware Works & Its Types
A Trojan horse hides malicious code inside something that looks legitimate, tricking you into installing it yourself. Here's how trojans work, the main types, and how to defend.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team.
A Trojan horse — often shortened to "trojan" — is a type of malware that disguises itself as legitimate, harmless, or desirable software to trick a user into installing and running it. The name comes from the ancient Greek story of the wooden horse: the threat is hidden inside something that looks like a gift. Unlike a virus or a worm, a trojan does not replicate itself — it relies entirely on deception to get onto a system. Once there, it can do almost anything the attacker wants.
In short: a trojan is the con artist of the malware world. It doesn't break down your door; it convinces you to open it and carry the threat inside yourself.
How a Trojan horse works
Every trojan relies on the same two-part trick: an attractive disguise and a hidden payload. The attack typically unfolds like this:
- The lure. The malware is packaged as something the victim wants or trusts — a free game, a cracked version of paid software, a software update, a document attachment, or an app from an unofficial store.
- The delivery. It reaches the victim through phishing emails, malicious ads (malvertising), fake download sites, or pirated software.
- The execution. The victim runs the file, expecting the advertised function. The legitimate-looking part may even work, masking the fact that malicious code is running silently in the background.
- The payload. The hidden code activates — opening a backdoor, stealing data, downloading more malware, or giving the attacker remote control.
Because the user voluntarily installs it, a trojan often sails past defenses that are watching for forced intrusion. This makes social engineering, not technical exploitation, the trojan's primary weapon.
Trojan vs virus vs worm
These three terms are frequently confused, but the difference is about how they spread:
- Virus: attaches to a host file and spreads when that file is run and shared.
- Worm: self-replicates across networks automatically, with no host file or human action needed.
- Trojan: does not self-replicate at all. It spreads purely by tricking users into installing it.
So "trojan virus" is technically a misnomer — a trojan isn't a virus — but it's a common everyday phrase. The key takeaway: a trojan's power is deception, not propagation.
Common types of trojans
Trojans are usually classified by what their payload does:
- Remote Access Trojan (RAT): gives the attacker full remote control of the device — watching the screen, logging keystrokes, accessing files, and even the webcam.
- Backdoor trojan: opens a hidden entry point so attackers can return at will, often enrolling the device into a botnet.
- Banking trojan: specifically targets financial credentials, intercepting online banking sessions to steal money. Families like Emotet and TrickBot began here.
- Downloader / dropper: a lightweight first stage whose only job is to fetch and install heavier malware — frequently ransomware.
- Infostealer trojan: harvests passwords, cookies, and crypto wallets — closely related to infostealer malware and spyware.
- DDoS trojan: turns the device into a participant in distributed denial-of-service attacks.
- Fake antivirus (scareware) trojan: pretends to find infections to extort payment for a bogus "fix."
Real-world examples
Many of the most damaging malware operations in history were, or began as, trojans. Emotet evolved from a banking trojan into a notorious malware-delivery service that loaded other gangs' payloads. TrickBot followed a similar path, often acting as the precursor to enterprise-wide ransomware. Remote access trojans are a staple of both cybercrime and advanced persistent threat espionage, because the deep, quiet control they provide is ideal for long-term intrusions. In almost every case the entry point was the same: a person tricked into opening something they believed was safe.
Signs of a trojan infection
- Unexpected slowdowns, crashes, or settings changing on their own.
- New programs, toolbars, or processes you didn't install.
- Unusual outbound network activity or connections to unfamiliar servers — a classic indicator of compromise.
- Security software being disabled or unable to update.
- Pop-ups, redirected web searches, or accounts sending messages you didn't write.
Sophisticated trojans, however, are built to show no symptoms at all — which is why behavior-based detection matters more than waiting to notice something is wrong.
How to defend against and remove trojans
- Only install trusted software. Avoid pirated programs, "cracks," and apps from unofficial stores — the classic trojan delivery vehicles.
- Be wary of attachments and links. Most trojans arrive via phishing; verify before you open.
- Keep software patched. Strong vulnerability management closes the secondary routes droppers exploit.
- Use behavior-based EDR. Modern endpoint detection and response catches what a trojan does, even when the file looks clean to signature scanners.
- Apply least privilege. Limiting user rights limits what a trojan's payload can reach.
- To remove one, isolate the device from the network, run a reputable removal tool, and — for anything serious like a RAT or backdoor — assume credentials are compromised and consider rebuilding the system, since a single trojan may have installed several hidden components.
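The symptoms under "Signs of a trojan infection" and the behavior-based detection recommended above can be written as rules over endpoint telemetry; this added example (not from the original article or any EDR product) credits each child process's behavior to the program the user launched and flags it only when several behaviors coincide. The event records, field names, paths, the service name ExampleAV and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs): two programs a user launched.
EVENTS = [
    {"pid": 100, "ppid": 1, "type": "start", "image": r"C:\Users\ana\Downloads\free_game_setup.exe"},
    {"pid": 100, "ppid": 1, "type": "file_write", "target": r"C:\Users\ana\AppData\Roaming\upd.exe"},
    {"pid": 101, "ppid": 100, "type": "start", "image": r"C:\Users\ana\AppData\Roaming\upd.exe"},
    {"pid": 101, "ppid": 100, "type": "net_connect", "target": "203.0.113.50:443"},
    {"pid": 101, "ppid": 100, "type": "service_stop", "target": "ExampleAV"},
    {"pid": 200, "ppid": 1, "type": "start", "image": r"C:\Program Files\Editor\editor.exe"},
    {"pid": 200, "ppid": 1, "type": "net_connect", "target": "updates.example.com:443"},
]
BASELINE_DESTINATIONS = {"updates.example.com:443"}  # what this host normally contacts
SECURITY_SERVICES = {"ExampleAV"}                    # hypothetical security product
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")

def root_of(pid, parent):
    """Walk up to the top-most tracked ancestor of a process."""
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid

def behaviours(event):
    """Yield the name of each suspicious behaviour a single event exhibits."""
    kind, target = event["type"], event.get("target", "")
    if kind == "start" and any(p in event["image"].lower() for p in USER_WRITABLE):
        yield "runs-from-user-writable-path"
    if kind == "file_write" and target.lower().endswith((".exe", ".dll")):
        yield "drops-executable"
    if kind == "net_connect" and target not in BASELINE_DESTINATIONS:
        yield "unfamiliar-outbound-connection"
    if kind == "service_stop" and target in SECURITY_SERVICES:
        yield "disables-security-software"

def analyse(events, threshold=3):
    """Map each launched program to its behaviours if it shows at least `threshold`."""
    parent = {e["pid"]: e["ppid"] for e in events}
    image = {e["pid"]: e["image"] for e in events if e["type"] == "start"}
    seen = defaultdict(set)
    for e in events:
        seen[root_of(e["pid"], parent)].update(behaviours(e))
    return {image.get(r, f"pid {r}"): sorted(b) for r, b in seen.items() if len(b) >= threshold}
```

No file hash or signature is consulted: the installer is flagged purely on what it and its child process did, while the editor that only contacts its usual update server is not.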
Do trojans affect phones?
Yes — mobile trojans are a significant and growing problem, especially on Android, where apps can be installed from outside the official store. They typically masquerade as legitimate apps — a game, a utility, a fake banking or delivery app — and once installed request excessive permissions to read messages, intercept one-time passcodes, or overlay fake login screens on top of real banking apps to steal credentials. Banking trojans are particularly common on mobile for exactly this reason. The defenses mirror those on desktop: install apps only from official stores, scrutinize the permissions an app requests, avoid sideloading from unknown sources, and keep the operating system updated. On any platform, the trojan's trick is the same — it depends on you choosing to install it.
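Scrutinizing the permissions an app requests can be done mechanically; this added example (not from the original article) compares an Android manifest's requested permissions with what the app's stated purpose needs and reports the extras that match the abuses described above. It assumes the manifest has already been decoded to text XML (APKs store it in a binary form), and the sample manifest, package name and the "expected" set are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions mapped to the abuses named in the paragraph above.
RISKY = {
    "android.permission.READ_SMS": "read messages",
    "android.permission.RECEIVE_SMS": "intercept one-time passcodes",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
}

# Constructed manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Flashlight"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries with no android:name

def review(manifest_xml, expected):
    """Return risky permissions requested beyond what the stated purpose needs."""
    extra = requested_permissions(manifest_xml) - set(expected)
    return {p: RISKY[p] for p in sorted(extra) if p in RISKY}
```

Calling `review(SAMPLE_MANIFEST, {"android.permission.CAMERA"})` reports the two SMS permissions and the overlay permission, none of which a flashlight needs.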
Where threat intelligence fits
Trojan families evolve constantly, sharing infrastructure and reinventing their lures. Threat intelligence tracks active trojan campaigns, their delivery methods, and the indicators and TTPs they use — letting defenders block known droppers and recognize a banking trojan or RAT before it escalates into a full breach. Studying captured samples through malware analysis is how those indicators are produced in the first place.
The bottom line
A Trojan horse is malware that hides inside something that looks legitimate, relying on deception rather than self-replication to get onto your system. Once installed, its payload can range from a remote-access backdoor to a banking-credential thief to a ransomware dropper. Because trojans exploit human trust, defense combines cautious software habits, phishing awareness, patching, least privilege, and behavior-based detection. To keep up with the trojan families circulating right now, follow our live threat intelligence feed, which aggregates malware campaign reporting from dozens of authoritative sources.
Frequently asked questions
What is a Trojan horse in simple terms?
A Trojan horse is malware disguised as legitimate or desirable software to trick you into installing it yourself. Once running, it secretly carries out malicious actions like stealing data, opening a backdoor, or downloading more malware. Unlike viruses and worms, it does not self-replicate.
Is a Trojan a virus?
Not technically. A virus attaches to a host file and spreads when that file runs, while a trojan spreads purely by deceiving users into installing it and does not replicate. "Trojan virus" is a common everyday phrase, but the two work differently.
What are the main types of trojans?
Common types include remote access trojans (RATs) for full control, backdoor trojans, banking trojans that steal financial credentials, downloaders/droppers that install other malware, infostealer trojans, DDoS trojans, and fake-antivirus scareware trojans.
How do you get rid of a Trojan?
Disconnect the device from the network, run a reputable malware-removal tool, and change passwords from a clean device. For serious trojans like RATs or backdoors, assume the system is fully compromised and consider rebuilding it, since one trojan may have installed several hidden components.
How do trojans spread?
Trojans spread through phishing emails and attachments, malicious ads, fake download sites, pirated or "cracked" software, and apps from unofficial stores. They rely on tricking the user into running them rather than exploiting a system automatically.