What Is a Trojan? Trojan Horse Malware Explained

A Trojan is malware disguised as legitimate software that a user is tricked into running; unlike a virus or worm it does not self-replicate, and its hidden payload can do anything the logged-in user can do once executed.

A user double-clicks what looks like a Zoom installer. It installs nothing useful. Behind the splash screen, a second process drops a payload, writes a registry run key, and opens a channel to an IP in another country. The user wanted a video call. The attacker wanted a foothold, and the user just handed it over by running the file. That is a Trojan working exactly as designed.

A Trojan is malware that disguises itself as something legitimate so a person will run it. The name comes straight from the Greek story of the wooden horse wheeled into Troy: the danger is invited in because it looks like a gift. The defining trait is not what the code does after it runs, which can be almost anything, but how it gets there. A Trojan relies on the user to execute it. It does not break in. It is let in.

This article defines the Trojan precisely, separates it from the virus and the worm it gets confused with, walks the main types and real-world examples, traces how an infection actually unfolds, and lays out how a SOC detects and responds to one.

What is a Trojan horse?

A Trojan horse is malicious code packaged to look like legitimate, desirable, or harmless software so that a user installs and runs it themselves. The disguise is the whole technique. A Trojan might pose as a cracked game, a software update, a PDF invoice, a browser extension, a pirated application, or a tool that claims to clean your machine. Once the victim runs it, the hidden payload executes with that user's privileges and does whatever the attacker built it to do.

Two properties define a Trojan, and the second one is the one people miss:

  • It masquerades as legitimate. The delivery depends on deception, not on a software flaw. The user is convinced the file is safe and useful, so they run it on purpose.
  • It needs the user to run it. A Trojan does not self-replicate and does not self-execute. It sits there until a human launches it. That single requirement is what separates it from a virus and a worm.

After execution, a Trojan can do anything the logged-in user can do: read and steal files, log keystrokes, capture the screen, install more malware, add a persistence mechanism, or open a remote control session. The category name describes the entry method. The damage class depends on the payload bolted onto it.

Trojan vs virus vs worm

These three get used interchangeably, and they should not be. The line between them is propagation: how the malware spreads and whether it needs a person.

Property               | Trojan                          | Virus                            | Worm
-----------------------|---------------------------------|----------------------------------|---------------------------------
Spreads by             | Tricking a user into running it | Attaching to a host file         | Self-propagating across networks
Self-replicates        | No                              | Yes, into other files            | Yes, copies itself host to host
Needs a user to spread | Yes, must be run                | Yes, user runs the infected host | No, spreads on its own
Needs a host file      | No, it is the file              | Yes, by definition               | No
Defining trait         | Disguise and user execution     | Host-file infection              | Autonomous network spread

A virus infects existing files and replicates when those files run. A worm copies itself across machines with no user action at all. A Trojan does neither. It is a standalone program that depends entirely on convincing a person to launch it. That is why "Trojan virus" is a contradiction in terms, even though the phrase is everywhere. A Trojan is malware, but it is not a virus.

The distinction is operational, not academic. A worm is contained by stopping network propagation. A virus is contained by finding and cleaning infected host files. A Trojan is contained by figuring out what the user ran, what it dropped, and where it reached, because the Trojan itself is usually just stage one.

How a Trojan infection works

[Figure: Trojan infection chain. Disguise gets it run, payload takes over. Stages: 01 Lure and delivery; 02 User execution (T1204); 03 Payload deployment; 04 Persistence; 05 Command and control (T1071); 06 Actions on objectives. Defender takeaway: the Trojan is the door, not the end state; the telemetry that matters comes after step two.]

A Trojan attack runs as a sequence of stages. The disguise gets it executed, then the real payload takes over. Understanding the order is what lets a defender break the chain at the earliest point.

  1. Lure and delivery. The attacker dresses the file as something the target wants or trusts: a fake installer for popular software, a phishing attachment, a malicious ad, a poisoned download from a search result, or a link in a message.
  2. User execution. The victim runs the file, believing it is legitimate. This is the step that defines a Trojan, and it maps to MITRE ATT&CK technique T1204 (User Execution).
  3. Payload deployment. The disguise usually shows something convincing while the hidden component runs: it drops a second-stage binary, injects into a process, or executes script in memory.
  4. Persistence. The malware sets itself to survive a reboot through a run key, scheduled task, service, or startup entry, so the foothold is not lost when the machine restarts.
  5. Command and control. Many Trojans, especially backdoors and remote access Trojans, open a command and control channel out to the attacker's infrastructure to receive instructions and exfiltrate data.
  6. Actions on objectives. With access established, the attacker pursues the goal: steal credentials, deploy ransomware, move laterally, build out a botnet node, or simply sit and watch.

The key insight for a defender is that the Trojan is rarely the end state. It is the door. The interesting telemetry is what happens after step two: the child process a document should never spawn, the new persistence entry, the unexpected outbound connection.
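The post-execution pattern described above (a user-launched program that spawns a child, writes a Run key, and opens an outbound connection) can be scored directly from process, registry and network telemetry. The following is an added illustration written for this glossary entry, not code from the original article or any product; the event tuple layout and the image names are constructed assumptions loosely modelled on Sysmon-style host logs.

```python
from collections import defaultdict

# Assumed event shape: (kind, pid, parent pid, detail). Constructed sample telemetry
# for one user session; nothing here is real logging output.
EVENTS = [
    ("process", 100, 1, "explorer.exe"),
    ("process", 200, 100, "ZoomInstaller.exe"),   # user double-clicks the lure (T1204)
    ("process", 300, 200, "updater.exe"),          # hidden second stage dropped by the lure
    ("registry", 300, None, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("network", 300, None, "203.0.113.7:443"),     # beacon to TEST-NET address (T1071), constructed
    ("process", 400, 100, "winword.exe"),          # benign: user opens a document
    ("process", 500, 400, "splwow64.exe"),         # benign child, no persistence, no beacon
    ("registry", 400, None, r"HKCU\Software\Microsoft\Office\16.0\Word\Options"),  # not a Run key
]

USER_SHELLS = {"explorer.exe"}   # a child of the shell is what the user launched by hand
RUN_KEY = r"\currentversion\run"  # substring match also covers RunOnce


def stages_per_user_launch(events):
    """Map each user-launched image to the post-execution stages seen in its process tree:
    'child' (spawned a process), 'persistence' (Run key write), 'c2' (outbound connection)."""
    name, parent = {}, {}
    for kind, pid, ppid, detail in events:
        if kind == "process":
            name[pid], parent[pid] = detail, ppid

    def root_of(pid):
        # Walk up until the parent is the user's shell; that process is the T1204 step.
        while pid in parent and name.get(parent[pid]) not in USER_SHELLS:
            pid = parent[pid]
        return pid if name.get(parent.get(pid)) in USER_SHELLS else None

    stages = defaultdict(set)
    for kind, pid, _, detail in events:
        root = root_of(pid)
        if root is None:
            continue
        if kind == "process" and pid != root:
            stages[name[root]].add("child")
        elif kind == "registry" and RUN_KEY in detail.lower():
            stages[name[root]].add("persistence")
        elif kind == "network":
            stages[name[root]].add("c2")
    return dict(stages)


def flag_trojan_pattern(events):
    """User-launched images whose tree shows all three stages: child, persistence and C2."""
    return sorted(img for img, s in stages_per_user_launch(events).items() if len(s) == 3)


if __name__ == "__main__":
    print(flag_trojan_pattern(EVENTS))  # ['ZoomInstaller.exe']
```

Word's print-helper child alone does not trip the rule, which is the point: a single stage is normal activity, the full chain is the Trojan.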

10 common types of Trojan malware

Trojans are categorized by the payload they carry, not by the disguise. The same fake installer could deliver any of these. The list below covers the types a SOC sees most, and the categories overlap in practice.

  • Downloader / dropper Trojan. Carries or fetches additional malware. It is the loader stage that pulls in the real payload after the first run.
  • Backdoor Trojan. Opens covert remote access so the attacker can return at will. Backdoors and remote access Trojans are the workhorses of long-term intrusions.
  • Remote access Trojan (RAT). Gives the attacker full interactive control of the host: file access, webcam and microphone, keystrokes, screen capture. njRAT and DarkComet are well-documented examples.
  • Banking Trojan. Steals financial credentials by injecting into the browser or capturing form data on banking sites. Zeus and its descendants defined this class.
  • Ransom Trojan. Delivers a ransomware payload that encrypts files and demands payment. The Trojan is the delivery vehicle for the extortion.
  • DDoS Trojan. Enlists the infected host into a botnet to flood a target with traffic on command.
  • Rootkit Trojan. Installs a rootkit to hide other malware and the attacker's activity deep in the operating system.
  • Fake-AV (rogue security) Trojan. Poses as antivirus software, fakes infection alerts, and extracts payment or installs more malware.
  • SMS Trojan (mobile). Targets phones, sending premium-rate texts or intercepting one-time passcodes to defeat two-factor authentication.
  • Game-thief Trojan. Steals credentials and in-game assets from gaming accounts.

Most real intrusions combine several of these. A downloader pulls a backdoor; the backdoor enables a banking-credential grab or a ransomware stage. The disguise is the constant; the payloads stack.

Real-world Trojan examples

The taxonomy is easier to trust when it maps to named threats defenders have actually fought.

Emotet started in 2014 as a banking Trojan and evolved into one of the most prolific malware loaders ever, renting access on infected machines to other crews and pushing follow-on payloads. A coordinated international law-enforcement operation disrupted its infrastructure in January 2021, and it resurfaced later that year, a reminder that takedowns set attackers back rather than end them.

QakBot (also called Qbot) followed a similar arc: a banking Trojan that matured into a loader and initial-access broker feeding ransomware operations. The FBI and international partners dismantled its infrastructure in August 2023 in an operation named Duck Hunt.

Zeus (Zbot) is the banking Trojan that shaped the category. Its source code leaked around 2011, and the leak spawned a generation of variants, including Citadel and Gameover Zeus, that are still studied in malware analysis today.

These three trace the modern pattern: Trojans rarely stay single-purpose. They become modular platforms whose job is to get in, stay in, and deliver whatever pays.

How to prevent and respond to Trojan attacks

Because a Trojan depends on user execution, prevention starts with the user and the controls around what runs. Response starts with assuming the visible Trojan is only the first stage.

Prevention:

  • Treat unsolicited attachments and links as hostile until proven otherwise, especially installers, invoices, and "updates" arriving by email or message.
  • Download software only from the vendor or an official store. Most disguise-based delivery relies on fake installers and pirated builds.
  • Keep operating systems and applications patched, so a Trojan that carries an exploit cannot lean on a known flaw.
  • Enforce least privilege. A Trojan runs with the user's rights, so a non-admin account limits the blast radius.
  • Run application allowlisting and endpoint detection and response (EDR) that scores behavior, not just file signatures.
  • Require multi-factor authentication so that stolen credentials alone do not grant access, and prefer phishing-resistant factors over SMS, which SMS Trojans target.

Response:

  • Isolate the host from the network to cut command and control and stop lateral movement.
  • Identify the original file the user ran and every process and file it spawned. The dropped payload, not the lure, is the real scope.
  • Hunt for persistence: new run keys, scheduled tasks, services, and startup items.
  • Reset credentials used on the machine, because a backdoor or banking Trojan may have already captured them.
  • Reimage rather than clean when a backdoor or rootkit was involved. You cannot trust a host an attacker had interactive control of.

The defender's rule with Trojans: the file that got flagged is the question, not the answer. Trace what it did before you call it closed.

Frequently Asked Questions

Is a Trojan a virus?

No. A Trojan is malware, but it is not a virus. A virus self-replicates by attaching to host files and spreads when those files run. A Trojan does not replicate at all; it relies on a user being tricked into running it. The phrase "Trojan virus" is common but technically wrong. A Trojan is its own malware category, defined by disguise and user execution.

What does a Trojan actually do once it runs?

Whatever its payload is built to do, with the privileges of the user who ran it. That can include stealing files and credentials, logging keystrokes, capturing the screen, installing more malware, opening a remote access channel, or deploying ransomware. The Trojan label describes how it got in, not what it does afterward, which is why two Trojans can behave completely differently.

How do I know if I have a Trojan?

Signs include unexpected processes, new startup or scheduled-task entries you did not create, unfamiliar outbound network connections, disabled security tools, and performance drops. The most reliable detection is behavioral: a trusted-looking program spawning a child process, writing persistence, and beaconing out is the pattern endpoint detection tools flag. A clean signature scan does not rule a Trojan out.

What is the difference between a Trojan and a worm?

Propagation. A worm spreads itself across networks automatically with no user action. A Trojan does not spread on its own at all; it needs a person to run it, and it stays on the machine it was executed on unless its payload does the moving. A worm's containment is about stopping network spread; a Trojan's is about tracing what the user ran and what it deployed.

Can a Trojan steal passwords?

Yes. Many Trojans are built specifically to steal credentials. Banking Trojans capture financial logins, remote access Trojans log keystrokes and grab stored passwords, and SMS Trojans on mobile intercept one-time passcodes to defeat two-factor authentication. After a suspected Trojan infection, rotating affected credentials is a standard response step.

How do I remove a Trojan?

Isolate the host, identify the original file and everything it dropped, remove persistence entries, and reset any credentials that touched the machine. When a backdoor, RAT, or rootkit was involved, reimage the system rather than attempting a clean, because you cannot fully trust a host an attacker had remote control over.

The bottom line

A Trojan is malware that gets in by looking like something you want, then runs because you ran it. It does not self-replicate like a virus and does not spread on its own like a worm. Its only constant is the disguise; the payload behind it can be a backdoor, a banking-credential thief, a ransomware dropper, or a botnet agent.

For a defender, that shifts the focus. The lure is the easy part to spot after the fact. The work is reconstructing what executed, what it dropped, where it reached out, and what it left behind to survive a reboot. Catch the deception early through user awareness and behavioral detection, and when one slips through, treat the flagged file as stage one of an intrusion, not the whole of it.
