In July 2021, the REvil ransomware gang exploited a vulnerability in Kaseya's VSA software and dropped a trojan payload onto the systems of roughly 1,500 businesses worldwide. The attack didn't arrive as an obvious virus. It masqueraded as a legitimate software update — the textbook definition of trojan horse malware. If your organization runs any networked software (and it does), this is the threat you need to understand right now.

This post breaks down how trojan horse malware actually works, what real-world incidents look like, and the specific steps your team can take to avoid becoming the next headline. No theory. Just what I've seen in the field and what the data tells us.

How Trojan Horse Malware Actually Works

A trojan doesn't replicate itself like a worm. It doesn't attach to files like a traditional virus. Instead, it tricks you into installing it. The name comes from the ancient Greek story, and the metaphor is perfect: something that looks harmless on the outside but carries a destructive payload inside.

Here's what actually happens in most trojan infections I've investigated. A user receives an email with an attachment — maybe a PDF invoice, maybe a Word doc with macros. The file looks legitimate. They open it, a script executes silently, and the trojan installs itself. From that moment, the threat actor has a foothold.

Trojans come in several flavors, each designed for a different objective:

  • Remote Access Trojans (RATs): Give attackers full control of the infected machine. They can watch your screen, log keystrokes, and exfiltrate files.
  • Banking Trojans: Specifically designed for credential theft from financial applications. Emotet started as one before evolving into a full malware delivery platform.
  • Downloader Trojans: Their only job is to download and install additional malware — often ransomware.
  • Spy Trojans: Harvest data silently. Screenshots, clipboard contents, browser passwords — everything goes back to a command-and-control server.

The common thread? Social engineering. Every trojan horse malware attack starts with deception. The malware doesn't break in. Your users let it in.

The $4.24M Reality Check

IBM's 2021 Cost of a Data Breach Report pegged the average breach cost at $4.24 million — the highest in the report's 17-year history. Malware, including trojans, was a primary attack vector in a significant share of those breaches.

The 2021 Verizon Data Breach Investigations Report (DBIR) found that 85% of breaches involved a human element. Trojans exploit exactly that element. They don't need a zero-day exploit or a sophisticated vulnerability chain. They need one employee to click one file.

I've seen organizations with six-figure security budgets get compromised by a trojan hidden in a fake shipping notification. The technology was there. The awareness wasn't.

What Is Trojan Horse Malware? A Quick-Reference Answer

Trojan horse malware is malicious software disguised as legitimate software or files. Unlike viruses and worms, trojans do not self-replicate. They rely on social engineering to trick users into downloading and executing them. Once active, they can steal credentials, install ransomware, create backdoors for remote access, or exfiltrate sensitive data. Trojans are one of the most common malware types found in data breaches.

Real Incidents That Show the Damage

Emotet: The Trojan That Became an Empire

Emotet started in 2014 as a banking trojan. By 2020, it had evolved into what Europol called "the world's most dangerous malware." It spread primarily through phishing emails with malicious Word documents. Once inside a network, it delivered secondary payloads — TrickBot, Ryuk ransomware, and others.

In January 2021, a coordinated international law enforcement operation finally disrupted Emotet's infrastructure. But the damage was already done. CISA's advisory on Emotet described it as one of the most costly and destructive malware strains affecting state, local, and tribal governments, with individual incidents costing up to $1 million to remediate.

TrickBot: Emotet's Favorite Payload

TrickBot is another trojan horse malware strain that deserves your attention. Originally a banking trojan, it pivoted to become a delivery mechanism for ransomware gangs. It harvested credentials, moved laterally through networks, and opened the door for Ryuk and Conti ransomware deployments.

In October 2020, Microsoft led a legal and technical operation to disrupt TrickBot's infrastructure. The botnet adapted and rebuilt. As of mid-2021, TrickBot remains active, and the FBI's Internet Crime Complaint Center (IC3) continues to receive reports tied to its activity.

SolarWinds: A Trojan at the Supply Chain Level

The SolarWinds attack, disclosed in December 2020, was a masterclass in trojan methodology at scale. Threat actors compromised the build process for SolarWinds' Orion software and injected a trojanized update — SUNBURST. Roughly 18,000 organizations downloaded the malicious update. The attackers then selectively targeted about 100 organizations for deeper infiltration, including U.S. government agencies.

This wasn't a phishing email. This was a trusted software vendor pushing a trojanized update through its official channels. It redefined what supply chain risk looks like.

How Trojans Get Past Your Defenses

If you're running antivirus and thinking you're covered, I need to be direct: traditional signature-based antivirus catches known trojans. It misses new variants, polymorphic trojans, and fileless attacks. Here's how trojans routinely bypass defenses:

  • Phishing emails with weaponized attachments: Still the number one delivery method. Macro-enabled documents, HTML smuggling, and password-protected ZIP files all evade basic email filters.
  • Malicious downloads from compromised websites: Drive-by downloads don't even require a click in some cases.
  • Trojanized software updates: SolarWinds proved this works at the highest level. Smaller-scale supply chain compromises happen constantly.
  • Social media and messaging platforms: Attackers send links through LinkedIn messages, Discord servers, and even SMS (smishing) to deliver trojan payloads.
  • USB drives: Old school, but I still see it in penetration testing engagements. Drop a few branded USB drives in a parking lot and someone will plug one in.

7 Practical Steps to Defend Against Trojan Horse Malware

1. Train Your People — Seriously

Security awareness isn't a checkbox exercise. Your employees are the primary target for trojan delivery. They need to recognize phishing emails, suspicious attachments, and social engineering tactics. Running regular phishing simulations shows you exactly where your human vulnerabilities are.

If you haven't started, our cybersecurity awareness training course covers the fundamentals your team needs. For organizations ready to go deeper, our phishing awareness training program delivers hands-on simulation exercises that build real muscle memory.

2. Deploy Endpoint Detection and Response (EDR)

Traditional antivirus isn't enough. EDR solutions monitor endpoint behavior in real time. They detect suspicious process execution, lateral movement, and command-and-control communications — the telltale signs of an active trojan. If your organization is still relying solely on signature-based detection, you're operating with a significant blind spot.
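The "suspicious process execution" an EDR looks for is often as simple as an Office application launching a shell or script host, which is exactly what a macro-delivered trojan does in the infection chain described earlier. The following is an added example written for this post, not code from the original article or from any EDR vendor: it runs a process-lineage rule over a few constructed process-creation events (the field names, host names, and command lines are assumptions made up for the example) and scores each hit.

```python
"""Flag process-creation events where an Office application spawns a shell or
script interpreter, a common sign of a macro-delivered trojan.

The events below are constructed samples that mimic endpoint process-creation
telemetry (parent image, child image, command line); they are not real logs.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Office applications that should almost never launch shells or script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Child binaries that indicate a macro or exploit handed control to a script.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Command-line features that raise the severity of a hit: encoded commands,
# hidden windows, or download helpers.
ENCODED_OR_HIDDEN = re.compile(
    r"(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|downloadstring|urlcache|/download)",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> Tuple[int, str]:
    """Return (severity, reason). Severity 0 means nothing notable."""
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return 0, ""
    reason = f"{parent} spawned {child}"
    if ENCODED_OR_HIDDEN.search(ev.command_line):
        return 3, reason + " with encoded/hidden/download arguments"
    return 2, reason


def find_suspicious(events: List[ProcessEvent]) -> List[Tuple[str, str, int, str]]:
    """Return (host, user, severity, reason) for every event scoring above 0."""
    alerts = []
    for ev in events:
        sev, reason = score_event(ev)
        if sev:
            alerts.append((ev.host, ev.user, sev, reason))
    return alerts


OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"

# Constructed sample telemetry (hypothetical hosts and users):
# 1) Explorer opening Word, which is normal.
# 2) Word spawning cmd.exe, which is suspicious.
# 3) Excel spawning a hidden, encoded PowerShell (placeholder argument), high severity.
SAMPLE_EVENTS = [
    ProcessEvent("WS-014", "jdoe", r"C:\Windows\explorer.exe",
                 OFFICE_DIR + r"\WINWORD.EXE",
                 '"WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\invoice.docm"'),
    ProcessEvent("WS-014", "jdoe", OFFICE_DIR + r"\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo test"),
    ProcessEvent("WS-022", "asmith", OFFICE_DIR + r"\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc PLACEHOLDER_BASE64"),
]

if __name__ == "__main__":
    for host, user, sev, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"[sev {sev}] {host} {user}: {reason}")
```

The parent/child sets are deliberately small; in a real deployment this rule belongs in the EDR or SIEM alongside the macro policy from step 7, because a blocked macro never gets the chance to produce the second event above.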

3. Implement Multi-Factor Authentication Everywhere

Even if a trojan captures credentials through keylogging, multi-factor authentication (MFA) adds a barrier the attacker has to overcome. It's not bulletproof — SIM swapping and MFA fatigue attacks exist — but it stops the majority of credential theft from becoming full account compromise.

4. Apply the Principle of Least Privilege

When a trojan compromises a user account, the damage it can do depends entirely on that account's permissions. A standard user account with no admin rights limits lateral movement. A zero trust architecture that verifies every access request — regardless of whether it originates inside the network — adds another critical layer.

5. Segment Your Network

Flat networks are a trojan's playground. Once inside, the malware can reach everything. Network segmentation limits blast radius. If your accounting department's systems are isolated from your engineering environment, a trojan that compromises one segment can't easily reach the other.

6. Patch Relentlessly

Trojans often exploit known vulnerabilities to escalate privileges or move laterally after initial infection. The Kaseya attack exploited a known vulnerability. Patch management isn't glamorous, but it eliminates the low-hanging fruit that threat actors depend on.

7. Disable Macros by Default

Microsoft Office macros remain one of the most common trojan delivery mechanisms. Group Policy lets you disable macros organization-wide and whitelist only the specific documents that require them. This single configuration change eliminates a huge attack surface.

Why Trojans Keep Working in 2021

I get asked this constantly: with all the security tools available, why do trojans still work? The answer is uncomfortable but simple. Trojans don't exploit software. They exploit trust.

A well-crafted phishing email with a trojanized attachment bypasses technical controls because a human makes the decision to open it. The threat actor doesn't need to beat your firewall. They need to beat your marketing coordinator's judgment at 4:47 PM on a Friday when they're rushing to finish a project.

That's why security awareness isn't optional. It's your most cost-effective defensive layer. Every dollar you spend on training your people to recognize social engineering pays for itself the first time someone hovers over a malicious link and decides not to click.

Detection: What a Trojan Infection Looks Like

If you suspect a trojan infection, look for these indicators:

  • Unusual outbound network traffic: Trojans communicate with command-and-control servers. Unexpected connections to unfamiliar IP addresses — especially at odd hours — are a red flag.
  • Slow system performance: A RAT or cryptominer trojan consumes resources. If a machine suddenly slows down without explanation, investigate.
  • Unexpected software or processes: Check Task Manager or Activity Monitor for processes you don't recognize. Trojans often disguise themselves with legitimate-sounding names.
  • Disabled security tools: Some trojans specifically target and disable antivirus or firewall software as their first action.
  • Unusual account activity: Failed login attempts, password changes you didn't initiate, or access to files outside normal patterns — all potential trojan activity.

If you find evidence of a trojan, isolate the affected system immediately. Disconnect it from the network. Don't power it off — that can destroy forensic evidence in memory. Then call your incident response team.
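The first indicator above, unexpected outbound connections at odd hours, is the one that is easiest to check from logs you already have. Here is an added example, not part of the original article and not tied to any particular firewall or proxy product, that scans constructed connection records for hosts repeatedly contacting destinations outside an allowlist, either mostly outside business hours or at near-constant intervals. The interval check goes slightly beyond the article's wording: command-and-control beacons tend to call home on a fixed schedule, and that regularity is itself a signal. The log format, host names, business-hours window, and allowlisted range are all assumptions made up for the example.

```python
"""Scan outbound-connection records for command-and-control-like behaviour:
repeated connections to non-allowlisted destinations that happen mostly
outside business hours or at near-constant (beacon-like) intervals.

The log lines below are constructed samples in a simple CSV-like format
(timestamp,src_host,dst_ip,dst_port,bytes); real firewall or proxy logs
would need their own parser.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# RFC 1918 ranges: internal traffic is out of scope for this check.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# External destinations the organisation expects to talk to (assumed range).
ALLOWED_NETS = [ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time (assumption)


def parse_line(line: str):
    ts, host, dst, port, nbytes = line.strip().split(",")
    return datetime.fromisoformat(ts), host, dst, int(port), int(nbytes)


def is_allowed(dst: str) -> bool:
    """True for internal addresses and allowlisted external ranges."""
    addr = ip_address(dst)
    return any(addr in net for net in INTERNAL_NETS + ALLOWED_NETS)


def analyse(lines, min_connections=4, max_jitter_ratio=0.15):
    """Return one finding per (host, destination) pair that looks like C2 traffic."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, host, dst, port, _ = parse_line(line)
        if not is_allowed(dst):
            by_pair[(host, dst, port)].append(ts)

    findings = []
    for (host, dst, port), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0   # relative spread of intervals
        off_hours = sum(1 for t in stamps if t.hour not in BUSINESS_HOURS)
        reasons = []
        if jitter <= max_jitter_ratio:
            reasons.append(f"beacon-like interval ~{avg:.0f}s (jitter {jitter:.2f})")
        if off_hours / len(stamps) >= 0.5:
            reasons.append(f"{off_hours}/{len(stamps)} connections outside business hours")
        if reasons:
            findings.append({"host": host, "dst": f"{dst}:{port}", "reasons": reasons})
    return findings


# Constructed sample log (TEST-NET addresses, hypothetical hosts):
# WS-014 calls 198.51.100.7 every five minutes at 2 a.m.;
# WS-022 talks to the allowlisted range during the day;
# WS-031 makes a few irregular daytime connections to an external host.
SAMPLE_LOG = """\
2021-07-02T02:00:00,WS-014,198.51.100.7,443,512
2021-07-02T02:05:01,WS-014,198.51.100.7,443,498
2021-07-02T02:10:00,WS-014,198.51.100.7,443,520
2021-07-02T02:14:59,WS-014,198.51.100.7,443,505
2021-07-02T02:20:00,WS-014,198.51.100.7,443,511
2021-07-02T09:12:33,WS-022,203.0.113.20,443,88120
2021-07-02T11:47:05,WS-022,203.0.113.20,443,1200
2021-07-02T13:02:10,WS-022,203.0.113.20,443,45000
2021-07-02T14:55:41,WS-022,203.0.113.20,443,3200
2021-07-02T10:00:00,WS-031,192.0.2.9,8080,900
2021-07-02T10:37:00,WS-031,192.0.2.9,8080,1100
2021-07-02T12:03:00,WS-031,192.0.2.9,8080,700
2021-07-02T15:41:00,WS-031,192.0.2.9,8080,950
""".splitlines()

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['host']} -> {f['dst']}: " + "; ".join(f["reasons"]))
```

Only WS-014 is reported: its five connections are spaced almost exactly 300 seconds apart and all fall at 2 a.m. WS-031 also reaches an unknown host, but its irregular daytime pattern looks like a person browsing, which is why the thresholds matter more than the allowlist. Tune `min_connections`, the jitter ceiling, and the hours to your environment, and treat a hit as a reason to pull the host's process telemetry, not as proof of infection on its own.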

The Bottom Line for Your Organization

Trojan horse malware isn't going away. It's getting more sophisticated, more targeted, and more damaging. The Kaseya attack, the SolarWinds breach, Emotet's years-long reign — these aren't anomalies. They're the standard playbook for modern threat actors.

Your defense starts with people. Technical controls matter, but they're your second line. Your first line is every employee who opens an email, downloads a file, or clicks a link. Invest in their ability to recognize deception.

Start building that human firewall today. Enroll your team in practical cybersecurity awareness training and run realistic phishing simulations that test your organization's readiness against exactly the kind of social engineering that delivers trojans. Because the next trojanized email is already in someone's inbox. The only question is whether they'll recognize it.