
Malware

Malware, short for 'malicious software,' is a general term encompassing various types of harmful software whose purpose is to damage, disrupt operation, or gain unauthorized access to computer systems, networks, or devices.

What is Malware?

Malware Definition

Malware is any software designed to cause harm or gain unauthorized access to a computer system. It encompasses a wide range of malicious programs, from viruses and trojans to ransomware and spyware.

Types of Malware

The main types of malware are:

  • Viruses: Infect files and spread to other computers.
  • Worms: Self-propagate through networks without user action.
  • Trojans: Pose as legitimate software to get executed.
  • Ransomware: Encrypts data and demands a ransom to unlock it.
  • Spyware: Secretly collects information about the user.
  • Adware: Displays unwanted advertisements.
  • Keyloggers: Record keystrokes.

How Does Malware Work?

Malware can infect systems in various ways:

  • Through email attachments or links
  • Via infected websites
  • By exploiting security vulnerabilities
  • Through infected USB devices
  • Via fake software updates

After infection, malware can perform various harmful actions, such as data theft, file damage, or system takeover.

Threats Associated with Malware

Main threats include:

  • Theft of confidential personal and financial data
  • Loss or damage to important files and data
  • Disruption of system and network operation
  • Financial losses (e.g., in case of ransomware)
  • User privacy violations

Examples of Famous Malware Attacks

  • WannaCry (2017): Global ransomware attack.
  • Stuxnet (2010): Sophisticated worm that targeted industrial control systems.
  • Zeus (2007): Banking trojan that stole financial data.

How to Detect Malware?

Malware detection methods include:

  • Using up-to-date antivirus software
  • Regular system scanning
  • Monitoring unusual network activity
  • Analyzing suspicious files and processes

Methods of Protection Against Malware

Effective protection requires a multi-layered approach:

  • Updating operating systems and software
  • Using strong passwords and two-factor authentication
  • Regularly creating data backups
  • Caution when opening attachments and clicking on links
  • Using a firewall

Best Practices for Protection Against Malware

  • User education in cybersecurity
  • Implementing security policies in organizations
  • Regular system security audits
  • Using advanced endpoint protection tools
  • Network segmentation to limit malware spread

Malware vs. Other Cyber Threats

Malware is one of many cyber threats, alongside:

  • Phishing: Attempts to extract data through impersonation.
  • DDoS Attacks: Overloading systems with large amounts of traffic.
  • Exploits: Exploiting security vulnerabilities.
  • Social Engineering Attacks: Manipulating people to gain access.

Understanding the nature of malware and applying comprehensive protection measures is key to ensuring IT system security in today’s digital world.

Frequently asked questions

What is malware in simple terms?

Malware (short for 'malicious software') is any software designed to damage, disrupt, steal from, or gain unauthorised access to computer systems, networks, or data. Malware comes in many forms — viruses, ransomware, trojans, spyware, worms, rootkits, fileless malware, and increasingly AI-assisted variants. Modern malware is no longer the realm of teenage hackers; it is industrialised, sold as a service (Malware-as-a-Service), and operated by organised criminal groups, nation-states, and hacktivists. Verizon DBIR 2025 reports malware is involved in approximately 50% of breaches, with ransomware as the dominant business-impact category.

What are the main types of malware?

Ten major categories: (1) **Virus** — self-replicating code attached to host files, requires user action to spread, (2) **Worm** — self-propagating across networks without user action (WannaCry, Conficker), (3) **Trojan** — disguised as legitimate software, opens backdoor or steals data once executed, (4) **Ransomware** — encrypts data and demands ransom (LockBit, Cl0p, Akira), (5) **Spyware** — covert data collection (keyloggers, screen recorders, browser hijackers), (6) **Adware** — unwanted ads, often bundled with free software, (7) **Rootkit** — hides at OS level, very hard to detect (kernel rootkits, UEFI rootkits), (8) **Bot/botnet client** — turns infected machine into part of distributed attack network (Emotet, TrickBot, IcedID), (9) **Fileless malware** — operates only in memory using legitimate tools (PowerShell, WMI), evades file-scanning AV, (10) **Wiper** — destructive, no recovery option (NotPetya, HermeticWiper).

How does malware infect a computer?

Six main vectors: (1) **Phishing email** — malicious attachment (Office macros, ISO/LNK files, ZIP) or link to drive-by download — still the leading vector in 2026, (2) **Drive-by downloads** — compromised websites exploiting browser vulnerabilities, (3) **Malicious advertising (malvertising)** — ads on legitimate sites redirecting to exploit kits, (4) **Software supply chain compromise** — Trojanised installers, poisoned updates (SolarWinds, 3CX, MOVEit), (5) **Removable media** — USB drives, external HDDs, especially in OT/industrial environments, (6) **Vulnerable internet-facing services** — exposed RDP, unpatched VPN gateways (Fortinet, Ivanti), web application vulnerabilities. AI-assisted social engineering has substantially raised the success rate of phishing-based delivery in 2024-2026.

What are famous malware examples?

Five high-impact incidents: (1) **Stuxnet (2010)** — first known nation-state cyberweapon, sabotaged Iranian uranium centrifuges, (2) **WannaCry (2017)** — ransomware worm exploiting EternalBlue, hit UK NHS, $4B+ damages, (3) **NotPetya (2017)** — destructive wiper masquerading as ransomware, $10B damages, the most expensive cyberattack in history, (4) **SolarWinds Sunburst (2020)** — supply chain attack via Trojanised updates, compromised US government and Fortune 500, (5) **MOVEit / Cl0p mass exploitation (2023)** — 2700+ organisations compromised through one vulnerability in MOVEit Transfer. Lesson: even well-resourced organisations fall to malware; layered defence + tested recovery is the only reliable strategy.

How is malware detected?

Five complementary detection techniques: (1) **Signature detection** — matches known malicious file hashes or code patterns (effective against widespread malware, bypassed by polymorphism and zero-days), (2) **Heuristic analysis** — looks for suspicious code structures or API calls, (3) **Behavioural analysis** — monitors what processes do at runtime (the primary technique of modern EDR/XDR), (4) **Sandbox detonation** — runs suspicious files in an isolated environment to observe their behaviour (Defender for O365, Proofpoint, Mandiant), (5) **Machine learning models** — trained on millions of samples to spot novel malware. Combination is key: no single technique catches everything. Modern endpoint protection products combine all five.

How to protect against malware?

Layered defence — eight controls: (1) **EDR/XDR** with behaviour-based detection (CrowdStrike, SentinelOne, Defender, Sophos), (2) **Aggressive patching** — most malware exploits known CVEs, especially in browsers, Office, and edge devices, (3) **Email security** with sandbox detonation and impersonation detection, (4) **Application allow-listing** — Windows Defender Application Control, AppLocker, (5) **Restrict macros** — block Office macros from internet by default, (6) **MFA on every account** — limits damage from credential theft, (7) **Network segmentation** — slows lateral movement and limits blast radius, (8) **User awareness** with phishing simulations. Plus: immutable backups, 24/7 SOC monitoring, and tested incident response plan.

What is fileless malware and why is it hard to detect?

Fileless malware is malicious activity that runs entirely in memory using legitimate system tools — typically PowerShell, WMI, .NET assemblies, or Office macros — without writing executable files to disk. Common techniques: in-memory PowerShell payloads, reflective DLL injection, process hollowing, COM hijacking. Why it evades traditional defences: (1) signature-based AV looks for malicious *files* and finds none, (2) the activity uses tools already trusted by the OS, (3) memory-resident code disappears on reboot, leaving no forensic artefacts. Detection requires: behavioural EDR/XDR (process tree analysis, command-line monitoring), PowerShell and Sysmon logging, anomaly detection, and threat hunting. The 2025 CrowdStrike Threat Report attributed 75% of intrusions to fileless or LotL (Living-off-the-Land) techniques.
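The contrast between signature detection and behavioural detection described in the two answers above, as an added example that is not part of this page or of any vendor product. It assumes constructed Sysmon-style process-creation events and a constructed hash denylist; the hash check only catches the dropped installer, while the parent/child lineage and command-line check catches the in-memory PowerShell stage that writes no file to disk.

```python
# Constructed Sysmon-style process-creation events (Event ID 1 fields); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "sha256": "aa" * 32},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" invoice.docm', "sha256": "bb" * 32},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64-payload-placeholder>", "sha256": "cc" * 32},
    {"pid": 400, "ppid": 100, "image": r"C:\Users\alice\Downloads\setup.exe",
     "cmdline": "setup.exe /silent", "sha256": "dd" * 32},
]

# Constructed denylist standing in for a signature/hash feed; only setup.exe is listed.
# powershell.exe is a legitimate signed binary, so its hash will never appear here.
KNOWN_BAD_SHA256 = {"dd" * 32}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Flags that hide the window, skip profiles or pass a base64 payload: typical of in-memory loaders.
SUSPICIOUS_FLAGS = {"-nop", "-noprofile", "-w", "-windowstyle", "hidden", "-enc", "-encodedcommand"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def signature_hits(events, denylist):
    """Signature detection: flag processes whose image hash is on the denylist."""
    return [e["pid"] for e in events if e["sha256"] in denylist]


def behavioural_hits(events):
    """Behavioural detection: parent/child lineage plus command-line features, no hashes."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in OFFICE_APPS:
            findings.append((e["pid"], "office-app spawned script host"))
        flags = set(e["cmdline"].lower().split()) & SUSPICIOUS_FLAGS
        if flags:
            findings.append((e["pid"], "suspicious script-host flags: " + " ".join(sorted(flags))))
    return findings


if __name__ == "__main__":
    print("signature hits:", signature_hits(EVENTS, KNOWN_BAD_SHA256))
    for pid, reason in behavioural_hits(EVENTS):
        print(f"behavioural hit pid={pid}: {reason}")
```

Feeding real Sysmon or EDR process events into the same two functions shows why the answer above pairs command-line logging with process-tree analysis: the fileless stage is visible only through lineage and arguments.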
