
The 12 Types of Malware Every User Should Know (2026 Guide)

Viruses, worms, trojans, ransomware, spyware, rootkits and more — a 2026 guide to the 12 malware categories, grouped by behavior, with real examples and defense tips.

Last updated · April 25, 2026 · By Sarah Lin (Threat Intelligence Analyst)

Malware — short for malicious software — is the umbrella term for any code written to harm, exploit, or covertly use a computing device. The word covers everything from a simple browser hijacker to a nation-state surveillance toolchain. According to AV-TEST's malware statistics dashboard updated in March 2026, more than 1.4 billion malware samples have been recorded in the lab's reference set since 1984, and roughly 450,000 new samples are seen daily across Windows, macOS, and Android. Understanding the major categories is the foundation of every modern security strategy because detection, removal, and prevention each depend on the malware's behavior, not its name.

Last updated: April 25, 2026 — Reviewed by Sarah Lin (GCTI)

Quick Answer / TL;DR

  • Malware = umbrella term; "virus" is one specific subtype.
  • The 12 categories split cleanly into four behavioral families:
    • Self-replicating: viruses, worms
    • Stealthy / backdoor: trojans, rootkits, bootkits, fileless malware
    • Profit-driven: ransomware, info-stealers, banking trojans, cryptojackers, adware
    • Disruptive / surveillance: spyware/keyloggers, wipers, RATs, botnets, scareware
  • Antivirus products top-rated by independent labs detected over 99 percent of zero-day samples in AV-TEST's December 2025 Home Windows test.
  • Defense is always layered: patching, software hygiene, top-tier antivirus, MFA, and offline backups.

How Malware Is Classified

There is no single official taxonomy. Vendors, researchers, and standards bodies group malware differently, but most categorize by primary behavior:

Behavioral Family | What Defines It | Examples
Self-replicating | Spreads itself without user help | Viruses, worms
Stealthy / backdoor | Hides and grants persistent access | Trojans, rootkits, fileless
Profit-driven | Direct monetization of the victim | Ransomware, info-stealers, cryptojackers
Disruptive / surveillance | Damage, chaos, or covert observation | Wipers, spyware, RATs, botnets

The four-family model is what we use throughout this guide. Many real-world malware families fit more than one box — Emotet was a banking trojan, then a loader; LockBit is ransomware delivered through trojan loaders — but the taxonomy below maps cleanly to how independent labs structure their tests.

Family 1: Self-Replicating Malware

1. Computer Viruses

A computer virus is malicious code that inserts copies of itself into other files and runs whenever those host files are executed. Viruses dominated the 1980s and 1990s through floppy disks and email attachments. They are uncommon as a sole malware type in 2026, but the term lives on as consumer shorthand. The technical definition is narrow: self-replicating + host-attached. Modern examples are mostly macro-based. Historical examples: Melissa (1999), ILOVEYOU (2000), Storm (2007).

2. Worms

A worm spreads by itself across networks by exploiting vulnerabilities in operating systems or services — no user action required. WannaCry (May 2017) used the EternalBlue SMB exploit and infected 200,000+ systems across 150+ countries within days. NotPetya (June 2017) caused damage estimated by the U.S. government at more than USD 10 billion globally. The lesson: any unpatched, internet-exposed service is a worm vector.

Family 2: Stealthy & Backdoor Malware

3. Trojans

A trojan is malware disguised as a legitimate file or app. It does not self-replicate; it relies on the user to install it. Trojans are the largest single category in current AV-TEST statistics. They exist mainly as a delivery vehicle: a banking trojan, an info-stealer, a ransomware loader. We have a full breakdown in our trojan virus explainer, including the eight major sub-types.

4. Rootkits

A rootkit hooks deep into the operating system — often at the kernel level — to hide files, processes, and network connections from security software. A kernel-mode rootkit can survive a normal scan because it lies to the scanner about what is on disk. Modern OS protections such as Microsoft Secure Boot and Apple's Signed System Volume make kernel rootkits harder to install on up-to-date systems.

5. Bootkits

A bootkit is a rootkit that infects the boot process — MBR, UEFI firmware, or the bootloader — so the malicious code loads before the OS. The 2022 BlackLotus UEFI bootkit, documented by ESET, was the first publicly known UEFI bootkit in the wild that could bypass Secure Boot on fully patched Windows 11. Removal often requires firmware reflashing.

6. Fileless Malware

Fileless malware runs entirely in memory by abusing legitimate system tools — PowerShell, WMI, .NET, mshta.exe — leaving little or no payload on disk. Microsoft's Digital Defense Report 2024 notes fileless techniques in a substantial share of incident-response engagements, often combined with stolen credentials.

Family 3: Profit-Driven Malware

7. Ransomware

Ransomware encrypts files and demands payment for the decryption key. Modern ransomware is overwhelmingly double-extortion: data is exfiltrated before encryption, so even victims with good backups face a leak threat. IBM's Cost of a Data Breach Report 2024 put the average ransomware breach cost at roughly USD 4.9 million. CISA's Stop Ransomware is the most actively maintained U.S. government guidance. Notable families: WannaCry (2017), Ryuk (2018), REvil (disrupted 2021), Conti (collapsed 2022), LockBit (disrupted by Operation Cronos in February 2024).

8. Info-Stealers

Info-stealers harvest browser passwords, session cookies, autofill data, and cryptocurrency wallets, then ship the haul as a compressed log. RedLine, Vidar, Raccoon, and Lumma dominate in 2025–2026. Info-stealer logs are the most common precursor to corporate intrusions, including the 2024 Snowflake-customer breach wave (Ticketmaster, Santander, AT&T) per Mandiant's June 2024 advisory.

9. Banking Trojans

Banking trojans focus on financial credentials, often by injecting fake fields into legitimate banking websites or capturing one-time codes from SMS. Zeus (2007), TrickBot (2016), and Emotet (2014) are the canonical examples. The category overlaps with info-stealers but is distinguished by the depth of in-page injection and bank-specific configurations.

10. Cryptojackers

A cryptojacker uses the victim's CPU or GPU to mine cryptocurrency for the attacker. The category surged in 2017–2018, declined as Monero made browser-mining unprofitable, then resurfaced as server-side cryptojacking against cloud infrastructure. Consumer impact is mostly degraded performance and elevated power bills.

11. Adware

Adware displays unwanted advertisements by injecting them into web pages, redirecting search results, or popping overlays. Modern adware overlaps with spyware when the same code also tracks behavior. Most major AV vendors now block aggressive adware by default.

Family 4: Disruptive & Surveillance Malware

12. Spyware (and Keyloggers, RATs, Stalkerware)

Spyware observes the user — keystrokes, microphone, camera, GPS, files — and ships the data to a third party. Sub-types include keyloggers, stalkerware, infostealers (which we have separated above for the profit angle), and commercial mercenary spyware such as Pegasus. Our spyware guide covers detection and removal in detail.

Bonus: Other Categories You'll See Named

While the 12 above are the most useful for consumer defense, several other named categories appear in industry reporting:

  • Wipers — destroy data instead of encrypting it. NotPetya (2017) and several Russia-linked operations against Ukrainian targets from 2022 onward fit this pattern.
  • RATs (Remote Access Trojans) — give attackers full control. Covered as a sub-category of trojans in our trojan virus guide.
  • Botnets — networks of compromised hosts (bots) used for DDoS, spam, and credential stuffing. Mirai (2016) infected hundreds of thousands of IoT devices and produced what was, at the time, the largest DDoS in history.
  • Scareware — fake "your PC is infected" pop-ups that pressure users into installing or paying. Often a delivery vehicle for actual malware or for support-scam phone fraud.

Comparison Table: All 12 Types at a Glance

# | Type | Family | Self-Replicates? | Primary Goal | Famous Example
1 | Virus | Self-replicating | Yes (via host file) | Damage / spread | ILOVEYOU (2000)
2 | Worm | Self-replicating | Yes (via network) | Spread | WannaCry (2017)
3 | Trojan | Stealthy | No | Deliver other malware | Emotet (2014)
4 | Rootkit | Stealthy | No | Hide other malware | ZeroAccess
5 | Bootkit | Stealthy | No | Persist before OS | BlackLotus (2022)
6 | Fileless | Stealthy | No | Evade disk scans | Various PowerShell campaigns
7 | Ransomware | Profit-driven | No (usually) | Encrypt + extort | LockBit, Conti
8 | Info-Stealer | Profit-driven | No | Harvest credentials | RedLine, Lumma
9 | Banking Trojan | Profit-driven | No | Steal financials | Zeus, TrickBot
10 | Cryptojacker | Profit-driven | Sometimes | Mine cryptocurrency | XMRig variants
11 | Adware | Profit-driven | No | Force ads / track | HiddenAds (Android)
12 | Spyware | Surveillance | No | Surveil user | Pegasus, RedLine (overlap)

How Malware Is Detected

Independent labs measure antivirus performance along three core axes:

Axis | What It Measures
Protection | Detection rate against zero-day samples and known malware
Performance | Slowdown of common system tasks (file copy, browsing, install, launch)
Usability | False positives on clean software, websites, and downloads

The AV-TEST December 2025 Home Windows test reported that the top six consumer products — Avast, Avira, Bitdefender, Kaspersky, McAfee, and Norton — all scored 6.0/6.0 on Protection. The differences between top-rated antivirus solutions are usually clearer on Performance and Usability. For comparable AV-Comparatives results, look at the Real-World Protection Test and Malware Protection Test with Advanced+ certifications. SE Labs publishes Total Accuracy Ratings (AAA being the top tier) on a quarterly cadence.

How to Defend Against the Different Types

There is no single silver bullet for any malware family — defenses are always layered:

Defense Layer | Why It Matters | Effective Against
OS + browser auto-update | Closes the windows worms and exploit kits abuse | Worms, fileless, drive-by trojans
Default-deny Office macros | Removes the dominant phishing payload trigger | Trojans, ransomware loaders
Top-rated antivirus | Catches both known and zero-day across categories | All 12
Application allowlist (advanced) | Blocks unsigned or unknown executables | Trojans, ransomware
Multi-factor authentication | Renders stolen credentials less useful | Info-stealers, banking trojans
Password manager | Limits cross-site damage from one compromise | Info-stealers
Offline backups | Removes ransomware leverage | Ransomware, wipers
Mobile install discipline | Stops side-loaded payloads | Mobile trojans, stalkerware
Browser extension audit | Removes covert tracking and adware | Adware, spyware
Permission audit | Limits the data any one app can access | Spyware, mobile RATs

This list intentionally mixes free, built-in measures (auto-update, MFA, backups) with paid solutions (top-tier antivirus). The single most effective layer for the average user is consistent patching plus an AV-TEST top-rated antivirus that has earned recent independent certifications. Our best antivirus rankings compile recent lab results with no paid placements.

FAQs

What are the most common types of malware?

The most prevalent in 2026 are trojans, info-stealers, ransomware, and adware. AV-TEST classifies trojans as the largest single category, accounting for the majority of new Windows samples each month, while ransomware drives the largest financial impact per incident.

What is the difference between a virus and malware?

Malware is the umbrella term for all malicious software. A virus is one specific type of malware that self-replicates by attaching itself to other files. Worms, trojans, ransomware, spyware, rootkits, and adware are all malware but are not viruses in the technical sense, even though the word "virus" is often used loosely in consumer language.

What is the most dangerous type of malware?

Ransomware causes the largest financial impact per incident — IBM's Cost of a Data Breach 2024 report put the average ransomware breach cost at roughly USD 4.9 million. However, info-stealers and rootkits can be more dangerous to long-term security because they often go undetected for months and enable downstream attacks, including ransomware itself.

How are different types of malware delivered?

The most common delivery methods in 2026 are phishing emails with macro-laced documents, malicious links in messaging apps, drive-by downloads from compromised or malvertising-laced websites, cracked software and game cheats, and side-loaded mobile apps. Worms continue to spread by exploiting unpatched network services.

Can a single antivirus protect against all types of malware?

Yes, modern antivirus suites are designed to handle every category in this guide using a combination of signature, heuristic, behavioral, and cloud-reputation detection. Independent labs such as AV-TEST and AV-Comparatives test detection across all categories simultaneously, and the top-rated products score above 99 percent against zero-day samples.

What is fileless malware?

Fileless malware runs entirely in memory, often using legitimate system tools like PowerShell or Windows Management Instrumentation, leaving little or no payload on disk. It is harder for signature-only scanners to catch, which is why behavior-based detection has become a baseline expectation in any top-rated antivirus.
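
The contrast drawn here and in the Fileless Malware section above, between signature-only scanning and behavior-based detection, can be shown on process-creation events. This is an added example, not part of the original guide: the event fields, hashes, file names, and rule names are constructed for illustration.

```python
# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
# SIGNED stands for the hash of any legitimate, vendor-signed system binary.
SIGNED, BAD = "a" * 64, "f" * 64
EVENTS = [
    {"parent": "explorer.exe", "image": "winword.exe", "sha256": SIGNED,
     "cmd": "winword.exe invoice.docx"},
    {"parent": "winword.exe", "image": "powershell.exe", "sha256": SIGNED,
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <BASE64_PLACEHOLDER>"},
    {"parent": "explorer.exe", "image": "powershell.exe", "sha256": SIGNED,
     "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent": "outlook.exe", "image": "mshta.exe", "sha256": SIGNED,
     "cmd": "mshta.exe https://example.invalid/page.hta"},
    {"parent": "explorer.exe", "image": "setup_crack.exe", "sha256": BAD,
     "cmd": "setup_crack.exe"},
]
KNOWN_BAD_HASHES = {BAD}  # all a signature-only scanner has to go on
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM_TOOLS = {"powershell.exe", "mshta.exe", "wmic.exe"}

def has_flag(tokens, full, alias=None):
    """powershell.exe accepts abbreviated parameter names such as -e or -enc."""
    return any(t == alias or (len(t) > 1 and full.startswith(t)) for t in tokens)

def signature_hit(ev):
    """Signature view: flag only files whose hash is already known bad."""
    return ev["sha256"] in KNOWN_BAD_HASHES

def behavior_reasons(ev):
    """Behavioral view: judge what a legitimate tool was asked to do."""
    image, tokens = ev["image"].lower(), ev["cmd"].lower().split()
    reasons = []
    if ev["parent"].lower() in OFFICE_PARENTS and image in SYSTEM_TOOLS:
        reasons.append("office-app-spawned-system-tool")
    if image == "powershell.exe" and has_flag(tokens, "-encodedcommand", "-ec"):
        reasons.append("encoded-powershell-command")
    if image == "powershell.exe" and has_flag(tokens, "-windowstyle") and "hidden" in tokens:
        reasons.append("hidden-window")
    if image == "mshta.exe" and any(t.startswith(("http://", "https://")) for t in tokens):
        reasons.append("mshta-remote-content")
    return reasons

def triage(events):
    """Return (indexes flagged by hash, {index: reasons} flagged by behavior)."""
    sig = [i for i, ev in enumerate(events) if signature_hit(ev)]
    beh = {i: r for i, ev in enumerate(events) if (r := behavior_reasons(ev))}
    return sig, beh

if __name__ == "__main__":
    print(triage(EVENTS))
```

The hash check catches only the on-disk dropper (event 4); the two events that misuse signed system tools are caught by the behavioral rules alone, while the routine scheduled-script PowerShell run is left untouched.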

The Bottom Line

The honest takeaway from a 2026 malware tour is that the categories matter less than the delivery patterns. Phishing, cracked software, side-loaded apps, unpatched services, and weak credential reuse account for the overwhelming majority of consumer infections regardless of whether the final payload is a trojan, ransomware, an info-stealer, or a rootkit. Independent labs evaluate antivirus products against all 12 categories at once, and the top-rated solutions are effective across the board — the differentiator is rarely raw detection but rather performance impact, false-positive rate, and pricing transparency.

If you are evaluating antivirus right now, start with our best antivirus rankings, which consolidate AV-TEST, AV-Comparatives, and SE Labs data with no paid placements. If you want to keep building the foundation, our companion explainers on trojan viruses, spyware, and the warning signs of an infected computer cover the categories that drive the highest volume of real-world incidents.
