What Is a Trojan Virus? Types, Examples & Removal Guide (2026)
A trojan virus disguises itself as legitimate software to steal data, hijack systems, or open backdoors. Learn the 8 main types, real-world examples, and how to remove them.
A trojan virus is malicious software that disguises itself as a legitimate file, app, or update so a user will install it voluntarily. Once running, it performs hidden actions — stealing passwords, logging keystrokes, opening backdoors, or downloading more malware. According to the AV-TEST Malware Statistics dashboard updated in March 2026, trojans accounted for roughly 58 percent of all newly observed Windows malware samples in 2025, the highest share of any single category. The term comes from Homer's Trojan Horse: the gift looks harmless until it is already inside.
Last updated: April 25, 2026 — Reviewed by Sarah Lin (GCTI)
Quick Answer / TL;DR
- A trojan does not self-replicate. It relies on social engineering to be installed.
- It is a type of malware, not technically a virus, though the two terms are widely used interchangeably.
- The 8 main families are backdoor, banking, downloader, dropper, RAT, info-stealer, rootkit, and ransomware trojans.
- Top infection vectors in 2026 are phishing attachments, cracked software, and malvertising.
- Removal is usually possible with an AV-TEST top-rated antivirus running in safe mode, plus a credential reset from a clean device.
Trojan Virus vs. Other Malware: What Makes It Different
The defining trait of a trojan is deception, not propagation. A virus inserts copies of itself into other files. A worm propagates across networks by exploiting vulnerabilities. A trojan does neither on its own. It sits inside a host file — an installer, a Word document with macros, a game patch — and waits for a human to execute it.
Once executed, the trojan often acts as a launcher. It may download a second-stage payload from a C2 server, drop a rootkit, or sit dormant for weeks. A single trojan can lead to multiple downstream issues: a banking trojan may install a keylogger, which exfiltrates credentials to an attacker who later deploys ransomware on the same machine.
The U.S. CISA treats trojans as a priority category in its Stop Ransomware guidance because ransomware is so frequently delivered through trojan loaders such as Emotet and IcedID.
The 8 Main Types of Trojan Malware
Different trojans have different goals. The table below summarizes the eight families that account for the vast majority of detections in independent lab feeds.
| Trojan Type | Primary Goal | Common Examples | Typical Infection Vector |
|---|---|---|---|
| Backdoor Trojan | Open remote access for the attacker | Back Orifice, PoisonIvy | Cracked software, phishing |
| Banking Trojan | Steal online banking credentials | Zeus, TrickBot, Emotet (loader) | Macro-laced Office documents |
| Downloader Trojan | Pull additional malware from a C2 server | SmokeLoader | Drive-by downloads |
| Dropper Trojan | Decrypt and install a packed payload | Various | Pirated installers |
| Remote Access Trojan (RAT) | Full graphical control of the host | DarkComet, NjRAT | Game mods, Discord links |
| Info-Stealer Trojan | Harvest browser cookies, passwords, crypto wallets | RedLine, Vidar, Raccoon | Cracked software, fake AI tools |
| Rootkit Trojan | Hide other malware from the OS and AV | ZeroAccess | Bundled with droppers |
| Ransomware Trojan | Encrypt files and demand payment | LockBit (delivery stage) | Email attachments, RDP brute force |
Backdoor Trojans
A backdoor trojan creates a persistent, often encrypted channel that lets an attacker connect back to the compromised machine on demand. The attacker can browse files, run commands, install more software, or pivot into a corporate network. Initial access brokers favor backdoors because access can be sold to multiple buyers.
Banking Trojans
Banking trojans focus on financial credentials. Families like Zeus inject fake fields into legitimate banking websites, hijack transactions in flight, or capture one-time codes from SMS. The Verizon 2025 Data Breach Investigations Report noted that financially motivated incidents made up 95 percent of all breaches in its dataset.
Downloader and Dropper Trojans
A downloader fetches the real payload from the internet at runtime. A dropper carries the payload inside its own binary in encrypted form. Both exist to defeat static signature scanning: the file you double-click looks harmless until the second stage executes. Modern droppers often unpack only in memory.
Remote Access Trojans (RATs)
A RAT gives an attacker keyboard, mouse, webcam, and microphone control. Off-the-shelf RAT kits sell on underground forums for low double-digit dollar amounts. Many RAT operators are caught when they reuse the same C2 infrastructure across hundreds of victims.
Info-Stealer Trojans
Info-stealers are the fastest-growing trojan category in 2025–2026. They harvest browser-saved passwords, session cookies, autofill data, and cryptocurrency wallet files, then ship the haul as a compressed log. Info-stealer logs are now the most common precursor to corporate intrusions.
Rootkit Trojans
A rootkit trojan hooks deep into the operating system — often at the kernel or boot level — to hide files, registry keys, and processes. Rootkits are why a clean reinstall is sometimes the only safe remediation: a kernel-mode rootkit can lie to a scanner about what is on disk.
Ransomware Trojans
Strictly speaking, ransomware is its own malware category, but in real-world infection chains it almost always arrives as a trojan. The user opens what looks like an invoice, the dropper unpacks the encryptor, and within minutes files are unreadable.
Famous Real-World Trojan Examples
- Zeus (2007 onward). One of the most influential banking trojans. Source code leaked publicly in 2011 and spawned derivatives still circulating today.
- Emotet (2014–2021, resurgent). Banking trojan turned modular loader. Disrupted by an international operation in January 2021, observed returning later that year.
- TrickBot (2016 onward). Modular banking trojan used as a precursor to Conti ransomware. Core infrastructure disrupted by Microsoft and partners in October 2020.
- DarkComet RAT (2008 onward). Surveillance-grade RAT abused by both criminals and nation-state actors. Author halted development in 2012.
- RedLine Stealer (2020 onward). Malware-as-a-service. Linked to the 2024 Snowflake-customer breach wave (Ticketmaster, Santander, AT&T) per Mandiant's June 2024 advisory.
These examples are drawn from public reporting. The underlying technique — disguised social engineering — is what real protection must address.
How to Tell If You Have a Trojan: Common Symptoms
Most modern trojans are quiet, but watch for:
- Unexpected outbound network traffic when the system is idle
- New scheduled tasks or services you did not create
- Browser extensions or autofill entries you do not recognize
- Antivirus suddenly disabled, or exclusions you did not add
- Unfamiliar logins in bank or email account history
- Crypto wallets showing unauthorized withdrawals
A full symptom checklist is in our warning signs of a virus guide.
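Two of the symptoms above can be checked directly from PowerShell. The script below is an added example, not part of the original guide; it assumes Windows 10 or 11 with Microsoft Defender as the installed antivirus and only reads state, changing nothing.

```powershell
# Added example (not from the original page): read-only checks for two listed symptoms.
# Assumes Windows 10/11 with Microsoft Defender; run in an elevated PowerShell session.

# Symptom: antivirus disabled, or exclusions you did not add
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference
[pscustomobject]@{
    AntivirusEnabled      = $status.AntivirusEnabled
    RealTimeProtection    = $status.RealTimeProtectionEnabled
    SignaturesLastUpdated = $status.AntivirusSignatureLastUpdated
    ExcludedPaths         = $prefs.ExclusionPath -join '; '
    ExcludedProcesses     = $prefs.ExclusionProcess -join '; '
    ExcludedExtensions    = $prefs.ExclusionExtension -join '; '
} | Format-List

# Symptom: outbound traffic while idle. Map each established connection to a
# non-loopback address back to the process (and binary) that owns it.
$connections = foreach ($c in Get-NetTCPConnection -State Established) {
    if ($c.RemoteAddress -match '^(127\.|::1$)') { continue }
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Process   = $proc.ProcessName
        ProcessId = $c.OwningProcess
        Remote    = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
        Path      = $proc.Path
    }
}
$connections | Sort-Object Process, Remote -Unique | Format-Table -AutoSize -Wrap
```

Run it with browsers and sync clients closed so the connection list reflects an idle system. A process with an empty Path column usually means the session is not elevated.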
How to Remove a Trojan Virus: Step-by-Step
Removing a trojan is rarely glamorous, but the playbook is well established. The following steps assume Windows; the high-level logic applies to macOS and Android as well.
- Disconnect from the network. Pull Wi-Fi and Ethernet to stop ongoing exfiltration and prevent the trojan from receiving new commands.
- Boot into Safe Mode with Networking. Many trojans rely on user-mode hooks that do not load in safe mode, making them easier to detect.
- Run a full scan with a top-tier antivirus. Use a tool that has earned recent AV-TEST or AV-Comparatives top scores. Quarantine, then delete, anything flagged.
- Run a second-opinion scanner. A different engine catches detections the first one missed. This is standard incident response practice.
- Inspect persistence mechanisms. Check Task Scheduler, Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), Services, and the Startup folder for unfamiliar entries.
- Reset all passwords from a clean device. Assume any credentials saved in browsers were stolen. Prioritize email, banking, and any accounts without multi-factor authentication.
- Patch and reboot. Apply pending Windows and application updates so the same vulnerability cannot be reused.
- If the trojan is a rootkit or you cannot remove it cleanly, reinstall the OS. This is faster and safer than chasing kernel-mode persistence.
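The persistence inspection step can be done in one pass with PowerShell. The script below is an added example, not part of the original guide: it inventories the four locations named in that step and goes slightly further by also reading the RunOnce and HKLM keys. The `Get-ExePath` helper and the list of user-writable folders are assumptions made for this illustration.

```powershell
# Added example (not from the original page): read-only inventory of autostart entries.
# Run in an elevated PowerShell session; nothing is modified or deleted.
function Get-ExePath([string]$CommandLine) {
    # Hypothetical helper: extract the program path from a quoted or unquoted command line
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.(exe|dll|bat|cmd|vbs|js|ps1|scr))(\s|$)') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

$entries = @()
# Run and RunOnce keys, per-user and machine-wide
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = Get-Item "$hive\Software\Microsoft\Windows\CurrentVersion\$sub" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $entries += [pscustomobject]@{ Source = $key.Name; Name = $name; Command = [string]$key.GetValue($name) }
        }
    }
}
# Startup folders for the current user and for all users
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        $entries += [pscustomobject]@{ Source = 'Startup folder'; Name = $f.Name; Command = "`"$($f.FullName)`"" }
    }
}
# Scheduled tasks outside the built-in \Microsoft\ tree
foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }) {
    foreach ($action in $task.Actions | Where-Object { $_.Execute }) {
        $entries += [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Command = "$($action.Execute) $($action.Arguments)" }
    }
}
# Services set to start automatically
foreach ($svc in Get-CimInstance Win32_Service -Filter "StartMode='Auto'") {
    $entries += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = [string]$svc.PathName }
}

# Flag entries whose binary cannot be resolved, is not validly signed, or sits in a user-writable folder
$report = foreach ($e in $entries) {
    $path = [Environment]::ExpandEnvironmentVariables((Get-ExePath $e.Command))
    $sig = 'PathNotResolved'
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
    }
    $writable = $path -match '\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'  # assumed folder list
    [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Signature = $sig; UserWritable = $writable; Command = $e.Command }
}
$report | Where-Object { $_.Signature -ne 'Valid' -or $_.UserWritable } |
    Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

A flagged entry is a prompt for review, not a verdict: legitimate software is sometimes unsigned or installed under AppData, and Startup-folder shortcuts are always listed because a .lnk file carries no signature.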
For mobile devices, the equivalent flow is to reboot into safe mode (long-press power, then long-press "Power off" on most Android builds), uninstall recent unknown apps, and run a reputable mobile antivirus. iOS trojans are rare on non-jailbroken devices; the most common "iPhone trojan" alerts are scareware, not real infections.
How Antivirus Software Detects Trojans
Independent labs measure trojan detection along three axes:
| Detection Method | What It Catches | Limitation |
|---|---|---|
| Signature-based | Known trojan binaries | Bypassed by simple repacking |
| Heuristic / static analysis | Suspicious code patterns | Can produce false positives |
| Behavior-based / sandbox | Trojans whose runtime actions match malicious patterns | Higher CPU cost |
| Cloud reputation | Files that are new, rare, or from suspicious domains | Requires connectivity |
| Machine learning models | Polymorphic and zero-day variants | Quality depends heavily on training data |
The AV-TEST December 2025 Home Windows test reports that the top six consumer products — Avast, Avira, Bitdefender, Kaspersky, McAfee, and Norton — all scored 6.0/6.0 on the Protection axis, detecting 100 percent of the 0-day samples used in the test. The differences are usually clearer on the Performance and Usability axes, which are covered in our best antivirus rankings based on independent lab data.
How to Prevent Trojan Infections
Prevention is layered. None of the following is sufficient alone, but together they push trojan success rates very low.
- Install software only from official stores or vendor sites. Cracked installers are the single largest trojan vector.
- Disable Office macros by default. Enable only for verified senders.
- Keep auto-updates on for your OS, browser, and PDF reader. Many trojans rely on patched vulnerabilities home users have not applied.
- Use an AV-TEST top-rated antivirus and keep it enabled. Disabled real-time protection is the #1 finding in post-breach reviews.
- Use a password manager and unique passwords. This contains the blast radius if an info-stealer harvests one machine.
- Enable multi-factor authentication on email, banking, and cloud accounts.
- Back up important files offline (disconnected external drive or versioned cloud). This neutralizes ransomware trojans.
FAQs
What is a trojan virus in simple terms?
A trojan virus is malicious software disguised as a legitimate file or app. Unlike a true computer virus, it does not self-replicate. It tricks the user into installing it, then performs hidden actions such as stealing passwords, opening backdoors, or downloading additional malware. The name comes from the Trojan Horse of Greek mythology.
Is a trojan a virus or malware?
Technically, a trojan is malware, not a virus. The terms are often used interchangeably in consumer software, but a virus self-replicates by attaching to other files, while a trojan relies entirely on social engineering. Security vendors classify trojans under the broader malware umbrella alongside worms, ransomware, and spyware.
How do trojans get on your computer?
The most common vectors are phishing email attachments, fake software downloads from unofficial sites, malvertising on compromised websites, cracked software and game cheats, and bundled installers that hide additional payloads. Mobile trojans are increasingly delivered through unofficial APK files and fake utility apps that briefly appear in official stores before being removed.
Can a trojan virus be removed?
Yes, in most cases. Run a scan with a top-tier antivirus engine in safe mode, review the quarantine list, and reboot. For persistent or rootkit-style trojans, use a dedicated removal tool, a bootable rescue disk, or restore from a clean backup. After removal, change every password from a clean device and enable multi-factor authentication.
Are trojans illegal to make or distribute?
Yes. In the United States, distributing a trojan that accesses a computer without authorization violates the Computer Fraud and Abuse Act (18 U.S.C. § 1030). Most other countries have similar laws. Researchers may build proof-of-concept trojans in isolated lab environments, but deploying one against a system you do not own is criminal.
What is the difference between a trojan and a worm?
A worm spreads on its own across networks by exploiting vulnerabilities; it needs no user action. A trojan does not spread autonomously and depends on the victim running the disguised file. A trojan can drop a worm as a secondary payload, but the two are distinct categories in any major lab classification, including AV-TEST and AV-Comparatives.
The Bottom Line
A trojan virus is the oldest trick in the malware playbook because it works on the one component no patch can fix: human trust. The good news is that the same techniques that have foiled trojans for decades — patched software, default-deny macros, a competent antivirus, and basic credential hygiene — still work in 2026. None of them is glamorous, and none of them sells well, which is why most "best protection" content jumps straight to product names. The honest answer is that the product matters less than the layering.
For a deeper view of the broader malware landscape, see our companion guides on the 12 types of malware every user should know and warning signs your computer has a virus. When you are ready to compare specific products on the basis of independent lab data rather than affiliate hype, our best antivirus rankings consolidate AV-TEST, AV-Comparatives, and SE Labs results in one place.