Malware Targeting Endpoints: Trojans, Spyware, Rootkits, and Wipers

Endpoints — workstations, laptops, servers, and mobile devices — represent the primary attack surface for malware campaigns that range from credential theft to infrastructure destruction. Four malware categories dominate endpoint threat intelligence reporting: trojans, spyware, rootkits, and wipers. Each operates through a distinct mechanism, persists differently within the host, and demands a correspondingly different defensive posture. Understanding their classification boundaries is essential for security architects, incident responders, and compliance personnel selecting controls under frameworks such as NIST SP 800-53 and CISA guidance.


Definition and scope

Malware targeting endpoints is defined by NIST as software that compromises the confidentiality, integrity, or availability of a system (NIST SP 800-83 Rev. 1, "Guide to Malware Incident Prevention and Handling"). Within that broad category, the four families addressed here represent distinct threat archetypes:

Trojans are malicious programs disguised as legitimate software. Unlike viruses or worms, they do not self-replicate; instead, they rely on user execution or supply chain delivery. Trojans frequently serve as initial access payloads that then download secondary malware, establish command-and-control channels, or install remote access tools (RATs).

Spyware collects user or system data — keystrokes, screenshots, clipboard content, browser credentials — and exfiltrates it to an external destination. Spyware may operate as a standalone payload or as a functional module within a broader trojan framework.

Rootkits operate at the kernel, hypervisor, bootloader, or firmware level, modifying operating system behavior to conceal the presence of other malware or attacker activity. Kernel-mode rootkits represent the most technically sophisticated variant because they execute at the same privilege level as the OS itself.

Wipers are destructive payloads designed to render data or systems irrecoverable. Unlike ransomware, wipers carry no financial motive; their objective is operational disruption or denial. CISA has documented wiper deployment in nation-state campaigns targeting critical infrastructure (CISA Alert AA22-057A).

Across sectors, these four categories consistently rank among the highest-priority endpoint risks in threat intelligence reporting.


How it works

Each malware category follows a recognizable operational lifecycle, though execution paths differ substantially.

Trojan delivery and execution typically proceeds through:

  1. Initial delivery — phishing email attachment, drive-by download, or software supply chain compromise.
  2. User or system execution — the trojan binary runs under user or elevated privileges.
  3. Payload staging — secondary payloads (spyware, ransomware, RATs) are downloaded or unpacked.
  4. Command-and-control (C2) establishment — an encrypted channel (commonly HTTPS or DNS tunneling) contacts an attacker-controlled server.
  5. Lateral movement or persistence — scheduled tasks, registry run keys, or service installation maintain presence.
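The persistence mechanisms in step 5 leave host telemetry behind. As an added example (not from the original page), the following scans constructed Windows event records shaped after Sysmon Event ID 13 (registry value set) and Security Event IDs 7045 (service installed) and 4698 (scheduled task created); the simplified field names and the sample events are constructed for this illustration.

```python
"""Flag the persistence mechanisms from step 5 above in constructed Windows
event records: registry Run keys, service installs and scheduled tasks that
point at user-writable paths.  Added example, not from the original page."""
import json
import re
from typing import Optional

# Sysmon Event ID 13 (registry value set), Security 7045 (service installed)
# and 4698 (scheduled task created) are real IDs; the field names below are
# simplified for the example rather than copied from any vendor schema.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None when nothing matches."""
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        return "run-key persistence"
    if eid == 7045 and USER_WRITABLE.search(event.get("ImagePath", "")):
        return "service installed from user-writable path"
    if eid == 4698 and USER_WRITABLE.search(event.get("TaskContent", "")):
        return "scheduled task launching user-writable binary"
    return None

def scan(lines):
    """Parse JSON event lines and return (computer, event_id, label) findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            findings.append((event.get("Computer"), event["EventID"], label))
    return findings

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    r'{"EventID": 13, "Computer": "WS17", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"}',
    r'{"EventID": 13, "Computer": "WS17", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "Details": "1"}',
    r'{"EventID": 7045, "Computer": "WS23", "ImagePath": "C:\\Users\\Public\\svchelper.exe", "ServiceName": "SvcHelper"}',
    r'{"EventID": 7045, "Computer": "WS23", "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "ServiceName": "BITS"}',
    r'{"EventID": 4698, "Computer": "WS42", "TaskContent": "<Command>C:\\Users\\bob\\AppData\\Local\\Temp\\sync.exe</Command>"}',
]

if __name__ == "__main__":
    for computer, eid, label in scan(SAMPLE_EVENTS):
        print(f"{computer}: event {eid} -> {label}")
```

The path heuristics are deliberately narrow; in production they would be tuned against the software inventory of the estate.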

Spyware typically operates with lower system privileges than rootkits, hooking input APIs (such as SetWindowsHookEx on Windows) or scraping memory for credentials. It exfiltrates data through encrypted channels to minimize detection by network monitoring tools.

Rootkits intercept operating system calls to hide files, processes, and network connections. Bootkit variants — a subtype of rootkit — infect the Master Boot Record (MBR) or UEFI firmware, executing before the OS loads and surviving OS reinstallation. The NSA/CISA joint advisory on UEFI threats (NSA CSI, "Boot Security") identifies firmware-level persistence as a particularly difficult detection problem.

Wipers either overwrite the MBR, recursively delete and overwrite file contents using multiple-pass algorithms, or corrupt partition tables. Industrial-sector variants documented in CISA advisories have targeted operational technology (OT) environments, extending destructive reach beyond IT endpoints.
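When a wiper has overwritten the MBR or corrupted the partition table, a responder triaging a disk image wants a quick integrity verdict on sector 0. The following is an added example (not from the original page) that parses a 512-byte MBR, checks its boot signature, boot-code region and partition entries, and compares its hash with a known-good baseline; both sector images are constructed here rather than read from a real disk.

```python
"""Triage a 512-byte MBR image for the damage a wiper leaves (overwritten boot
code, missing 0x55AA signature, corrupt partition entries) and compare it with a
known-good baseline hash.  Added example; both sector images are constructed."""
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446             # four 16-byte partition entries start here
SIGNATURE = b"\x55\xAA"     # boot signature, last two bytes of the sector
ENTRY = "<B3xB3xII"         # status, (CHS start), type, (CHS end), LBA start, sectors

def parse_partitions(mbr):
    """Return the four entries as (status, type, lba_start, sector_count)."""
    return [struct.unpack(ENTRY, mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)])
            for i in range(4)]

def assess_mbr(mbr, baseline_sha256=None):
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(mbr) != SECTOR:
        return [f"unexpected sector length {len(mbr)}"]
    findings = []
    if mbr[510:] != SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if len(set(mbr[:440])) == 1:
        findings.append("boot code region is one repeated byte (overwritten)")
    populated = 0
    for status, ptype, lba, count in parse_partitions(mbr):
        if ptype == 0:
            continue                               # unused entry
        populated += 1
        if status not in (0x00, 0x80):
            findings.append(f"type {ptype:#x} entry: invalid status byte {status:#x}")
        if lba == 0 or count == 0:
            findings.append(f"type {ptype:#x} entry: zero LBA start or length")
    if populated == 0:
        findings.append("no populated partition entries")
    if baseline_sha256 and hashlib.sha256(mbr).hexdigest() != baseline_sha256:
        findings.append("sector hash differs from baseline")
    return findings

def build_mbr(entries):
    """Construct a synthetic MBR with placeholder boot code (example data only)."""
    sector = bytearray(b"\xEB\xFE" + b"\x90" * 438 + bytes(6))      # 446 bytes
    for entry in entries:
        sector += struct.pack(ENTRY, *entry)
    sector += bytes(16 * (4 - len(entries))) + SIGNATURE
    return bytes(sector)

GOOD_MBR = build_mbr([(0x80, 0x07, 2048, 1_048_576)])   # one bootable NTFS-type entry
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()          # recorded before the incident
WIPED_MBR = bytes(SECTOR)                                 # what an all-zero overwrite leaves
```

In an investigation the sector would come from the first 512 bytes of a forensic image, and the baseline hash from the asset's pre-incident golden image.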

Fileless malware, a hybrid category in which trojan-like behaviors execute entirely in memory and so bypass disk-based detection, requires an endpoint defense approach of its own.


Common scenarios

Deployment patterns across these four malware types reflect attacker objectives and target sector:


Decision boundaries

Distinguishing between these malware classes drives control selection, incident response prioritization, and regulatory reporting obligations.

Trojan vs. wiper: A trojan is characterized by covert persistence and continued attacker access; a wiper terminates its own utility after execution. Incident responders encountering irreversible disk corruption without a ransom note should immediately consider wiper attribution, which changes incident response to a recovery-first posture rather than containment-and-eradication.

Spyware vs. trojan: All spyware can be delivered via trojan, but not all trojans deploy spyware. The distinguishing test is data exfiltration — spyware produces outbound network traffic to external collection infrastructure. Network forensics showing unusual encrypted outbound sessions from an endpoint, particularly to newly registered or geographically anomalous domains, is the primary indicator.
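The network indicators above (outbound encrypted sessions to newly registered domains) and the periodic C2 contact of step 4 in the trojan lifecycle can be triaged from flow records. As an added example (not from the original page), the following groups constructed HTTPS flow records per host and destination and flags newly registered domains, large outbound volume and beacon-like timing; FLOWS and DOMAIN_AGE_DAYS are constructed stand-ins for a flow collector and a WHOIS or passive-DNS feed.

```python
"""Triage outbound TLS flows for the two indicators discussed above: the
beacon-like C2 channel of step 4 and spyware exfiltration to newly registered
domains.  Added example, not from the original page; FLOWS and DOMAIN_AGE_DAYS
are constructed, standing in for a flow collector and a WHOIS/passive-DNS feed."""
from collections import defaultdict
from statistics import mean, pstdev

NEW_DOMAIN_DAYS = 30         # registration younger than this is suspicious
EXFIL_BYTES = 50_000_000     # outbound bytes per (host, domain) worth a look
MIN_SESSIONS = 4             # sessions needed before judging periodicity
MAX_JITTER = 0.15            # stdev/mean of inter-arrival gaps below this: beacon-like

# Constructed flow records: (epoch_seconds, host, domain, dst_port, bytes_out)
FLOWS = [
    (1000, "ws-17", "cdn.vendor.example", 443, 12_000),
    (1600, "ws-17", "cdn.vendor.example", 443, 9_000),
    (1000, "ws-23", "upd4te-srv.example", 443, 4_000),
    (1300, "ws-23", "upd4te-srv.example", 443, 4_100),
    (1600, "ws-23", "upd4te-srv.example", 443, 3_900),
    (1900, "ws-23", "upd4te-srv.example", 443, 4_000),
    (2200, "ws-23", "upd4te-srv.example", 443, 60_000_000),
    (1100, "ws-23", "mail.corp.example", 993, 700_000),
]
# Constructed domain ages in days (a WHOIS lookup would supply these).
DOMAIN_AGE_DAYS = {"cdn.vendor.example": 2900, "upd4te-srv.example": 6,
                   "mail.corp.example": 4000}

def triage(flows, domain_age):
    """Group encrypted outbound sessions per (host, domain) and return findings."""
    sessions = defaultdict(list)
    for ts, host, domain, port, out in flows:
        if port == 443:                       # only the HTTPS channel is assessed here
            sessions[(host, domain)].append((ts, out))
    findings = []
    for (host, domain), recs in sorted(sessions.items()):
        reasons = []
        if domain_age.get(domain, 10**6) < NEW_DOMAIN_DAYS:
            reasons.append(f"domain registered {domain_age[domain]} days ago")
        total = sum(out for _, out in recs)
        if total > EXFIL_BYTES:
            reasons.append(f"{total} bytes outbound")
        times = sorted(ts for ts, _ in recs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(recs) >= MIN_SESSIONS and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < MAX_JITTER:
            reasons.append(f"beacon-like interval of ~{mean(gaps):.0f}s over {len(recs)} sessions")
        if reasons:
            findings.append((host, domain, reasons))
    return findings
```

A single reason is a lead, not a verdict; the combination of a young domain, regular timing and a volume spike on one pair is what moves it to the top of the queue.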

Kernel-mode rootkit vs. user-mode rootkit: Kernel-mode rootkits require OS-level privileges and are substantially harder to detect and remove. User-mode rootkits (which hook user-space APIs) can typically be addressed with standard endpoint detection and response tooling. Kernel-mode variants often necessitate offline forensic analysis and full OS reinstallation; firmware rootkits may require hardware-level remediation.
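A rootkit that hooks process enumeration can be caught by disagreement between two independent views of the same PID table, the cross-view technique EDR tooling relies on. The following is an added example (not from the original page) that, on Linux, compares the /proc directory listing with a kill(pid, 0) probe; the collectors are Linux-only and the comparison function works on any constructed views.

```python
"""Cross-view process enumeration: compare the PIDs visible through a /proc
directory listing (what ps and top use) with PIDs that answer a kill(pid, 0)
probe of the kernel's PID table.  A kernel-mode rootkit that filters readdir()
on /proc hides from the first view but not the second; the disagreement is the
indicator.  Added example, not from the original page; the collectors are
Linux-only, while find_hidden() is pure and works on any constructed views."""
import os

def view_from_procfs():
    """PIDs listed by readdir() on /proc, the view a rootkit typically filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def _is_thread_leader(pid):
    """True if /proc/<pid>/status is unreadable or reports Tgid == Pid.
    kill() also accepts thread IDs, so non-leader threads must be dropped
    to avoid reporting every thread as a hidden process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        return fields["Tgid"].strip() == fields["Pid"].strip()
    except OSError:
        return True      # status vanished or is hidden: keep it for review

def view_from_probe(max_pid=None):
    """PIDs that exist according to kill(pid, 0); PermissionError still means alive.
    pid_max is often 4194304, so a full sweep takes a while in Python."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if _is_thread_leader(pid):
            alive.add(pid)
    return alive

def find_hidden(listed, probed):
    """Return (hidden, phantom): hidden PIDs are alive but not listed in /proc;
    phantom PIDs were listed but do not respond (usually just a race with exit)."""
    return sorted(probed - listed), sorted(listed - probed)

if __name__ == "__main__":
    hidden, phantom = find_hidden(view_from_procfs(), view_from_probe())
    print("hidden PIDs:", hidden or "none", "| phantom PIDs:", phantom or "none")
```

A non-empty hidden list on a quiet host warrants offline analysis of that system rather than further live investigation, since the kernel's own answers can no longer be trusted.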

Regulatory classification boundaries: The Cybersecurity Maturity Model Certification (CMMC) framework, administered by the Department of Defense under 32 CFR Part 170, requires organizations handling Controlled Unclassified Information (CUI) to implement malware detection and reporting controls that explicitly cover trojan, spyware, and rootkit categories. FedRAMP authorization requirements reference NIST SP 800-53 controls SI-3 (Malicious Code Protection) and SI-7 (Software, Firmware, and Information Integrity), both of which are directly implicated by rootkit and wiper threats.

Behavioral analytics for endpoint security supplies detection methodologies that operate independently of signature-based classification, which is critical when zero-day variants of these four malware families are deployed before vendor signature updates are available.

