Malware Targeting Endpoints: Trojans, Spyware, Rootkits, and Wipers
Endpoint devices — workstations, servers, mobile systems, and virtual machines — are the primary targets of malware campaigns that seek unauthorized access, persistent surveillance, privilege escalation, and irreversible data destruction. Four malware classes dominate the endpoint threat landscape in both enterprise and federal contexts: trojans, spyware, rootkits, and wipers. Each operates through distinct mechanisms, pursues different objectives, and triggers different detection and response obligations under frameworks such as NIST SP 800-83 and CISA guidance. The endpoint security providers on this domain catalog service providers organized by the threat categories described here.
Definition and scope
Malware targeting endpoints is classified by behavioral intent, persistence mechanism, and the stage of the attack lifecycle at which it operates. The four classes covered here span the full spectrum from initial access enablement through long-term surveillance, privilege escalation, and destructive payload delivery.
Trojans are malicious programs disguised as or bundled with legitimate software. Unlike viruses or worms, trojans do not self-replicate; they rely on social engineering or supply chain compromise for delivery. NIST SP 800-83 Rev. 1, "Guide to Malware Incident Prevention and Handling," classifies trojans as a distinct malware category characterized by deceptive presentation. Subtypes include remote access trojans (RATs), banking trojans, and dropper trojans, which deliver secondary payloads after execution.
Spyware is software that covertly collects information from an endpoint — keystrokes, credentials, screen content, microphone or camera input, and browsing history — and transmits it to a remote actor. The FTC has pursued enforcement actions under Section 5 of the FTC Act against distributors of spyware that fails to disclose its data collection behavior (FTC, "Spyware" enforcement history).
Rootkits are malware components designed to conceal the presence of other malicious code or attacker activity by subverting the operating system, hypervisor, or firmware layer. NIST SP 800-83 distinguishes kernel-mode rootkits, user-mode rootkits, and bootkit variants that persist below the OS at the master boot record or UEFI firmware level.
Wipers are destructive payloads engineered to overwrite or corrupt data and, in advanced variants, firmware — rendering systems unrecoverable. CISA has issued multiple advisories naming wiper malware in nation-state campaigns, including CISA Alert AA22-057A covering WhisperGate and HermeticWiper deployed against Ukrainian infrastructure in 2022. Wipers are distinguished from ransomware by the absence of a recovery mechanism: the destruction is the objective, not leverage.
How it works
Each malware class follows a distinct execution and persistence model. The numbered breakdown below maps each class to its primary operational phases:
1. Trojan — Delivery and Remote Control: A trojan arrives via phishing attachment, malicious download, or compromised installer. Upon execution, it establishes a command-and-control (C2) channel, often over ports 80 or 443 to blend with legitimate web (HTTP/HTTPS) traffic. The attacker then uses the C2 connection to issue commands, exfiltrate data, or deploy additional payloads. Remote access trojans provide full interactive shell access; banking trojans inject code into browser processes to intercept financial credentials.
2. Spyware — Silent Collection and Exfiltration: Spyware operates as a background process with minimal system footprint. Keyloggers capture input at the driver or API hooking level; screen capture modules transmit periodic screenshots; credential harvesters target browser-stored passwords and OS credential stores such as Windows LSASS. Data is exfiltrated in encrypted form to attacker-controlled infrastructure, frequently using legitimate cloud services to evade network-based detection.
3. Rootkit — Privilege Persistence and Concealment: A kernel-mode rootkit loads at ring 0, giving it the same trust level as the OS kernel. It intercepts system calls to hide files, processes, and network connections from security tools running in user mode (ring 3). UEFI rootkits — also called bootkits — persist in firmware and survive OS reinstallation. NIST SP 800-155 addresses BIOS integrity measurement as a countermeasure to firmware-resident threats.
4. Wiper — Destructive Payload Execution: Wipers overwrite the master boot record, target specific file extensions with null-byte overwrites, or issue low-level disk commands that corrupt partition tables. Advanced variants, such as Industroyer2 (documented in CISA Advisory AA22-110A), extend destruction to industrial control system protocols, targeting operational technology endpoints directly.
Common scenarios
Supply chain trojan delivery involves a trojan embedded in a software update or third-party dependency. The SolarWinds Orion incident, addressed in CISA Emergency Directive 21-01, demonstrated how a build-process compromise can distribute trojaned software to thousands of organizations simultaneously before behavioral detection triggers.
Spyware deployed in corporate espionage targets endpoints of employees with access to trade secrets, merger negotiations, or source code repositories. The spyware persists for extended dwell times — IBM's X-Force Threat Intelligence Index has documented median dwell times exceeding 200 days in some sectors — collecting data before discovery.
Rootkit-assisted APT persistence is a scenario in which an advanced persistent threat actor uses a kernel rootkit to maintain access to a compromised endpoint after perimeter detection has removed surface-level indicators of compromise. This persistence model is identified as a primary driver of CDM Program endpoint detection requirements.
Wiper deployment in critical infrastructure attacks is a disruptive scenario where wipers are staged inside operational networks weeks before activation, then triggered simultaneously across multiple endpoints to maximize recovery complexity. CISA has documented this pattern in alerts covering attacks on energy sector and government networks.
Decision boundaries
Distinguishing between these four malware classes — and choosing appropriate detection and response postures — depends on behavioral indicators rather than static signatures alone.
Trojan vs. legitimate remote management software: Both establish persistent remote access channels. The distinguishing factor is user awareness and authorization. Enterprise endpoint detection and response (EDR) platforms aligned with MITRE ATT&CK Tactic TA0011 (Command and Control) flag unauthorized C2 beaconing patterns regardless of whether the tool is a recognized remote access utility.
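The beaconing pattern that the "How it works" trojan step and the paragraph above describe can be surfaced from plain connection records without any signature. The following is an added example, not code from the page or from any EDR product: the flow log is constructed inline, and the detection is a simple coefficient-of-variation test on inter-connection intervals per (source, destination, port) tuple, which is why a callback on 443 is flagged while bursty browsing to another 443 host is not.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow log (not real traffic): "<epoch_s> <src> <dst> <dport>".
# 203.0.113.7 is called back every ~60 s with small jitter; 198.51.100.20
# receives bursty, human-paced browsing. Both use 443.
SAMPLE_FLOWS = """\
1700000000 10.0.0.5 203.0.113.7 443
1700000061 10.0.0.5 203.0.113.7 443
1700000119 10.0.0.5 203.0.113.7 443
1700000181 10.0.0.5 203.0.113.7 443
1700000240 10.0.0.5 203.0.113.7 443
1700000003 10.0.0.5 198.51.100.20 443
1700000004 10.0.0.5 198.51.100.20 443
1700000090 10.0.0.5 198.51.100.20 443
1700000091 10.0.0.5 198.51.100.20 443
1700000500 10.0.0.5 198.51.100.20 443
"""

def parse_flows(text):
    """Group connection timestamps by (src, dst, dport), sorted in time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows[(src, dst, int(port))].append(int(ts))
    return {key: sorted(times) for key, times in flows.items()}

def find_beacons(flows, min_connections=5, max_cv=0.15):
    """Return {tuple: mean_period_s} for tuples with machine-regular timing.

    cv = pstdev(intervals) / mean(intervals). A sleep-and-callback loop
    stays near 0 even with a few seconds of jitter; interactive browsing
    is bursty and lands well above 1. The port number plays no role, which
    is the point: a beacon on 443 is still a beacon.
    """
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        intervals = [b - a for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg > 0 and pstdev(intervals) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (src, dst, port), period in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible C2 beacon: {src} -> {dst}:{port}, period ~{period}s")
```

On real data the thresholds need tuning per environment, and legitimate agents (update checkers, monitoring heartbeats) will also score as periodic, which is exactly the authorization question the paragraph above raises.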
Spyware vs. monitoring software: Employer-deployed monitoring tools and spyware share collection behaviors. Regulatory differentiation turns on disclosure and consent. Under HIPAA, monitored endpoints processing protected health information require specific safeguards (45 CFR §164.312); the FTC Act applies to consumer-facing deployments.
Rootkit vs. legitimate kernel driver: Both operate at kernel privilege. Security teams use NIST SP 800-155 BIOS/UEFI measurement and Secure Boot attestation to establish a baseline of authorized kernel-level code. Deviations from the measured baseline indicate possible rootkit activity and warrant investigation.
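The baseline comparison described above, as an added example that is not code from the page or from NIST SP 800-155: the component names and digests are constructed inline, and the measurement chain is modelled as a TPM-style extend register (each step hashes the previous register value together with the next component digest), which is a simplification of real measured boot but shows why an inserted or altered kernel-level component cannot hide by editing the log alone.

```python
import hashlib

def _h(label: str) -> str:
    """Constructed stand-in for a component's measured SHA-256 digest."""
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed authorized baseline: (component, digest) in boot/load order.
BASELINE = [
    ("uefi_firmware", _h("fw-build-1")),
    ("bootloader", _h("bootmgr-1")),
    ("kernel", _h("kernel-1")),
    ("storage_filter_driver", _h("stor-1")),
]

# Constructed report from a host where one driver's digest changed and an
# unlisted kernel-level component loaded between kernel and storage driver.
OBSERVED = [
    ("uefi_firmware", _h("fw-build-1")),
    ("bootloader", _h("bootmgr-1")),
    ("kernel", _h("kernel-1")),
    ("unknown_driver", _h("unlisted")),
    ("storage_filter_driver", _h("stor-1-modified")),
]

def measure_chain(components) -> str:
    """Fold digests into one TPM-style register: reg = SHA-256(reg || digest).

    Order matters and there is no undo, so a component that loads and then
    erases its own log entry still leaves the aggregate off-baseline.
    """
    reg = bytes(32)
    for _, digest_hex in components:
        reg = hashlib.sha256(reg + bytes.fromhex(digest_hex)).digest()
    return reg.hex()

def diff_against_baseline(baseline, observed):
    """Return (component, finding) pairs for every deviation from baseline."""
    base, seen = dict(baseline), dict(observed)
    findings = [(n, "unauthorized component loaded") for n in seen if n not in base]
    findings += [(n, "digest differs from baseline")
                 for n in seen if n in base and base[n] != seen[n]]
    findings += [(n, "expected component missing") for n in base if n not in seen]
    return findings

if __name__ == "__main__":
    print("baseline aggregate:", measure_chain(BASELINE))
    print("observed aggregate:", measure_chain(OBSERVED))
    for component, finding in diff_against_baseline(BASELINE, OBSERVED):
        print(f"{component}: {finding}")
```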
Wiper vs. ransomware: Ransomware preserves encrypted data to enable recovery upon payment; wipers do not. Incident responders referencing CISA's incident response playbooks treat confirmed wiper activity as a destructive incident requiring immediate isolation rather than a ransomware negotiation scenario.
Federal agencies subject to FISMA must report malware incidents affecting federal information systems to CISA under OMB Memorandum M-20-04, which sets reporting timelines and categorization requirements across all four malware classes. Defense contractors operating under CMMC Level 2 or Level 3 must implement NIST SP 800-171 controls — including malware protection (3.14.2) and system monitoring (3.14.6) — that directly address trojan, spyware, rootkit, and wiper detection obligations. The "How to use this endpoint security resource" page describes how this provider network is structured to help professionals locate providers addressing these specific threat categories.