Trojans remain one of the most common ways attackers gain an initial foothold in a device or business network—often as the “first step” that later enables credential theft, data exfiltration, ransomware, and long-term remote access.
This guide breaks down what a Trojan is, how it works in 2026’s threat landscape, the most common Trojan types, warning signs, and—most importantly—how to defend your home or business against Trojan-based attacks using modern best practices and the ACSC Essential Eight (highly relevant for Australian organisations).
What Is a Trojan Horse?
A Trojan horse is a program that appears useful or harmless, while secretly performing malicious actions—often by taking advantage of the permissions you (or your device) grant it when you run it.
Is a Trojan a “virus”?
Strictly speaking, no. A virus copies itself into other files or programs; a Trojan does not self-replicate and instead relies on a person (or an automated install) to run it. In everyday use “virus” is a loose label for all malware, and antivirus products detect both.
Why attackers love Trojans
A Trojan is often a delivery vehicle:
- It can install additional malware (like ransomware or spyware)
- It can create a backdoor for future access
- It can steal credentials and session cookies
- It can enroll devices into botnets
- It can quietly surveil users and systems over time
How Trojans Work: The Modern Infection Chain
While the “look legitimate → run it → get compromised” idea still holds, modern Trojans typically follow a well-worn chain of events:
1) Delivery: how it reaches you
Common delivery paths include:
- Phishing emails (attachments, invoices, shared documents)
- Malicious links via SMS (“smishing”), social media, Teams/Slack-style messages
- Fake software updates or fake security alerts
- Cracked software / keygens and shady download sites
- Malvertising (malicious ads) and drive-by downloads
- Compromised third-party software (supply chain risk)
Email and social engineering remain major initial access vectors for ransomware and data theft campaigns—many of which begin with a Trojan-style payload.
2) Execution: the user (or system) runs it
This can look like:
- Opening a “.docm” or “.xlsm” file and enabling macros
- Running an installer that “looks normal”
- Approving a permissions prompt
- Launching a fake “PDF reader update”
Microsoft specifically notes that VBA macros have been widely abused to gain initial access for malware and ransomware, which is why Office now blocks macros by default in files that carry the Mark of the Web (files downloaded from the internet or received as email attachments).
3) Persistence: it makes itself hard to remove
Once installed, a Trojan may:
- Add startup items / scheduled tasks
- Create registry run keys (Windows)
- Drop additional components into obscure folders
- Blend into legitimate processes
Modern RATs (Remote Access Trojans) often prioritise stealth and persistence so they can remain in an environment longer and extract more value.
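The persistence checks this section describes can be turned into a triage pass over endpoint telemetry. The script below is an added example, not code from the original article: it walks a handful of constructed, Sysmon-style events (registry value set, scheduled task created, file create, process create) and flags Run/RunOnce keys, scheduled tasks and Startup-folder drops that point at user-writable locations, plus system binary names running from the wrong directory. The event shapes and field names are simplified assumptions, not Sysmon’s real schema.

```python
"""Triage constructed Windows telemetry for the persistence tricks Trojans use.

Added example, not code from the original article. Event shapes, field names
and the sample events below are constructed assumptions.
"""
import re
from typing import Dict, List

# Paths a standard user can write to. Persistence that points here is far
# more suspicious than persistence that points into Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.IGNORECASE
)
RUN_KEYS = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# Script hosts that loaders commonly launch from Run keys and scheduled tasks.
SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b",
    re.IGNORECASE,
)
# Names that only belong in System32/SysWOW64; a copy elsewhere is masquerading.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = re.compile(r"\\windows\\(system32|syswow64)\\", re.IGNORECASE)


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons one event looks like Trojan persistence (empty if clean)."""
    reasons: List[str] = []
    kind = ev["kind"]
    if kind == "registry_set" and RUN_KEYS.search(ev["target"]):
        if USER_WRITABLE.search(ev["data"]):
            reasons.append("Run key points at a user-writable path")
        if SCRIPT_HOSTS.search(ev["data"]):
            reasons.append("Run key launches a script host")
    elif kind == "task_created":
        if USER_WRITABLE.search(ev["action"]):
            reasons.append("scheduled task action lives in a user-writable path")
        if SCRIPT_HOSTS.search(ev["action"]):
            reasons.append("scheduled task launches a script host")
    elif kind == "file_create" and STARTUP_DIR.search(ev["target"]):
        reasons.append("file dropped into a Startup folder")
    elif kind == "process_create":
        image = ev["image"]
        name = image.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARIES and not SYSTEM_DIRS.search(image):
            reasons.append(f"{name} running outside System32 (masquerading)")
    return reasons


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each flagged event to its reasons; clean events are omitted."""
    flagged: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        reasons = triage_event(ev)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample telemetry (not real logs): two benign, four suspicious.
SAMPLE_EVENTS = [
    {"kind": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\alice\AppData\Roaming\Updater\upd.exe"},
    {"kind": "registry_set",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"kind": "task_created", "name": "OneDrive Sync",
     "action": r"wscript.exe C:\Users\alice\AppData\Local\Temp\sync.vbs"},
    {"kind": "file_create",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inv.lnk"},
    {"kind": "process_create", "image": r"C:\Users\Public\svchost.exe"},
    {"kind": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["kind"], "->", "; ".join(reasons))
```

The two benign events (a Run key pointing into System32, and the real svchost.exe) pass cleanly, which is the point: the signal is where the persisted binary lives and what it launches, not the mere presence of a Run key or scheduled task.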
4) Command-and-control (C2): it “phones home”
Many Trojans connect to attacker-controlled infrastructure to:
- Receive instructions
- Download additional payloads
- Exfiltrate data
5) Actions on objectives: the real damage
Depending on the attacker’s goal, that may include:
- Credential theft (passwords, tokens, browser data)
- Banking fraud
- Crypto wallet theft
- Lateral movement inside a business network
- Ransomware deployment and extortion
Common Types of Trojans (and What They Do)
Below are Trojan categories you’ll still see referenced—plus the modern equivalents your security team is likely tracking.
Backdoor Trojans
A backdoor Trojan opens a covert way into the device that bypasses normal authentication, so the attacker can return later without having to trick the user a second time.
Remote Access Trojans (RATs)
A RAT gives the attacker interactive control of the machine: running commands, browsing and copying files, capturing the screen and keystrokes, and installing further tools. Most backdoors seen today are RATs or loaders for one.
Banker Trojans
Built to steal financial credentials (online banking, payment apps, card data). Many “banking trojans” have evolved into broader loaders and botnets used to deliver other malware—QakBot is a widely cited example of this evolution.
Downloader / Loader Trojans
A small first stage whose only job is to fetch and run the real payload (an infostealer, a RAT, or ransomware) from attacker infrastructure. Keeping the initial lure small helps it slip past filters and lets the attacker swap payloads later.
Rootkit Trojans
Rootkits are meant to hide malware activity and evade detection. They can interfere with security tools and conceal malicious processes.
DDoS Trojans
Used to join infected machines into coordinated attacks against targets (websites/services), flooding them with traffic.
Infostealers (modern “credential theft” Trojans)
These focus on:
- Browser passwords and saved payment data
- Session cookies (to bypass MFA in some scenarios)
- Password manager data (if the vault is accessible)
- Screenshots, clipboard, and autofill information
Email / Contact Harvesters (e.g., “mailfinder” behaviour)
Designed to exfiltrate address books and email contacts to fuel spam, phishing, and business email compromise attempts.
Mobile Trojans (including SMS Trojans)
On mobile devices, Trojans may:
- Abuse accessibility permissions
- Overlay fake login screens
- Intercept SMS messages (including OTPs)
- Send premium SMS messages
Signs Your Device or Network Might Be Infected
Trojans don’t always announce themselves. Many aim to be quiet. Still, common red flags include:
On a personal device
- Noticeable slowdowns, overheating, frequent crashes
- New programs you don’t remember installing
- Browser redirects, strange extensions, or changed homepage/search engine
- Repeated login prompts, locked accounts, suspicious password reset emails
- Antivirus disabled “mysteriously” (a big warning sign)
In a business environment
- Unusual outbound network traffic (especially to rare domains/IPs)
- Multiple failed logins, new admin accounts, or unexpected privilege changes
- Security logs showing PowerShell misuse or suspicious scheduled tasks
- Devices communicating with external hosts at odd hours
- Unapproved remote tools installed
If you suspect a Trojan, don’t rely on “Google the weird process name” alone. Attackers often mimic legitimate names. Treat symptoms as a cue to investigate properly.
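Two of the business-side red flags above (traffic to rare destinations, and devices talking out at odd hours) can be scored mechanically from proxy or firewall logs. The script below is an added example, not code from the original article: it builds a constructed proxy log, then reports every (internal host, destination) pair whose connections arrive at a regular cadence and either go to a destination no other host uses or fall mostly outside business hours. Host names, IPs, the log format and the thresholds are all assumptions for illustration.

```python
"""Spot Trojan command-and-control beaconing in constructed proxy logs.

Added example, not code from the original article. The log lines, host
names, log format and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple


def build_sample_log() -> List[str]:
    """Constructed proxy log: '<ISO timestamp> <src_ip> <dest_host> <bytes_out>'."""
    lines = []
    # Ordinary daytime browsing: three hosts, one shared destination, irregular gaps.
    for i, host in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        t = datetime(2026, 3, 2, 9, 0, 0) + timedelta(minutes=7 * i)
        for gap in [0, 37, 410, 95, 1200, 66]:
            t += timedelta(seconds=gap)
            lines.append(f"{t.isoformat()} {host} cdn.example-updates.net {512 + i}")
    # One host checking in roughly every 60 s at 02:00 to a domain nobody else uses.
    t = datetime(2026, 3, 3, 2, 0, 0)
    for jitter in [0, 2, -1, 3, 0, -2, 1, 0]:
        t += timedelta(seconds=60 + jitter)
        lines.append(f"{t.isoformat()} 10.0.0.12 cdn-sync.example-telemetry.com 1402")
    return lines


def parse(lines: List[str]) -> List[Tuple[datetime, str, str, int]]:
    """Split each log line into (timestamp, source, destination, bytes_out)."""
    records = []
    for line in lines:
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def analyse(records, min_hits: int = 6, max_cv: float = 0.2,
            off_hours: Tuple[int, int] = (22, 6)) -> List[Dict]:
    """Return one finding per (src, dst) pair that looks like a beacon.

    A pair is reported when it has at least min_hits connections whose
    inter-arrival times are regular (coefficient of variation <= max_cv)
    and either the destination is unique to this source or at least half
    of the connections fall inside the off-hours window.
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    sources_per_dest: Dict[str, set] = defaultdict(set)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
        sources_per_dest[dst].add(src)

    start, end = off_hours
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        off = sum(1 for t in times if t.hour >= start or t.hour < end) / len(times)
        sole_source = len(sources_per_dest[dst]) == 1
        if cv <= max_cv and (sole_source or off >= 0.5):
            findings.append({
                "src": src, "dst": dst, "hits": len(times),
                "mean_gap_s": round(avg, 1), "cv": round(cv, 3),
                "off_hours_fraction": round(off, 2), "sole_source": sole_source,
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(parse(build_sample_log())):
        print(finding)
```

The daytime browsing pairs also reach the six-connection threshold but their gaps vary wildly, so they are not reported; the 02:00 check-ins from 10.0.0.12 are, even though that same host also browses normally during the day. Real malware adds deliberate jitter, so treat the cadence test as one signal alongside rarity and timing rather than a rule on its own.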
What to Do If You Suspect a Trojan
For individuals
1. Disconnect from the internet (Wi-Fi off / unplug Ethernet).
2. Don’t log in to banking or email from the suspected device.
3. Run a full scan with reputable security software.
4. Update your OS and apps from official sources only.
5. From a clean device, change passwords for:
- Email (highest priority)
- Banking
- Apple/Google/Microsoft account
- Password manager
Turn on MFA where possible.
For businesses
1. Isolate the endpoint (EDR network isolation if available).
2. Preserve evidence (don’t wipe immediately if you need forensics).
3. Check for:
- Persistence mechanisms
- Lateral movement
- Credential theft indicators
4. Reset credentials that may be compromised (especially privileged accounts).
5. Review backups and recovery readiness.
6. If ransomware is suspected, align response to established guidance (e.g., incident checklists and response playbooks).
How to Protect Yourself From Trojans: Modern Defence That Actually Works
1) Patch operating systems and applications (fast)
Practical tips:
- Enable automatic updates for OS and browsers
- Maintain a patch cadence for third-party apps (PDF readers, Java, runtimes)
- Remove unsupported software entirely
2) Use multi-factor authentication (MFA) everywhere possible
MFA reduces the damage of credential theft—one of the most common Trojan outcomes. ACSC includes MFA in the Essential Eight for a reason.
Even better:
- Prefer authenticator apps or hardware keys over SMS where feasible
- Protect admin accounts with stronger requirements than normal users
3) Block risky macro behaviour and harden user apps
Office macros have historically been a common Trojan delivery mechanism. Microsoft has moved to block macros from the internet by default in Office to reduce this risk.
For businesses:
- Enforce macro policies (only allow signed macros where needed)
- Harden browsers (limit extensions, enforce safe browsing)
- Disable unnecessary features that expand the attack surface
This maps closely to Essential Eight controls like restrict Microsoft Office macros and user application hardening.
4) Apply least privilege and restrict admin rights
Many Trojans do more damage when they get admin privileges. Reducing admin access limits:
- Persistence options
- Ability to disable security tools
- Lateral movement opportunities
ACSC explicitly includes restrict administrative privileges as an Essential Eight strategy.
5) Use application control (stop unknown executables)
Application control can prevent many Trojan payloads from ever running. It’s a cornerstone mitigation in the Essential Eight.
If you run a Microsoft environment, this usually means Windows Defender Application Control (WDAC) or AppLocker policies that restrict execution to approved applications, paired with strong endpoint protection.
6) Maintain secure, testable backups
Trojans often pave the way for ransomware. Backups aren’t just “nice to have”—they’re critical resilience.
Best practices:
- Keep at least one backup copy offline/immutable
- Test restores (don’t assume backups work)
- Separate backup credentials from day-to-day admin accounts
Essential Eight includes regular backups as a key mitigation.
7) Strengthen email and web filtering
Since many Trojans arrive via phishing, invest in:
- Email filtering with attachment sandboxing
- URL rewriting / safe link scanning
- DNS filtering to block known malicious domains
CISA’s #StopRansomware Guide groups its prevention recommendations around common initial access vectors such as phishing and exposed services; reducing initial access reduces Trojan success rates.
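Attachment filtering is the piece of this that a small team can implement as a concrete policy. The script below is an added example, not the article’s own code or any vendor’s filter: it classifies attachment file names into block, sandbox or scan, covering extensions that should never arrive by email, macro-enabled Office documents, container formats that have been used to carry payloads past the Mark of the Web, whitespace-padded double extensions, and the right-to-left override character that makes an .exe display as a .pdf. It also rates an archive by its worst member. The rule lists, action names and sample file names are constructed for illustration.

```python
"""Classify e-mail attachment names against a block-by-policy rule set.

Added example, not the article's own code or any vendor's filter. The rule
lists, action names and sample names are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# Never delivered by mail, whatever the sender says.
BLOCK_ALWAYS = {"exe", "scr", "pif", "com", "bat", "cmd", "ps1", "vbs", "vbe",
                "js", "jse", "wsf", "hta", "lnk", "msi", "cpl", "jar", "dll"}
# Office formats that can carry VBA: detonate in a sandbox before delivery.
MACRO_ENABLED = {"docm", "dotm", "xlsm", "xlam", "xlsb", "pptm", "potm"}
# Disk images, archives and OneNote files have all been used to smuggle
# executables past Mark-of-the-Web checks: open them up before delivery.
CONTAINERS = {"iso", "img", "vhd", "vhdx", "zip", "7z", "rar", "cab", "one"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: 'report\u202efdp.exe' displays as 'reportexe.pdf'
PADDED = re.compile(r"\s{3,}\.")  # 'invoice.pdf      .js' pushes the real extension out of view


@dataclass
class Verdict:
    name: str
    action: str  # "block", "sandbox" or "scan"
    reason: str


def classify(name: str) -> Verdict:
    """Decide what the mail filter should do with one attachment name."""
    if RLO in name:
        return Verdict(name, "block", "right-to-left override hides the real extension")
    if PADDED.search(name):
        return Verdict(name, "block", "whitespace-padded double extension")
    parts = name.lower().strip().split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(name, "sandbox", "no usable extension; detonate before delivery")
    ext = parts[-1]
    if ext in BLOCK_ALWAYS:
        return Verdict(name, "block", f".{ext} is not accepted by e-mail policy")
    if ext in MACRO_ENABLED:
        return Verdict(name, "sandbox", "macro-enabled Office document")
    if ext in CONTAINERS:
        return Verdict(name, "sandbox", "container format; inspect contents")
    return Verdict(name, "scan", "ordinary attachment; antivirus scan only")


SEVERITY = {"scan": 0, "sandbox": 1, "block": 2}


def classify_archive(archive_name: str, members: List[str]) -> Verdict:
    """An archive is as dangerous as its worst member, so the verdict escalates."""
    worst = classify(archive_name)
    for member in members:
        verdict = classify(member)
        if SEVERITY[verdict.action] > SEVERITY[worst.action]:
            worst = Verdict(archive_name, verdict.action, f"{member}: {verdict.reason}")
    return worst


if __name__ == "__main__":
    # Constructed sample names, not real attachments.
    for sample in ["invoice.pdf.exe", "Q1_report.xlsm", "delivery\u202efdp.exe",
                   "statement.pdf   .js", "report.docx", "files.iso"]:
        print(classify(sample))
    print(classify_archive("invoice.zip", ["invoice.pdf", "invoice.pdf.lnk"]))
```

Name-based rules are the cheap first pass, not the whole control: they should sit in front of content inspection and sandbox detonation, and the block list needs reviewing as attackers move between file types (the shift from macros to .iso, .lnk and .one lures after Microsoft’s macro change is the obvious recent case).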
8) Use endpoint detection and response (EDR) + monitoring
Modern Trojans can be modular and stealthy. Logging and detection matter:
- EDR with behavioural detection (not just signatures)
- Centralised logs (SIEM) for alerting and investigation
- Alerts for suspicious persistence and credential dumping behaviour
9) Train staff for realistic threat behaviour
Because Trojans often rely on social engineering, invest in:
- Phishing simulations
- “Pause and verify” culture
- Clear reporting paths (“If you clicked it—tell IT immediately, no blame”)
Trojan Defence Checklist (Quick Win Version)
If you want an actionable list you can implement quickly:
- Patch OS and third-party apps (automate where possible)
- Enforce MFA (especially for email + admin accounts)
- Block or tightly control Office macros
- Remove local admin rights from standard users
- Implement application control/allowlisting
- Deploy EDR and centralise logs for visibility
- Filter email + web traffic; block risky attachments by policy
- Back up data securely and test restores
- Maintain an incident response plan aligned to recognised guidance
Staying vigilant, being aware of the latest threats, and a sound security system can help protect yourself from Trojans. Speak to our cybersecurity specialists today and let us help your business stay safe and secure. Contact us or email us at cybersecurity@computingaustralia.group.
Jargon Buster
Distributed Denial of Service attack (DDoS) – attackers take a website or service offline by overwhelming the server with more requests or traffic than it can handle, typically from many compromised machines at once.
Firewall – a network security system that monitors and controls incoming and outgoing network traffic according to a predetermined set of rules.
Malware – any software intentionally designed to damage or compromise a computer, server or network, e.g. ransomware, spyware, Trojans.
FAQ
What’s the difference between a Trojan and ransomware?
A Trojan is often the delivery method; ransomware is often the payload/outcome. Many ransomware attacks start with a Trojan foothold.
Can Trojans steal data even if I have MFA?
Sometimes. Trojans may steal session tokens/cookies or capture data after login. MFA still dramatically reduces risk, but it’s not the only control you should rely on.
Are Trojans only a Windows problem?
Windows is a frequent target due to prevalence in business, but Trojans also exist for macOS, Linux, Android, and iOS—especially through deceptive apps, phishing, and credential theft.
How do Trojans stay hidden?
Some use rootkit techniques, living-off-the-land binaries (legitimate system tools such as PowerShell or rundll32 turned to malicious ends), obfuscation, or modular components to evade detection and persist.
What’s the best single defence against Trojans for Australian businesses?
If you had to pick one framework to drive real risk reduction, implementing the ACSC Essential Eight to an appropriate maturity level is one of the most practical, high-impact approaches.