Malware Evolution: From Infection to Persistence

One‑page, ink‑saving explainer: how a threat can sneak in (Trojan), spread (Worm), hide (Rootkit), strike (Ransomware), and stay (Botnet/C2).

[Figure: Malware Lifecycle Diagram, five stages with arrows: Trojan Infection → Worm Propagation → Rootkit Concealment → Ransomware Payload → Botnet Persistence. Stage panels: 1. Infection (Trojan / phishing / USB; payload loader); 2. Propagation (worm self‑replication; network scanning); 3. Concealment (rootkit / driver hook; disable defenses); 4. Payload (ransomware / exfil; impact actions); 5. Persistence (botnet / C2 / backdoor; lateral movement).]

1. Infection (Trojan)

How it gets in.

  • Delivery: phishing, fake installers, USB autorun.
  • Technique: user opens file; initial loader drops components.
  • Assume → Action: unknown file → don’t run / scan first.

2. Propagation (Worm)

How it spreads.

  • Scans subnets; exploits weak creds or unpatched services.
  • Copies to shares/USB; schedules itself to run.
  • Assume → Action: traffic spike → isolate network.
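The "traffic spike" that should trigger isolation is usually one host fanning out to many new destinations on a single port. The following is an added example, not part of the original explainer: it flags worm‑like fan‑out over constructed netflow‑style records (the line format, window and threshold are assumptions).

```python
"""Flag hosts whose outbound fan-out looks like worm scanning.

Added example, not from the original explainer. Input is constructed
flow lines of the form "<epoch_seconds> <src_ip> <dst_ip> <dst_port>".
A source that reaches >= FANOUT_THRESHOLD distinct destinations on the
same port within WINDOW_SECONDS is reported as a scanning candidate.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # assumed sliding window
FANOUT_THRESHOLD = 20    # assumed distinct-destination threshold

# Constructed sample: 10.0.0.5 sweeps SMB (445) across 30 hosts in 10.0.1.0/24,
# one per second; 10.0.0.7 makes two ordinary HTTPS connections.
SAMPLE_FLOWS = [
    f"{1_700_000_000 + i} 10.0.0.5 10.0.1.{i} 445" for i in range(1, 31)
] + [
    "1700000010 10.0.0.7 10.0.0.20 443",
    "1700000011 10.0.0.7 10.0.0.21 443",
]


def parse_flow(line):
    """Split one flow record into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def detect_fanout(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: (dst_port, peak_distinct_targets)} for sources that
    exceeded `threshold` distinct destinations on one port inside `window`."""
    # Per (src, port): a deque of (timestamp, dst) events still inside the window.
    windows = defaultdict(deque)
    alerts = {}
    for line in sorted(lines, key=lambda l: int(l.split()[0])):
        ts, src, dst, port = parse_flow(line)
        q = windows[(src, port)]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            prev = alerts.get(src)
            if prev is None or distinct > prev[1]:
                alerts[src] = (port, distinct)   # keep the peak fan-out seen
    return alerts


if __name__ == "__main__":
    for src, (port, n) in detect_fanout(SAMPLE_FLOWS).items():
        print(f"ISOLATE CANDIDATE {src}: {n} distinct targets on port {port}")
```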

3. Concealment (Rootkit)

How it hides.

  • Installs kernel/user‑mode hooks; masks files & processes.
  • Disables AV/EDR; tampers with logs.
  • Assume → Action: anomalies → boot‑time scan / offline IR.

4. Payload (Ransomware / Exfil)

How it hurts.

  • Encrypts files, destroys backups, or exfiltrates data.
  • Demands payment; may double‑extort with leaks.
  • Assume → Action: detect early → kill process, cut C2.

5. Persistence (Botnet / C2)

How it stays.

  • Maintains access: services, tasks, registry, implants.
  • Becomes a bot: polls C2 for commands, mines cryptocurrency, joins DDoS attacks.
  • Assume → Action: reimage, rotate creds, patch, segment.