Subscribe to the Non-Human & AI Identity Journal
Home Glossary Cyber Security Malware
Cyber Security

Malware

← Back to Glossary
By NHI Mgmt Group Updated July 12, 2026 Domain: Cyber Security

Malware is software intentionally designed to compromise confidentiality, integrity, or availability. It may steal data, encrypt systems, disrupt operations, or create persistence for later abuse, often by blending into normal user or system activity.

Expanded Definition

Malware is a broad umbrella term for hostile code that is introduced to a device, server, endpoint, or workload to alter normal behaviour for an attacker’s benefit. In practice, it includes many forms such as ransomware, spyware, worms, trojans, backdoors, keyloggers, and wipers, but the defining feature is intent: the code is designed to compromise confidentiality, integrity, or availability. Security teams often distinguish malware from adjacent concepts such as phishing, which is a delivery method, or exploit kits, which are tools used to trigger a vulnerability. Definitions vary slightly across vendors and incident response teams, but the operational meaning is consistent enough to support detection, containment, and recovery work. Guidance from CISA malware guidance and the CIS Controls v8 both reinforce the need to treat malware as a lifecycle problem, not a single file type or signature. The most common misapplication is calling any suspicious attachment “malware” before confirming whether the payload actually executed or established persistence.

Examples and Use Cases

Implementing malware defence rigorously often introduces friction, because stronger inspection, restriction, and isolation controls can slow legitimate work and create more alerts for analysts to review.

  • Ransomware encrypts files and systems, then demands payment. Response depends on containment, offline backups, and verified restoration procedures, not just endpoint blocking.
  • A banking trojan silently intercepts credentials and session data. Teams often detect it through unusual process behaviour, credential abuse, or suspicious outbound traffic rather than by file name alone.
  • Worms self-propagate across networks by exploiting exposed services. Network segmentation and patch hygiene are essential because a single compromised host can become a launch point.
  • Spyware or stalkerware collects sensitive activity data over time. This matters in both enterprise and identity contexts because stolen secrets, tokens, and browser sessions can be reused elsewhere.
  • Agentic workloads can also be targeted by malware that steals API keys, model access tokens, or cloud credentials from execution environments, showing why OWASP guidance on software abuse is increasingly relevant to AI-enabled systems.

Malware analysis is often paired with indicators such as hash values, persistence paths, command-and-control traffic, or dropped files, but no single indicator is sufficient on its own. Incident responders usually need multiple signals before they can attribute behaviour confidently.

Why It Matters for Security Teams

Malware remains important because it turns ordinary systems into attacker-controlled infrastructure, which can quickly cascade into identity compromise, data theft, and business disruption. For security teams, the challenge is not only detection but also limiting what compromised code can touch once it runs. That is why layered controls such as application hardening, email filtering, least privilege, segmentation, and recovery planning matter together rather than in isolation. Malware also intersects with identity security because many campaigns aim to steal secrets, tokens, or session material instead of simply damaging files. In that sense, a compromised endpoint can become a credential harvesting platform, which then undermines IAM, PAM, and NHI controls downstream. The NIST Cybersecurity Framework and MITRE ATT&CK help teams organise malware detection and response around functions, techniques, and recovery paths, while Zero Trust Architecture reduces the blast radius when prevention fails. Organisations typically encounter the full impact of malware only after a workstation, server, or automation account is already misused, at which point malware containment becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST AI RMF and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0DE.CMThe CSF treats malware detection as part of continuous security monitoring.
NIST SP 800-53 Rev 5SI-3SI-3 covers malicious code protection and response requirements.
ISO/IEC 27001:2022A.8.7ISO 27001 includes malware protection as a core operational control.
NIST AI RMFAI RMF applies where malware targets AI systems, models, or supporting data pipelines.
NIST Zero Trust (SP 800-207)5.1Zero Trust limits blast radius when malware compromises a host or account.

Assess malware exposure across AI workflows and add controls for model, data, and toolchain compromise.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org