Malicious Payload

What is a malicious payload?

In a cyber-attack, the payload is the part of the attack that does the actual damage to the victim. Like the Greek soldiers hidden inside the wooden horse in the story of the Trojan Horse, a harmful payload can sit quietly for some time before it is triggered.

Attack vectors such as viruses, worms, and other malware can each carry one or more harmful payloads. Payloads are also commonly delivered as email attachments: Symantec has reported that one in every 359 emails carries a harmful payload, and that ratio is rising.

How do malicious payloads harm their victims?

Some common examples of how harmful payloads cause harm:

  • Data theft: A very common type of harm is the theft of sensitive information, such as login credentials or financial information, through different forms of data breach.
  • Activity monitoring: A harmful payload that runs may monitor user activity on a computer. This can be done for spying, for blackmail, or to collect consumer behavior that can be sold to advertisers.
  • Showing advertisements: Some harmful payloads work to show constant, unwanted ads such as pop-ups and pop-unders to the victim.
  • Deleting or changing files: This is one of the most serious harms from a harmful payload. Files can be deleted or changed to affect the behavior of a computer, or even disable the operating system and/or startup processes. For example some harmful payloads are made to ‘brick’ smartphones, meaning they can no longer be turned on or used at all.
  • Downloading new files: Some harmful payloads come in very small files that are easy to spread, but once they run they will start the download of a much bigger piece of harmful software.
  • Running background processes: A harmful payload can also be triggered to run processes quietly in the background, such as cryptocurrency mining or storing the attacker's data on the victim's machine.

How are malicious payloads executed?

Attackers must first find a way to deliver the harmful payload onto the victim’s computer. Social engineering attacks and DNS hijacking are two common examples of payload delivery methods.

Once a payload is in place, it will usually stay quiet until being run. An attacker can choose from many different ways to run a harmful payload. Some common ways to run a harmful payload:

  • Opening an executable file: For example, a victim downloads an email attachment that they believe is pirated software and double-clicks the installer, which runs the payload.
  • Triggering a specific set of behavioral conditions: This is called a logic bomb. For example, a dishonest employee might plant a logic bomb on the company's network that periodically checks whether they are still on the payroll. Once they are removed from the payroll, the condition is met and the harmful payload runs.
  • Opening certain non-executable files: Even files that are not executables can carry a harmful payload. For example, there are attacks in which payloads are hidden inside .PNG image files. Opening the image does not run the hidden data by itself: it runs either because the viewer's image parser has an exploitable vulnerability, or because a loader already present on the system extracts the hidden data from the image and executes it.
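The image case above is worth looking at concretely. A PNG file is a signature followed by a sequence of length-prefixed, CRC-protected chunks ending in IEND; decoders stop at IEND and ignore ancillary chunks they do not understand, so a payload is typically either appended after IEND or stuffed into an oversized ancillary chunk such as tEXt. The following is an added example, not code from the original page: a small chunk walker that flags both hiding places, run over three constructed samples (a clean 1x1 image, one with an executable header appended after IEND, and one with an 8 KiB blob in a tEXt chunk). The 4 KiB threshold for ancillary chunks is an assumption chosen for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_png_chunks(data):
    """Walk the chunk stream of a PNG file.

    Returns (chunks, trailing) where chunks is a list of
    (chunk_type, length, crc_ok) tuples and trailing is whatever
    follows the IEND chunk. A well-formed PNG has no trailing bytes.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated %r chunk" % ctype)
        # The CRC covers the type field and the chunk data, not the length.
        crc_ok = zlib.crc32(ctype + body) & 0xFFFFFFFF == struct.unpack(">I", crc_bytes)[0]
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def inspect_png(data, max_ancillary=4096):
    """Return a list of findings that suggest the image carries extra data."""
    findings = []
    chunks, trailing = parse_png_chunks(data)
    if not chunks or chunks[-1][0] != "IEND":
        findings.append("no IEND chunk: file is truncated or malformed")
    if trailing:
        findings.append("%d bytes appended after IEND" % len(trailing))
        if trailing.startswith(b"MZ"):
            findings.append("appended data starts with MZ (PE executable header)")
    for ctype, length, crc_ok in chunks:
        if not crc_ok:
            findings.append("bad CRC on %s chunk" % ctype)
        # Ancillary chunks (lowercase first letter, e.g. tEXt, zTXt) are
        # ignored by decoders, which makes them a convenient hiding place.
        if ctype[0].islower() and length > max_ancillary:
            findings.append("oversized ancillary chunk %s (%d bytes)" % (ctype, length))
    return findings


def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_png(extra_chunks=(), trailing=b""):
    """Build a minimal 1x1 RGB PNG (constructed sample data for this example)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailing


# Constructed samples: a clean image, one with an executable header appended
# after IEND, and one with an 8 KiB blob stuffed into a tEXt chunk.
CLEAN = build_png()
APPENDED = build_png(trailing=b"MZ" + b"\x90" * 64)
STUFFED = build_png(extra_chunks=[(b"tEXt", b"Comment\x00" + b"A" * 8192)])

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("appended", APPENDED), ("stuffed", STUFFED)):
        print(name, inspect_png(sample) or "no findings")
```

A check like this only shows that an image carries data it does not need; it cannot tell whether that data is harmless metadata or a payload waiting for a loader, so treat a finding as a reason to quarantine and look closer rather than as a verdict.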

How to stop malicious payloads

Malicious payloads can be delivered and executed in so many different ways that there is no single control that prevents them. Besides being alert to phishing and other social engineering attacks, take precautions with every file you download or receive from the Internet. A good general rule is to scan every downloaded file with up-to-date anti-malware before opening it, even when it appears to come from a trusted source.
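Scanning with an anti-malware engine is the main control, but a few cheap checks catch the most common tricks used to get a victim to open an executable: an executable extension, a double extension such as invoice.pdf.exe, a right-to-left override character that reverses how the name is displayed, and a file whose magic bytes do not match what its extension claims. The following is an added example, not code from the original page; the magic-byte table and extension lists are constructed for the example and are deliberately non-exhaustive, and the sample inputs are constructed in memory.

```python
import hashlib
import os

# First bytes of a few common formats (constructed, non-exhaustive table).
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
]
# What a given extension claims the content is.
EXT_TYPE = {
    ".exe": "pe-executable", ".dll": "pe-executable", ".scr": "pe-executable",
    ".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".jar": "zip",
}
# Extensions a desktop will run directly when double-clicked (non-exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".wsf", ".hta", ".msi", ".ps1", ".lnk"}
RTLO = "\u202e"  # Unicode right-to-left override


def sniff_type(data):
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_download(filename, data):
    """Return a list of warnings about a downloaded file; empty means no finding."""
    warnings = []
    name = filename.lower()
    if RTLO in name:
        warnings.append("right-to-left override character in file name")
        name = name.replace(RTLO, "")  # judge the name as the OS actually parses it
    stem, ext = os.path.splitext(name)
    if ext in EXEC_EXTS:
        warnings.append("executable extension %s" % ext)
    if os.path.splitext(stem)[1] in EXT_TYPE:
        warnings.append("double extension hides the true type")
    actual = sniff_type(data)
    expected = EXT_TYPE.get(ext)
    if expected and actual != expected:
        warnings.append("extension %s claims %s but content is %s" % (ext, expected, actual))
    if actual.endswith("executable") and ext not in EXEC_EXTS:
        warnings.append("executable content behind a non-executable extension")
    return warnings


def sha256_hex(data):
    """Digest to look up in threat-intelligence or allow/deny lists."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples: a real PNG header, and a PE header under three names.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = [
    ("photo.png", PNG_SAMPLE),
    ("invoice.pdf.exe", PE_SAMPLE),
    ("holiday.png", PE_SAMPLE),
    ("photo" + RTLO + "gnp.exe", PE_SAMPLE),  # displays as photoexe.png
]

if __name__ == "__main__":
    for filename, data in SAMPLES:
        print(repr(filename), sha256_hex(data)[:16], check_download(filename, data) or "ok")
```

These checks are a triage layer in front of a scanner, not a replacement for one: a payload inside a genuinely valid document or image passes all of them, which is exactly why the page's advice to scan every download still stands.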