- Trojans can spy on you, gain remote control of your device, steal your credentials, and use those credentials to steal your money.
- The first trojan virus was a game called ANIMAL.
- Trojan viruses work, not by forcing their way onto your device, but by weaponizing your own actions against you.
- Spotting a modern trojan is easier said than done. Attackers hope you never learn the red flags of a trojan infection.
- To get rid of a trojan, the conventional advice is to scan with device security software or behavioral-based antivirus tools. Learn why this may not be nearly enough.
- Prevent trojans from stealing your data (and money): Use LastPass FIDO2 MFA, the gold standard for phishing-resistant MFA, for all your accounts.
A trojan virus hides inside trusted software, quietly stealing your files and passwords. And removing it is a layered process.
But what does that mean for you?
After all, today’s trojans are anything but predictable. Take SocGholish. In December 2025, Kaiser Permanente employees who clicked on a Google Search ad for their company’s HR portal got an unexpected result.
They were redirected to a fake login page and prompted to update their browser. The unlucky few who complied got their devices infected with SocGholish.
And let’s not forget Agent Tesla, a RAT (remote access trojan) that specializes in collecting keystrokes and browser credentials. In 2024, it infected 6.3% of corporate networks worldwide.
And just this week, French authorities arrested a crew member after discovering a RAT capable of remote system control on a passenger ferry docked in the Mediterranean port of Sete.
The Paris prosecutor’s office suspects the threat actor acted on behalf of a foreign power.
If they’re targeting ferries, they’re targeting you too.
But the good news is: Once you know how trojans work and how to remove them, you’ll never be an easy target again.
What is a trojan virus?
First, let’s define a trojan virus: This is a type of malware that hides inside legitimate files so it can:
- Record your keystrokes
- Steal your passwords and digital wallet credentials
- Use those credentials to transfer money out of your accounts
- Give attackers remote control over your device
Given the threat it presents, who created the first trojan virus?
Good question.
How did the trojan virus start?
The original trojan horse came from Greek mythology. Ancient scholars say the trojan horse could only work as a one-off: It relied entirely on surprise and cunning, diverging from standard military practice.
It was built by Epeius, a Greek master craftsman known for his strength and technical skills. And it was Odysseus himself who proposed using the horse to defeat Troy.
As legend has it, the Greeks left behind one of their soldiers, Sinon, as a ruse. The wily Sinon suggested that the horse would make Troy invincible.
Laocoon, a Trojan priest, tried to warn his fellow countrymen. “I am afraid of the Greeks,” he said, “even when they offer us gifts.”
Just as Laocoon spoke, Sinon countered with a preposterous story. He told the Trojans that the Greek Army ditched him because he was a threat to Odysseus.
And he shared a delicious secret: The wooden horse was actually an offering of peace to their goddess, Athena. The Greeks made the horse massive, so the Trojans couldn’t bring it into their city; after all, they didn’t want Athena helping the Trojans in any way.
Of course, all of this was a lie. But it was enough (supposedly) to convince the Trojans to drag the wooden behemoth into Troy. When night fell, Sinon let the Greek soldiers out after the Trojans turned in. The rest, as they say, is history.
And here’s the interesting part: Historians can’t agree on how many Greek soldiers were in the horse. Some say 30 or 50, while others claim 100 or more.
Which brings us to 1975.
That’s when programmer John Walker created ANIMAL, the first digital trojan. ANIMAL was a game of 20 questions that copied itself onto shared directories without overwriting other programs.
Like the original horse, ANIMAL was a visible “gift” (a fun game) that hid “soldiers” (a helper program called PERVADE that replicated ANIMAL across directories without users knowing).
The only difference was that Walker had no malicious intent. He simply wanted to share the game with others.
Not so with our next example, widely considered the first ransomware-style trojan.
In 1989, biologist Dr. Joseph L. Popp mailed 20,000 diskettes infected with the AIDS/PC Cyborg trojan to medical researchers.
Many recipients installed it, believing it to contain free AIDS research. Unfortunately, they missed the fine print: “Warning: Do not use these programs unless you are prepared to pay for them.”
Once installed, the trojan lay dormant until its host computer completed 90 boot cycles. It then encrypted all filenames. And only then did it reveal its true intent: It displayed a “license renewal” ransom demand, asking users to send $189 to a Panama PO box for decryption.
This brings us to an important question.
How do trojan viruses work?
Trojans work, not by forcing their way onto your device, but by voluntary action on your part.
Attackers first use social engineering to get you to download what appears to be a legitimate resource.
The trojan hides inside this resource: It could be an app download, software update, email attachment, or a supposed “antivirus” tool.
Once you click, the trojan can:
- Establish a connection with the attacker’s C2 server
- Download additional malware like keyloggers, infostealers, spyware, or ransomware
- Use stealth techniques like rootkits to hide its presence from your system
- Use DLL injection to inject malicious code and hide itself in legitimate processes
And the worst part? AI has drastically boosted the realism of phishing emails used in social engineering campaigns, helping attackers bypass human suspicion and even Secure Email Gateways (SEGs).
In December 2025, StrongestLayer researchers analyzed 2,500 Docusign attacks that bypassed SEGs.
One legal team found itself one click away from a $1.5 million malpractice nightmare after an attorney almost sent privileged documents via Docusign to what appeared to be co-counsel.
And in January 2025, researchers showed how easy it is to manipulate unsuspecting users: They used GPT-4o and Claude 3.5 Sonnet to create hyper-personalized spear phishing emails.
And the CTR (click-through rate) achieved? A whopping 54%, a KPI that would be the envy of marketing departments worldwide.
What can a trojan virus do?
A modern trojan virus can steal your data, eavesdrop on you, create backdoors for remote access, and install more malware on your device.
And the newest variants can even read your messages and steal your money.
Take, for example, Sturnus. This new Android banking trojan can capture communications from encrypted messaging platforms like Signal, WhatsApp, and Telegram.
And most clever of all: Sturnus doesn’t try to break encryption.
It simply waits until your phone decrypts messages for you to read and then captures them from the screen.
Here’s how it works: Sturnus protects itself by grabbing Device Administrator privileges so it can block any attempt to remove it.
If you open the Settings page to disable its permissions, Sturnus detects it and moves you away from the screen. It monitors network conditions, SIM changes, and even signs of forensic investigation, so it can decide how to respond.
Sturnus also employs a keylogging pipeline through Android’s Accessibility Service to record keystrokes: This is how it gets every single password you type.
While transferring money out of your accounts, Sturnus can use a full-screen overlay to black out your screen, so you don’t see anything.
Meanwhile, the Coyote banking trojan can target over 70 banking apps and cryptocurrency exchanges. Once deployed, it can log keystrokes, capture screenshots, and display phishing overlays to steal credentials.
Now that you know what trojans can do, you may be wondering, “Has this actually happened? Or is this just fearmongering?”
Let’s look at two examples: One that cost victims millions of dollars and another that literally destroyed a country’s nuclear program.
What are examples of trojan viruses?
Two examples of trojans are Emotet and GameOver Zeus.
Let’s start with Emotet. This banking trojan first appeared in 2014.
In 2017, it became even more dangerous: It transformed into a loader, allowing operators to download more malware onto infected machines, such as:
- Banking trojans like Trickbot, Ursnif, and Qbot
- Ransomware like Ryuk and Megacortex
Now, you may be familiar with the term “loader.” But what’s the difference between a loader trojan and dropper trojan?
In a nutshell, a loader (or downloader) must connect to a C2 server to retrieve malware after gaining a foothold. Meanwhile, a dropper contains an embedded payload that executes once the file runs.
At the height of the pandemic, Emotet campaigns spread phishing emails with COVID-19 report attachments. In all, Emotet infected more than 1.6 million devices and caused hundreds of millions of dollars in damage worldwide.
In 2023, Emotet resurfaced with a new email campaign, delivering malicious documents embedded in Zip files. This is one trojan that refuses to die.
Now, let’s talk about GameOver Zeus.
The creation of Russian cybercriminal Evgeny Bogachev, this trojan was unlike any other of its time.
Instead of relying on a central command server that was easy to disrupt, GameOver Zeus operated like a hydra: every infected device could command others, creating a decentralized network that was a nightmare for law enforcement.
It was take-down proof, until an undercover agent from the Pittsburgh FBI office stepped in.
How was GameOver Zeus taken down?
The GameOver Zeus trojan: Takedown Phase 1
A rumored Kremlin asset, Evgeny Bogachev’s sheer audacity makes him the quintessential Bond villain.
A lover of Bengal cats and leopard-print pajamas, the then 33-year-old Evgeny commanded a digital empire that had (by all accounts) bled $100 million from banks worldwide.
Security experts Tillmann Werner and Brett Stone-Gross tried to take down GameOver Zeus; after all, they’d cracked lesser botnets before. At the height of the “battle,” both men had 99% of Evgeny’s botnet redirected to their sinkhole.
But they missed a critical layer of GameOver’s resilience: a small, surviving subset of infected devices with a line to Evgeny’s C2 server.
Within two weeks, Evgeny (nicknamed the comically banal “Slavik”) was able to reassemble his peer-to-peer network. The nine-month takedown effort was a miserable failure.
Score: Law enforcement = 0 Bond villain = 1
The GameOver Zeus trojan: Takedown Phase 2
When the head of the FBI’s cyber squad in Pittsburgh, Keith Mularski, entered the arena, he saw what others missed:
You don’t fight ghosts with conventional weapons. You’ll lose every time.
A white-hat hacker with the screen name Master Splyntr (a handle inspired by Teenage Mutant Ninja Turtles), Mularski secretly assembled a star team.
It consisted of law enforcement from more than a dozen countries and security experts from Microsoft, CrowdStrike, McAfee, Dell, and more.
And on May 30, 2014, they struck.
Evgeny joined the battle at his leisure, smugly confident at first.
But each time he redirected traffic to new servers and deciphered Pittsburgh’s method of attack, Mularski’s team (which included Werner and Stone-Gross) pivoted.
It was cyber hand-to-hand combat that held everyone enthralled, with a long line of law enforcement gawking over the men’s shoulders.
For four tense hours, Werner and Stone-Gross battled for control. The breakthrough finally came when the men managed to infiltrate Evgeny’s communication channels and turn the distributed network against itself.
Stunned, Evgeny could do nothing on his end.
Score: Law enforcement = 1 Bond villain = 0
Game over.
What happened to Evgeny Bogachev?
Evgeny, however, remains at large, presumably living a charmed life in Anapa, a Russian resort city on the Black Sea.
But his once-feared botnet was never to reassemble again.
Today, he remains the FBI’s most wanted cybercriminal, with a bounty of $3 million on his head. The Kremlin is rumored to be protecting him, and with no extradition treaty between the U.S. and Russia, there’s no telling what Evgeny might be up to next.
Who knows when he’ll restart the game of cat-and-mouse?
Now, let’s look at the rest of the trojan ecosystem threatening your safety.
Backdoor trojans
DoublePulsar is a backdoor used to execute code on compromised systems, allowing for the activation of more malware.
Detected by Microsoft as Trojan:Win32/DoublePulsar, it was a backdoor tool developed by the NSA. At its height, it infected more than 200,000 Windows devices and was implicated, along with EternalBlue, in the May 2017 WannaCry ransomware attack.
Cyber risk modeling firm Cyence puts the potential losses from WannaCry at $4 billion worldwide.
Ransomware trojans
LockBit is the world’s most prolific ransomware group. In 2024, Europol struck back with Operation Cronos, taking down 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the U.S. and the U.K.
The ransomware group is famous for triple extortion tactics and for using Distributed Denial-of-Service (DDoS) attacks as an additional layer of pressure.
In a revolutionary collaboration between Europol, the Japanese police, the National Crime Agency, and the FBI, there’s now a tool for recovering files encrypted by the LockBit ransomware.
It's called the No More Ransom portal, available for free in 37 languages. So far, 6 million+ victims worldwide have already benefited from No More Ransom, which contains over 120 tools capable of decrypting 150+ types of ransomware.
Infostealers
Infostealer trojans are exploding in 2024 and 2025, snatching billions of credentials to fuel ransomware and account takeover (ATO) attacks.
RedLine dominates, accounting for more than 43% of total infections in 2024, followed by RisePro, StealC, Lumma Stealer, and Meta Stealer.
Costing attackers just $100-$600 monthly with a MaaS (malware-as-a-service) subscription, these trojans stole 2.1 billion credentials in 2024. And infostealers aren’t fading away.
In 2025, new threats are amplifying the peril, turning your device into a gold mine for the Dark Web marketplace. They include:
- The HOOK Android banking trojan with overlay screens to steal your passwords
- The Medusa banking trojan, which can read SMS texts, log keystrokes, capture screenshots, record calls, and make unauthorized transfers after using overlays to steal your banking credentials
- AsyncRAT and Venom RAT, which are also capable of stealing credentials
RATs (remote access trojans)
Imagine a trojan so sophisticated, it can disable top-tier security software like AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro.
This would be Kaolin RAT, deployed by the threat group Lazarus. It handles payload retrieval and DLL loading from C2 servers.
This means it pulls malicious plugin files (DLL) from the attacker’s server to run on your device, letting the attacker steal your data or spy on you.
DLLs (dynamic-link libraries) are shared toolkits that Windows programs borrow (on demand) to complete system tasks. That’s why they’re called “dynamic”: Windows programs load them only when needed.
Threat groups like Lazarus swap in malicious DLLs to hide attacks during normal tasks.
Campaigns using this RAT also deploy a rootkit like FudModule as a subsequent payload to enable kernel evasion.
By now, you may be wondering, “What’s the difference between a rootkit and backdoor?”
Good question. Basically, a rootkit infiltrates a device at the kernel level, merging with the operating system to quietly execute malicious code.
Meanwhile, a backdoor is a hidden entry point, which attackers can use to bypass normal authentication processes. Once established, the backdoor can be used to steal data, deploy more malware, or execute remote commands.
Fake AV (antivirus) trojans
Now, picture this: You’re casually browsing when a McAfee alert screams that the Zeus 2020 trojan has been detected on your system. Your heart races and you wonder if you should click.
Trust your gut: Don’t.
The “Zeus. 2020” and “Zeus. 2022” trojan detection alerts are scams.
Here's what happens if you click. You’ll be redirected to a fake McAfee site that runs a bogus scan. This site might display an overly dramatic message like “Your PC is in danger!!! Six viruses have been detected!!” and you’ll be pressured to “Update your software NOW!!!”
If you’re on a Mac, you might see a pop-up that directs you to call a fake support hotline, which exposes you to a tech support scam.
Whatever you do, don’t click. Read on to learn what to do instead.
Note: This scam isn’t related to the actual GameOver Zeus trojan created by Evgeny Bogachev. It just exploits the infamous Zeus name to make the scam alerts more credible.
Can a trojan virus go undetected?
The answer is yes. Many can remain undetected for months or years, depending on their evasion tactics.
For example, the Emotet trojan is polymorphic, which means it can modify its own code to evade signature-based detection.
It can also obfuscate or hide its code.
And it’s virtual machine aware. This means it can detect whether it’s running in a virtual or sandboxed environment and adapt to conceal its presence.
Finally, Emotet can leverage domain generation algorithms (DGAs) to create streams of random-looking domains for the malicious C2 server it communicates with. This frustrates takedowns of the server.
Other types of trojans that can evade detection include infostealers and remote access trojans (RATs).
How do you know if you have a trojan virus?
While fake “Your device is infected with a trojan” pop-ups can actually install a trojan on your device, modern trojan infostealers like RedLine and Lumma often leave no obvious signs. To spot a possible trojan infection, look for these indirect signs of compromise:
- Your favorite platforms are suddenly sending you alerts about logins from unfamiliar devices and locations.
- You see unexpected system prompts that ask you to enter your passwords.
- You receive notifications that your password has been changed to one or more of your accounts, without your authorization.
- You’re completely locked out of your email, banking, and crypto accounts.
- Your security or antivirus software has been disabled, without you touching it. As mentioned, RAT campaigns involving rootkits like FudModule can do this.
- You see unfamiliar apps in your Windows Task Manager.
- There are charges on your credit card you don’t recognize.
While one or two of the above may have perfectly good causes, combined they signal a disturbing pattern that justifies a closer look.
How can you detect a trojan virus?
Now that you know how to spot them, detecting a trojan virus is easy. Your best bet is to use reputable antivirus tools with email protection and trust your gut instincts.
For example, you visit a website and get prompted to “verify you’re human” by copying a command and pasting it into the Windows Run box.
Remember: This is a top Lumma Stealer delivery method. No legitimate CAPTCHA will ever ask you to download and run files.
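As an added example (not from the original post), the PowerShell script below does a read-only check of two places where Windows keeps a record of what was typed into the Run box or a PowerShell console, and flags entries that look like a pasted fake-CAPTCHA command. The keyword list is an assumption chosen for this illustration, not a definitive signature.

```powershell
# Added example, not from the original post. Read-only check for traces of a pasted
# "verify you're human" command. Windows records Run-box entries in the RunMRU registry
# key, and PowerShell keeps console history in a PSReadLine text file.
# The keyword list is an assumption: common living-off-the-land tools and download verbs.
$SuspiciousTerms = @('powershell', 'mshta', 'curl', 'certutil', 'bitsadmin', 'rundll32',
                     'regsvr32', 'iex', 'invoke-expression', 'frombase64string', 'http')

function Get-RunBoxHistory {
    # Each value is named a, b, c ... and stores "command\1"; MRUList holds the ordering.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        if ($name -eq 'MRUList') { continue }
        $cmd = ([string]$item.GetValue($name)) -replace '\\1$', ''
        [pscustomobject]@{ Source = 'RunMRU'; Command = $cmd }
    }
}

function Get-ConsoleHistory {
    $path = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    if (-not (Test-Path $path)) { return @() }
    foreach ($line in Get-Content $path) {
        [pscustomobject]@{ Source = 'PSReadLine'; Command = $line }
    }
}

function Find-SuspiciousCommand {
    param([object[]]$History)
    foreach ($entry in $History) {
        if (-not $entry.Command) { continue }
        $lower = $entry.Command.ToLowerInvariant()
        $hits = @($SuspiciousTerms | Where-Object { $lower.Contains($_) })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Source = $entry.Source; Matched = ($hits -join ', '); Command = $entry.Command }
        }
    }
}

$history  = @(Get-RunBoxHistory) + @(Get-ConsoleHistory)
$findings = @(Find-SuspiciousCommand -History $history)
if ($findings.Count -gt 0) {
    Write-Warning "Found $($findings.Count) suspicious history entries; treat the device as possibly infected."
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No suspicious Run-box or console history found.'
}
```

A hit here is a reason to move on to the removal steps, not proof of infection on its own; a legitimate admin command can also match.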
How to remove a trojan virus from your devices
Once a trojan has been detected, removing it from your device requires a layered approach:
Step 1: Boot into Safe Mode
This prevents the trojan from running.
Step 2: Disconnect your device from the internet
This prevents the trojan from accessing a malicious C2 (command-and-control) server or downloading more files.
Step 3: Run a full system scan
Run a full scan with Windows Security and Microsoft Defender Offline. Then, reconnect to the internet to download and run the Microsoft Safety Scanner.
Step 4: Get a second opinion
If you regularly frequent consumer forums like Reddit, you may be wondering, “What about using AV (antivirus) tools like Norton or Total AV?”
The answer: It can’t hurt. Although Microsoft Defender excels at known threats, a second opinion can offer peace of mind.
But there’s a caveat: Although commercial AV tools use similar behavioral heuristics to Microsoft Defender, they can’t reliably protect against infections like Kaolin RAT + FudModule.
And although specialized rootkit scanners have their place, they may also be limited when it comes to DKOM (direct kernel object manipulation) rootkits like FudModule.
In such a case, your best bet is a complete reinstall of your OS from clean media after backing up.
If that feels too intimidating, take your device to a reputable computer repair service or consult with a qualified security professional. Your safety is paramount.
Step 5: Update all software and antivirus
Update your device to ensure you have the latest versions of all software and antivirus.
Step 6: Change all your passwords
Even if the infection is gone, remember that trojans like Agent Tesla are credential stealers.
So, if your credentials have been exfiltrated, all your accounts are at risk. Your best bet? Use the LastPass generator to create the strongest passwords possible, based on NIST’s newest guidelines.
Then, lock down your credentials with a free trial of Premium (for individuals), Teams (for startups or entrepreneurs), or Business Max (for any business). No credit card is required for trials because you deserve security that works even when you sleep.
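As an added example (not from the original post), this PowerShell script carries out the scanning part of the steps above with the Defender cmdlets that ship with Windows 10 and 11: it first confirms that Defender itself has not been silently disabled (one of the warning signs listed earlier), then runs the full scan, lists anything detected, and hands off to Microsoft Defender Offline. Run it from an elevated prompt; the seven-day signature-age threshold is an assumption.

```powershell
# Added example, not from the original post. Uses the built-in Defender cmdlets;
# run from an elevated PowerShell prompt.
function Test-DefenderHealthy {
    # Returns a list of problems; an empty list means Defender looks intact.
    $status = Get-MpComputerStatus
    $issues = @()
    if (-not $status.AMServiceEnabled)          { $issues += 'Antimalware service is not running' }
    if (-not $status.AntivirusEnabled)          { $issues += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $issues += 'Real-time protection is off' }
    # 7 days is an assumed threshold for "stale" signatures
    if ($status.AntivirusSignatureAge -gt 7)    { $issues += "Signatures are $($status.AntivirusSignatureAge) days old" }
    # IsTamperProtected only exists on newer Windows builds, so check for it first
    if ($status.PSObject.Properties['IsTamperProtected'] -and -not $status.IsTamperProtected) {
        $issues += 'Tamper protection is off'
    }
    return $issues
}

function Invoke-TrojanCleanupScan {
    param([switch]$Online)   # pass -Online once you have reconnected, so signatures update first

    $issues = @(Test-DefenderHealthy)
    if ($issues.Count -gt 0) {
        # A silently disabled scanner is itself a warning sign (see the symptoms list above).
        Write-Warning ('Defender problems: ' + ($issues -join '; '))
    }

    if ($Online) { Update-MpSignature }

    # Step 3: full scan from inside Windows. This call blocks until the scan completes.
    Start-MpScan -ScanType FullScan

    # Show what was found and whether Defender managed to act on it.
    $detections = @(Get-MpThreatDetection)
    if ($detections.Count -gt 0) {
        $detections | Select-Object InitialDetectionTime, ProcessName, ActionSuccess, Resources |
            Format-Table -AutoSize -Wrap
    } else {
        'No detections recorded.'
    }

    # Hand off to Microsoft Defender Offline, which reboots and scans before Windows
    # (and any rootkit) loads. Save your work first: this restarts the machine.
    Start-MpWDOScan
}

Invoke-TrojanCleanupScan
```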
How do you prevent a trojan horse virus?
While it’s possible to remove trojans, an ounce of prevention is worth a pound of cure, especially when it comes to stealthy threats like Kaolin RAT + FudModule that turn post-infection cleanup into a nightmare.
Here’s how you win with prevention:
- Be paranoid: Don't click unfamiliar links or download attachments you didn’t ask for.
- Set OS, browsers, and antivirus to auto-update. Many infostealers exploit known vulnerabilities that patches fix.
- Never ever run commands from CAPTCHAs. Infostealers like Lumma are often distributed via fake CAPTCHAs.
- Download software from official sources only. Lumma Stealer is often distributed via “cracked” software or pirated apps.
- Get LastPass SaaS Monitoring via Business Max to track every SaaS app login (yes, even Docusign logins). With SaaS Monitoring, you can track the IP address and locations of logins, so you can spot red flags and protect your business.
- Use LastPass FIDO2 MFA to add another layer of security for ALL your accounts.
Sources
Malwarebytes: Malicious ad distributes SocGholish malware to Kaiser Permanente employees
The American Scholar: Bringing in the horse
WIRED: Inside the hunt for Russia’s most notorious hacker
Apple: Remove or delete apps from iPhone
McAfee: How to remove a virus from an iPhone
Norton: How to check for viruses on iPhone
Tech Target: How to detect and fix a jailbroken iPhone
Microsoft: How to start a scan for viruses or malware in Microsoft Defender
Microsoft Learn: Windows Defender Agent Tesla removal
MiniTool: Comparison guide: Windows 10 reset vs clean install vs Fresh Start
Microsoft Learn: Fresh Start versus Reset
Microsoft: Create installation media for Windows
Livewire: Quarantine, delete, or clean: What should you do about a virus?
Europol: Law enforcement disrupts world’s biggest ransomware operation