Malware stacking is when multiple types of malware are installed on a victim’s device, often in layers, during a single attack. For example, an initial piece of malware—like a trojan or exploit kit—might install a backdoor, which then downloads ransomware, spyware, or cryptominers. Each layer serves a different purpose, making the attack more damaging and harder to remove. Attackers use stacking to maximize profit, maintain long-term access, or overwhelm defenses. It’s a common tactic in complex or targeted cyberattacks.
A well-known example of malware stacking comes from the Emotet botnet campaigns:
Emotet → TrickBot → Ryuk
- Emotet: Initially spread via phishing emails, Emotet acted as the entry point. It infected systems and established a foothold.
- TrickBot: Emotet then downloaded TrickBot, a banking trojan that also acted as a backdoor, harvesting credentials and mapping the network.
- Ryuk: Finally, TrickBot paved the way for Ryuk ransomware, which encrypted files across the network and demanded payment.
Each stage stacked a different type of malware—spreader, data thief, and ransomware—creating a highly effective, multi-layered attack. This combination caused massive disruptions in governments, hospitals, and businesses around the world.
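For defenders, the layering means a single detection should be read as one stage of a possible chain. The following added example (not from the original page) correlates per-host alerts and flags hosts whose detections advance through the Emotet, TrickBot, Ryuk stages in order; the alert records, host names, stage numbering and 7-day window are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage order follows the chain described above (entry point, backdoor and
# credential theft, ransomware). The numeric ranks are this example's assumption.
STAGE = {"emotet": 1, "trickbot": 2, "ryuk": 3}

# Constructed sample alerts (host, ISO timestamp, family label); not real telemetry.
ALERTS = [
    ("ws-014", "2024-03-01T09:12:00", "Emotet"),
    ("ws-014", "2024-03-01T09:40:00", "TrickBot"),
    ("ws-014", "2024-03-03T02:05:00", "Ryuk"),
    ("ws-022", "2024-03-01T10:00:00", "Emotet"),
    ("ws-031", "2024-03-02T11:00:00", "TrickBot"),
    ("ws-031", "2024-03-20T11:00:00", "Ryuk"),
    ("ws-040", "2024-03-02T08:00:00", "UnknownAdware"),
]

def find_stacked_hosts(alerts, window=timedelta(days=7)):
    """Return {host: [family, ...]} for hosts where detections advance through
    at least two distinct stages, in order, within `window` of the chain start."""
    by_host = defaultdict(list)
    for host, ts, family in alerts:
        stage = STAGE.get(family.lower())
        if stage is not None:  # families outside the known chain are ignored
            by_host[host].append((datetime.fromisoformat(ts), stage, family))

    stacked = {}
    for host, events in by_host.items():
        events.sort()  # chronological order per host
        best = []
        for i, (start, stage, family) in enumerate(events):
            chain, last = [family], stage
            for ts, st, fam in events[i + 1:]:
                if ts - start > window:
                    break  # too late to belong to the chain starting at `start`
                if st > last:  # a later stage followed an earlier one
                    chain.append(fam)
                    last = st
            if len(chain) > len(best):
                best = chain
        if len(best) >= 2:
            stacked[host] = best
    return stacked

if __name__ == "__main__":
    print(find_stacked_hosts(ALERTS))
```

A host that shows only the first stage (ws-022 in the sample) is not flagged, but given the chain above it is where the later stages would be expected to appear.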