How Do Cybercriminals Spread Malware? The 10 Most Common Distribution Methods

Table of Contents

Understanding how malware reaches your system is the foundation of effective defense. Cybercriminals don't create malware just to keep it on their own computers — every piece of malware needs a delivery mechanism to reach its target. Here are the ten most common methods used today.

1. Phishing Emails with Malicious Attachments

Email remains the #1 malware delivery channel. Attackers send emails that appear to come from trusted sources — banks, employers, shipping companies, or government agencies — containing attachments that execute malware when opened.

Common malicious file formats include:
- Office documents (.docx, .xlsx) containing malicious macros
- PDF files exploiting reader vulnerabilities
- JavaScript files (.js) that run directly on Windows
- ISO and IMG disk images that bypass mark-of-the-web protections
- ZIP archives containing executable droppers

Emotet, TrickBot, and Qakbot — three of the most prolific malware loaders — relied almost exclusively on malicious email attachments for years.

2. Malicious URLs in Emails and Messages

Rather than attaching malware directly, attackers embed links to malware download pages. The link may point to:
- A fake login page that also downloads a trojan
- A compromised legitimate website hosting malware
- A cloud storage file (Google Drive, OneDrive, Dropbox) containing a malicious installer

URL shorteners obscure the actual destination. HTML smuggling techniques embed malicious payloads directly in HTML email content, bypassing attachment scanners.

3. Drive-By Downloads

A drive-by download occurs when visiting a website results in automatic malware download without any user interaction beyond loading the page. This is achieved through:

  • Exploit kits (RIG, Magnitude) that test the browser and plugins for known vulnerabilities
  • Malicious JavaScript that exploits browser vulnerabilities
  • Malvertising — malicious ads that redirect to exploit kit landing pages

Even reputable websites can serve drive-by downloads if their advertising networks are compromised.

4. Malvertising

Malvertising (malicious advertising) injects malicious code into legitimate ad networks. When an advertising network serves a malicious ad on a legitimate website, every visitor is potentially exposed.

Unlike compromising a website directly, malvertising doesn't require breaking into the publisher's systems — attackers buy ad space through the same auctions that legitimate advertisers use, then switch the ad creative to a malicious payload.

In 2023 and 2024, malvertising through Google Search ads became a primary distribution channel for infostealers like Vidar, Redline, and Raccoon.

5. Software Bundling and Fake Software Downloads

Legitimate-looking software installers include malware as "optional" components. Victims searching for free software, system tools, game cheats, or software cracks frequently download installers from unofficial sources that bundle malware.

Pirated software is particularly dangerous — a cracked Photoshop installer from a torrent site is a classic malware delivery vehicle. The attacker's distribution costs are zero; the user's desire for free software does all the work.

6. USB and Removable Media

The USB drop attack is a physical social engineering technique where attackers leave infected USB drives in locations where targets are likely to find and use them — parking lots, conference rooms, or public spaces.

AutoRun-based infections are less effective since Windows disabled AutoRun by default, but malware can still spread via USB when users execute files on the drive. Industrial control systems that are air-gapped (not connected to the internet) have been infected via USB — this is how Stuxnet reached Iranian nuclear facilities.

7. Watering Hole Attacks

In a watering hole attack, criminals compromise a website that the target group regularly visits. Instead of attacking the targets directly, they infect the "watering hole" and wait for victims to come to them.

This technique is particularly effective against:
- Industry-specific news sites and forums
- Vendor or supplier portals
- Conference and professional association websites

APT groups frequently use watering hole attacks to target researchers, government employees, and industry professionals.

8. Social Media and Messaging Apps

Direct messages via WhatsApp, Telegram, Discord, and social media platforms are increasingly used for malware delivery. Common scenarios:

  • Discord servers for gaming, NFTs, or crypto that distribute "exclusive tools" containing RATs
  • Telegram channels offering pirated software, cheats, or "investment bots" that are malware
  • Facebook messages from compromised friend accounts containing "video links" that lead to phishing/malware sites

The trust inherent in receiving a message from a known contact makes this approach highly effective.

9. Supply Chain Attacks

Rather than attacking the target directly, supply chain attacks compromise software or hardware that the target uses. The SolarWinds attack (2020) modified the SolarWinds Orion software build process to include a backdoor, which was then distributed to 18,000 customers via legitimate software updates.

The XZ Utils backdoor (2024) involved a sophisticated attacker spending two years establishing trust in the open-source community before inserting a backdoor into a Linux utility used by major distributions.

10. Exploiting Remote Services (RDP, VPN, Exchange)

Exposed remote services are a primary entry point for ransomware groups. RDP (Remote Desktop Protocol) with weak credentials or known vulnerabilities has enabled countless ransomware attacks. Attackers scan the entire internet for open RDP ports and either brute-force credentials or exploit known CVEs.

Similarly, unpatched VPN appliances (Pulse Secure, Fortinet, Citrix) and mail servers (Microsoft Exchange) with known vulnerabilities have been exploited at massive scale.

How to Defend Against All of These

  • Use email security with attachment sandboxing and URL rewriting
  • Keep all software patched and updated
  • Use uBlock Origin to block malvertising and drive-by attacks
  • Download software only from official sources
  • Disable AutoRun for USB media and be skeptical of found drives
  • Use multi-factor authentication on all remote access
  • Monitor for lateral movement after initial compromise

FAQ

What's the most common way ransomware gets in?
Phishing email attachments and exposed RDP services are the two most common ransomware entry points, according to major incident response firms.

Can malware spread through WiFi?
Not directly through WiFi itself, but malware can spread to other devices on the same network once it has infected one system through lateral movement techniques.

Is it possible to get malware just from visiting a website?
Yes — drive-by download attacks can install malware without any clicks if your browser or plugins have unpatched vulnerabilities.

Do all malicious emails have obvious signs of being fake?
No. Sophisticated phishing emails are convincingly realistic, using copied branding, legitimate-looking sender domains, and contextually appropriate content.


This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.

Sc

ScamSandbox Team

Cybersecurity Expert at ScamSandbox

Share: