
Malware 101: a comprehensive guide

Published:
21/7/2025

Malware isn’t what it used to be. It’s no longer about breaking things or stealing files. Today, it’s the silent enabler of financial fraud, crafted to operate inside real banking sessions, in real time, without triggering a single alert.

The problem is that most fraud and security tools don’t look beyond the login. They’re not built to understand what’s happening inside the session. And that’s exactly where today’s attacks live.

This article breaks down how malware evolved into a tool for session hijacking, why traditional defences aren’t enough, and how Cleafy gives fraud teams the visibility they need to act before money leaves the account.

What is malware?

The myth of the breach

Malware (short for malicious software) is any programme or file intentionally designed to disrupt, damage, or gain unauthorised access to a computer system. It’s the digital equivalent of a parasite: covert, adaptive, and potentially devastating.

In banking and financial services, malware presents a unique risk. Criminals aren't just chasing data; they’re chasing money and the systems that move it. Malware can manipulate transactions in real time, steal credentials, or simply lock an organisation out of its systems until a ransom is paid.

With the average cost of a data breach in the financial services industry exceeding USD 6.08 million in 2024, compared to USD 4.88 million for all industries, understanding malware is everyone’s concern.

Malware is just how attackers get in. The real damage happens later, during the session, in full view of your systems. But because it mimics normal user behaviour, almost nothing flags as suspicious.

Your fraud tools? They’re watching for bad devices, dodgy IPs, or weird logins. Not what malware does once it’s in.

And that’s where most fraud happens.

Malware was never the goal. Fraud is.

“Malware moves through networks like rumours through offices – quietly, persistently, gathering reach.”

It doesn’t want attention. It wants access. Because the real business is fraud.

A quick history with intent as the lens:

  • 1970s-80s: Experimental code like ANIMAL replicates itself; not malicious, just curious.
  • 1990s: Macro and boot-sector viruses like Melissa and Michelangelo make headlines, disrupting business.
  • 2000s: Worms like ILOVEYOU and Code Red cause chaos at scale. Ransomware enters the picture.
  • 2010s–now: Malware gets specific. Banking trojans like Zeus, Dridex, and Cleafy-discovered variants like Sharkbot and ToxicPanda are built to steal funds, not data.

How banking malware works

What malware does (and your systems don’t see)

A modern banking malware attack isn’t just infection. It’s orchestration.

Malware today:

  • Alters what users see on their screens (web injection)
  • Intercepts browser traffic in real time (man-in-the-browser)
  • Takes control of active sessions (session hijacking)
  • Bypasses MFA, because it operates inside a session the user has already authenticated
  • Fools your systems by behaving just like your users

One infection can log credentials, reroute payments, inject fake forms, and exfiltrate everything, without ever triggering your SIEM.

And since most of this mimics legitimate use, static rules, device scoring, and traditional fraud tools miss it completely.
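As an added example (not Cleafy’s code, and not a description of its product), the page-integrity check below shows one way a defender can spot a web injection from inside the session: the bank’s front end knows which input fields each page should render, so any extra field (for instance a card-PIN prompt that the real page never asks for), or an expected field that disappears behind an overlay, is flagged. The page paths, field names and HTML snippets are constructed for the illustration; in a browser the same comparison would walk document.querySelectorAll("input") instead of parsing a string.

```javascript
// Added example (not Cleafy's code): client-side page-integrity check that
// flags form fields a web-injection may have added to, or removed from, a
// banking page. Assumption: the bank publishes, per page, the input names it renders.

// Constructed allow-list of expected input names per page (hypothetical names).
const EXPECTED_FIELDS = {
  "/login": ["username", "password", "csrf_token"],
  "/transfer": ["beneficiary_iban", "amount", "reference", "csrf_token"],
};

// Minimal extractor for the name attribute of <input> elements in an HTML
// string, so the check runs offline on constructed markup. In a real page you
// would read document.querySelectorAll("input") rather than regex-parse HTML.
function extractInputNames(html) {
  const names = [];
  const inputTag = /<input\b[^>]*>/gi;
  const nameAttr = /\bname\s*=\s*["']?([^"'\s>]+)/i;
  for (const tag of html.match(inputTag) || []) {
    const m = tag.match(nameAttr);
    if (m) names.push(m[1]);
  }
  return names;
}

// Compare observed fields against the allow-list for the page.
// injected: inputs the page should not have (likely a web-inject);
// missing:  expected inputs that vanished (overlay or replaced form).
function checkPageIntegrity(path, html) {
  const expected = new Set(EXPECTED_FIELDS[path] || []);
  const observed = new Set(extractInputNames(html));
  const injected = [...observed].filter((n) => !expected.has(n)).sort();
  const missing = [...expected].filter((n) => !observed.has(n)).sort();
  return { path, injected, missing, suspicious: injected.length > 0 || missing.length > 0 };
}

// Constructed markup: a clean login page, and the same page after an injection
// added a "card_pin" prompt that the genuine page never shows.
const CLEAN_LOGIN = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc">
</form>`;

const INJECTED_LOGIN = CLEAN_LOGIN.replace(
  "</form>",
  `<input type="password" name="card_pin" placeholder="Confirm card PIN">\n</form>`
);

// Stand-alone demonstration: the first result is clean, the second flags card_pin.
console.log(JSON.stringify(checkPageIntegrity("/login", CLEAN_LOGIN)));
console.log(JSON.stringify(checkPageIntegrity("/login", INJECTED_LOGIN)));
```

The allow-list only has to describe what the bank itself serves, which is why this kind of check does not depend on device trust or on knowing the injection in advance: an unexpected field is suspicious regardless of which malware family produced it.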

Inside the malware lifecycle (with a fraud lens)

Here’s how attackers weaponise access:

1. Social engineering – Phishing, SMS spoofing, fake apps
2. Dropper and delivery – Often using known malware kits or MaaS platforms
3. Obfuscation – Encrypted, packed, designed to evade analysis
4. Fileless execution – Nothing hits disk, runs in memory via PowerShell or scripts
5. Command and Control (C2) – Communication back to attacker
6. Session manipulation – Credential theft, fake fields, fund redirection, full control

This is no longer a technical exploit chain. It’s a fraud workflow.

Static tools are blind beyond the login

Fraud teams today rely on behavioural biometrics, rules engines, endpoint detection, and device fingerprinting.

All useful. All necessary. But none are built to detect what happens inside the session. None can flag real-time manipulation once malware is active and the user is logged in.

That’s where the fraud happens.

Where Cleafy sees what others don’t

Cleafy isn’t an add-on. It’s the missing layer.

We monitor the live session from the moment users open a banking app or web application, even before they log in.

This means we can detect:

  • Web injections and fake forms
  • Session hijacking and credential harvesting
  • Malware behaviour (not just signatures)
  • Intent, not just indicators

We track everything in-session, without relying on device trust or known IOCs.

Banking malware: real-life examples

SuperCardX

  • Hidden mobile malware hijacking banking sessions via accessibility abuse
  • Traditional EDRs missed it completely
  • Cleafy mapped the live session and flagged unauthorised activity
  • Fraud blocked before execution

DroidBot

  • Malware behaving like a human, simulating sessions via automation
  • Analysts overwhelmed with false positives
  • Cleafy identified session anomalies linked to automation
  • Fraud team reduced investigation time by 80%
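The DroidBot case turns on one observable: automated input is far more regular than a human’s. As an added example (not Cleafy’s code or its detection logic), the session scorer below takes the timestamps of in-session events that a banking front end would already record (taps, keystrokes, field focus) and flags a session whose inter-event gaps are too uniform, or too fast, to be human. The event streams, the thresholds and the session identifiers are constructed for the illustration; real thresholds would be tuned on a bank’s own traffic.

```javascript
// Added example (not Cleafy's code): flag in-session activity whose timing is
// too regular to be human, as automation-driven malware tends to produce.
// Assumes the front end records a millisecond timestamp per user event; the
// sessions below are constructed, and the thresholds are illustrative.

// Gaps between consecutive event timestamps, in milliseconds.
function interEventGaps(timestamps) {
  const gaps = [];
  for (let i = 1; i < timestamps.length; i++) gaps.push(timestamps[i] - timestamps[i - 1]);
  return gaps;
}

// Coefficient of variation (std dev / mean) of the gaps. Human input is jittery
// (CV usually well above 0.3); scripted input is near-constant (CV close to 0).
function coefficientOfVariation(values) {
  if (values.length < 2) return NaN;
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  const variance = values.reduce((a, b) => a + (b - mean) ** 2, 0) / values.length;
  return Math.sqrt(variance) / mean;
}

// Score one session. Returns a verdict plus the reasons, so an analyst sees why
// the session was flagged instead of a bare alert.
function assessSession(session, { minEvents = 8, cvThreshold = 0.15, minGapMs = 40 } = {}) {
  const gaps = interEventGaps(session.events);
  if (gaps.length + 1 < minEvents) {
    return { sessionId: session.id, verdict: "insufficient-data", reasons: [] };
  }
  const reasons = [];
  const cv = coefficientOfVariation(gaps);
  if (cv < cvThreshold) reasons.push(`inter-event timing too regular (CV=${cv.toFixed(3)})`);
  const fastest = Math.min(...gaps);
  if (fastest < minGapMs) reasons.push(`gap of ${fastest} ms is below the human floor`);
  return {
    sessionId: session.id,
    cv,
    verdict: reasons.length > 0 ? "automation-suspected" : "human-like",
    reasons,
  };
}

// Constructed sessions (hypothetical ids): a person typing a beneficiary, a
// plain script firing every 50 ms, and a script that adds a little jitter.
const HUMAN = { id: "s-human", events: [0, 210, 470, 590, 905, 1120, 1480, 1610, 1990, 2310] };
const BOT = { id: "s-bot", events: [0, 50, 100, 150, 200, 250, 300, 350, 400, 450] };
const JITTERED_BOT = { id: "s-bot-jitter", events: [0, 120, 241, 359, 480, 601, 719, 840, 961, 1080] };

// Stand-alone demonstration: the human session passes, both scripted ones are flagged.
for (const s of [HUMAN, BOT, JITTERED_BOT]) console.log(JSON.stringify(assessSession(s)));
```

Timing regularity is one signal among several a session-level tool would combine (field-fill order, navigation speed, whether the on-screen value matches the submitted one), but it is cheap, needs no device trust or indicator of compromise, and, as the jittered case shows, a few milliseconds of randomisation do not push a script back into the human range.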

ToxicPanda

  • Malware injecting fake screens into banking apps
  • Customers thought they were transferring money to themselves
  • Cleafy detected screen manipulation in real time
  • Prevented losses in the millions across LATAM banks

How Cleafy can help

Malware isn’t just a cybersecurity issue, it’s a fraud problem that starts after the login, where most tools stop watching.

Cleafy is different. We don’t just detect malware. We expose threats that were built to hide, seeing what others miss.

You already have tools that look for signals of fraud. Cleafy reveals more than scattered signals. It gives you the full context, to stop threats from resulting in fraud before money moves. Our customers don’t have to choose between frictionless UX or strong security, alert volume or accuracy, fraud visibility or operational cost. They get all of it, with faster time to value, and no need to train models for six months before seeing results.
