The Inevitable Traces of Malware
Discover how malware always leaves digital footprints, from suspicious files to network traffic patterns. Learn to identify host-based and network-based indicators of compromise (IOC) to detect infections in your system.
I often see people on forums saying: “I uploaded the file to VirusTotal, I’ve already done malware analysis”. Or the classic: “To analyze malware you need to be a genius in Assembly and have 10 years of experience”. The reality is completely different.
Today I learned that malware analysis is not just uploading files to automated tools nor does it require being a movie hacker. It is a methodical process of dissecting malicious software to understand exactly how it works, what it does, and how to detect it. As an experienced analyst says: “Tools can only SEE. Analysts can UNDERSTAND”. And that difference is massive.
The real goal is to find indicators of compromise (IOC), those specific digital footprints that malware leaves and that allow us to detect infections across an entire network, not just in a file.
The Myth of the Digital Ghost
Many people think that malware operates like a ghost leaving no trace, that attackers are so sophisticated they erase all evidence. It’s a lie. The truth is that every action of malware generates detectable artifacts. Malware needs to interact with the operating system, and those interactions leave footprints.
These indicators are divided into two main categories that every analyst must master.
Host-Based Indicators (HBI)
These are the artifacts that remain engraved in the compromised system. Think of them as fingerprints at the crime scene:
- Files: specific names, exact sizes, unique hashes
- Binary characteristics: revealing text strings, compiler PDB paths
- Persistent changes: modified registry keys, new directories, installed services
- Execution artifacts: mutexes with unique names, processes with anomalous behaviors
File System
Malware needs to write to disk to persist or store stolen data. The most common places are:
User folders where the current user is guaranteed write access:
%APPDATA%\updatesvc.exe
%LOCALAPPDATA%\Microsoft\Windows\winlogon.exe
%TEMP%\svchost.exe
System file impersonation:
C:\Windows\System32\kernel32.dll
C:\Windows\System32\drivers\tcpip.sys
Malware's trick is to reuse the names of legitimate components but place the files in the wrong directories. A kernel32.dll in System32 is legitimate. The same file name in %APPDATA% is highly suspicious.
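The "right name, wrong directory" rule above is simple enough to turn into a triage check. The following is an added example, not code from the original article: it classifies Windows paths (kept as %VAR% placeholders, the way IOC reports write them) as legitimate, impersonation, or merely living in a user-writable location. The list of system binary names and their home directories is an assumption you would extend from your own baseline.

```python
from __future__ import annotations
import ntpath

# Legitimate Windows component names that malware likes to borrow
# (the article's examples plus a few other well-known ones; extend from your baseline).
SYSTEM_BINARY_NAMES = {
    "kernel32.dll", "tcpip.sys", "svchost.exe", "winlogon.exe",
    "lsass.exe", "csrss.exe", "explorer.exe",
}

# Where those components really live (lower-case, no trailing backslash).
LEGIT_SYSTEM_DIRS = {
    "c:\\windows",
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\windows\\system32\\drivers",
}

# User-writable drop locations, kept as the %VAR% placeholders an IOC report would use.
USER_WRITABLE_PREFIXES = ("%appdata%", "%localappdata%", "%temp%", "c:\\users\\")


def classify_path(path: str) -> str:
    """Classify a Windows file path as 'legit', 'impersonation', 'user-writable' or 'unknown'."""
    norm = path.strip().lower()
    directory, name = ntpath.split(norm)
    directory = directory.rstrip("\\")
    if name in SYSTEM_BINARY_NAMES:
        # A system name outside its home directory is the "kernel32.dll in %APPDATA%" case.
        return "legit" if directory in LEGIT_SYSTEM_DIRS else "impersonation"
    if norm.startswith(USER_WRITABLE_PREFIXES):
        return "user-writable"
    return "unknown"


def triage(paths: list[str]) -> list[tuple[str, str]]:
    """Return (path, verdict) for every path that deserves a look, impersonations first."""
    verdicts = [(p, classify_path(p)) for p in paths]
    order = {"impersonation": 0, "user-writable": 1}
    return sorted(((p, v) for p, v in verdicts if v in order), key=lambda pv: order[pv[1]])


# Constructed sample: the article's example paths plus one benign vendor path.
SAMPLE_PATHS = [
    r"%APPDATA%\updatesvc.exe",
    r"%LOCALAPPDATA%\Microsoft\Windows\winlogon.exe",
    r"%TEMP%\svchost.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Program Files\Vendor\app.exe",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_PATHS):
        print(f"{verdict:14} {path}")
```

Running it lists the two impersonations (winlogon.exe under %LOCALAPPDATA%, svchost.exe under %TEMP%) before the merely user-writable updatesvc.exe; the two System32 paths and the vendor path are not reported. In real telemetry you would first fold expanded profile paths (C:\Users\name\AppData\Roaming\...) back to %APPDATA% before classifying.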
Persistence via Registry
Malware needs to survive system reboots. If malware only runs once and disappears after a reboot, it is practically useless to the attacker. That’s why the most abused keys are:
User autorun:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
System services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
These keys make malware run automatically every time Windows starts. It’s so effective that practically all malware uses at least one of these locations. When you do analysis, these are the first keys you check.
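One way to check these keys offline is to parse an export produced by `reg export` and flag autorun entries whose program lives in a user-writable location. The following is an added example, not the article's code: it reads a constructed .reg excerpt, collects Run values and service ImagePath values, and returns the ones pointing into user-writable directories. It assumes string values throughout; real exports store REG_EXPAND_SZ values such as ImagePath as hex(2), which this parser does not decode. The service name wuausvc and the file names are constructed sample data.

```python
import re

# Constructed excerpt in the format `reg export` writes (backslashes doubled, quotes escaped).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"UpdateSvc"="C:\\Users\\alice\\AppData\\Roaming\\updatesvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuausvc]
"ImagePath"="C:\\Users\\Public\\Libraries\\wuausvc.exe"
"Start"=dword:00000002
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" lines; both sides may contain \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_MARKER = "\\currentversion\\run"
SERVICES_MARKER = "\\currentcontrolset\\services\\"
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\",
                 "%appdata%", "%localappdata%", "%temp%", "%userprofile%")


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def _image_path(command: str) -> str:
    """Program part of an autorun command: the quoted program if quoted, else up to the first space."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_autoruns(reg_text: str) -> list[tuple[str, str, str]]:
    """Return (key, name, image_path) for Run values and service ImagePath values in a .reg export."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name, command = _unescape(vm.group(1)), _unescape(vm.group(2))
        lower_key = key.lower()
        if lower_key.endswith(RUN_MARKER):
            entries.append((key, name, _image_path(command)))
        elif SERVICES_MARKER in lower_key and name.lower() == "imagepath":
            # Report the service by its key name rather than the literal "ImagePath".
            entries.append((key, key.rsplit("\\", 1)[1], _image_path(command)))
    return entries


def flag_user_writable(entries):
    """Autorun entries whose program lives somewhere an unprivileged user can write."""
    return [e for e in entries if any(m in e[2].lower() for m in USER_WRITABLE)]


if __name__ == "__main__":
    for key, name, image in flag_user_writable(parse_autoruns(SAMPLE_REG)):
        print(f"{name:14} {image}    ({key})")
```

Note that OneDrive is flagged too: legitimate per-user installers also live under AppData, so the output is a review list to compare against a known-good baseline, not a verdict. The SecurityHealth entry under %windir% is correctly left alone.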
Mutex (the duplicate lock)
Mutexes (mutual exclusion objects) are operating system structures that act as “locks” to prevent the same program from running multiple times simultaneously. Why does malware use mutexes?
- Prevents resource conflicts (two instances trying to use the same file)
- Avoids detection due to anomalous CPU/memory usage
- Stops the user from “curing” the infection by running the malware repeatedly
Real example:
Global\4cafb85112364d776a04862aaa4371a0
Why are they excellent indicators? Because these names are specific to each malware family. If you find that exact mutex on 10 different systems, it is almost certain that:
- They are all infected with the same variant
- They come from the same attacker or campaign
- You can create a detection rule with 99% confidence
Mutexes are like digital signatures that malware authors cannot easily change without recompiling and redistributing everything.
Network-Based Indicators (NBI)
Contrary to the myth that “malware only infects your PC”, most modern malware needs to communicate with external servers. Why? Because attackers need to:
- Send commands to the malware (C2 - Command and Control)
- Receive stolen information (exfiltration)
- Download additional modules (post-exploitation)
- Update the malware remotely
Network-based indicators include:
- Domains and IP addresses of C2 servers
- Specific protocols and unusual ports (not just port 80/443)
- Revealing HTTP headers: User-Agent of outdated browsers, Cookies with unique patterns, Suspicious Referers
- Data structures with specific signatures in the traffic (magic bytes, unique delimiters)
HTTP Communication
HTTP is one of the most common protocols for C2. Why do attackers prefer it?
- It blends with legitimate traffic (hard to distinguish from normal browsing)
- It is rarely blocked by corporate firewalls
- It allows standard methods like GET/POST to exfiltrate data without raising alarms
- It works on practically any network (even with restrictive proxies)
The anatomy of a malicious request:
http://example.com/payload.php?id=974eb60d...
Each component can be an indicator:
- Host: example.com (C2 domain)
- Path: /payload.php (specific endpoint)
- Query: id=974eb60d... (victim identifier, encoded command, or session)
NBI - User-Agent as an indicator
The HTTP header User-Agent identifies the client: browser, version, operating system. It is information that the web server uses to tailor content.
Example of a legitimate User-Agent in 2026:
`Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/130.0.0.0`
Example of a malware User-Agent:
`Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1`
If you see this User-Agent in 2026, it is highly suspicious. Why?
- Firefox 40 was released in August 2015 (11 years ago)
- Windows NT 6.1 = Windows 7 (support ended in 2020)
- WOW64 indicates a 32-bit process on a 64-bit system (increasingly uncommon)
An up-to-date corporate system in 2026 would never use this browser. It is a User-Agent hardcoded by the malware author, who:
- Didn’t bother to update it
- Copied it from an old tutorial
- Uses the same one in multiple campaigns (becomes a signature)
Pro tip: When you find a suspicious User-Agent, search for it on Google in quotes. You will often find reports of the same malware family.
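The three checks made above (browser far behind current releases, out-of-support Windows, WOW64) can be automated over a proxy log. The following is an added example, not the article's code: it parses the browser, major version and Windows NT version out of a User-Agent, applies those checks, and reports which clients sent a stale User-Agent. The minimum major versions (130, matching the Chrome version in the article's legitimate example) are an assumed patch baseline, and the proxy log lines are constructed sample data.

```python
from __future__ import annotations
import re

# Assumed patch baseline: anything older than these majors is worth a second look.
MIN_MAJOR = {"Firefox": 130, "Chrome": 130, "Edg": 130}

# Windows NT kernel versions and their product names; NT 6.1 is Windows 7.
WINDOWS_NT = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
              "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10/11"}

BROWSER_RE = re.compile(r"\b(Firefox|Chrome|Edg)/(\d+)")
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")


def parse_user_agent(ua: str) -> dict:
    """Pull the fields an analyst cares about out of a User-Agent string."""
    info = {"browser": None, "major": None, "nt": None, "wow64": "WOW64" in ua}
    matches = BROWSER_RE.findall(ua)
    if matches:
        # Edge also advertises Chrome/... and puts Edg/... last, so the last token is the real browser.
        info["browser"], info["major"] = matches[-1][0], int(matches[-1][1])
    m = NT_RE.search(ua)
    if m:
        info["nt"] = m.group(1)
    return info


def assess_user_agent(ua: str) -> list[str]:
    """Reasons a User-Agent looks stale or inconsistent; an empty list means unremarkable."""
    info = parse_user_agent(ua)
    reasons = []
    if info["browser"] and info["major"] < MIN_MAJOR.get(info["browser"], 0):
        reasons.append(f"{info['browser']} {info['major']} is far behind current releases")
    if info["nt"] and float(info["nt"]) < 10.0:
        name = WINDOWS_NT.get(info["nt"], "Windows NT " + info["nt"])
        reasons.append(f"{name} is out of support")
    if info["wow64"]:
        reasons.append("WOW64: 32-bit process on 64-bit Windows, uncommon for a modern browser")
    return reasons


# Constructed proxy log: client IP, destination host, User-Agent (tab separated).
PROXY_LOG = """\
10.0.0.15\texample.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/130.0.0.0
10.0.0.23\tupdate-server.xyz\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
10.0.0.15\texample.org\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/130.0.0.0
"""


def triage_proxy_log(log: str) -> dict[str, list[str]]:
    """Map each client IP to the reasons its User-Agent is suspicious; clean clients are omitted."""
    findings: dict[str, set[str]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        client, _host, ua = line.split("\t", 2)
        reasons = assess_user_agent(ua)
        if reasons:
            findings.setdefault(client, set()).update(reasons)
    return {client: sorted(r) for client, r in findings.items()}


if __name__ == "__main__":
    for client, reasons in triage_proxy_log(PROXY_LOG).items():
        print(client, "->", "; ".join(reasons))
```

Only 10.0.0.23 is reported, with all three reasons. The version check is deliberately coarse; pair it with the "search the exact string" tip above rather than treating a single stale User-Agent as proof.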
Combining HBI and NBI: The complete picture
Expert analysts don’t look for isolated indicators. They look for patterns that connect HBI with NBI:
Typical scenario:
- HBI: File %APPDATA%\updater.exe
- HBI: Modified Run registry key
- HBI: Mutex Global\UpdaterMutex123
- NBI: HTTP connection to update-server.xyz
- NBI: User-Agent of Firefox 40
When you find all these indicators together, you can:
- Confirm that it is the same malware family
- Create detection rules in EDR/SIEM
- Scan the entire network for these patterns
- Block the domain in the firewall
- Generate YARA signatures
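The scenario above, together with the earlier point that the same mutex on many systems ties them to one variant, can be expressed as a small correlation over per-host telemetry. The following is an added example, not the article's code: it encodes the scenario's indicators as an IOC set, matches them against constructed EDR/proxy observations for four hosts (normalising expanded profile paths back to %APPDATA%), grades each host by how many indicators from both sides were seen, and reports on how many hosts a single indicator such as the mutex appears. The Run value name "Updater" and the host telemetry are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ioc:
    kind: str   # file | run_key | mutex | domain | user_agent
    value: str
    side: str   # HBI or NBI


OLD_FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/130.0.0.0"

# The scenario's indicators as one family IOC set (the Run value name "Updater" is assumed).
UPDATER_FAMILY = [
    Ioc("file", r"%APPDATA%\updater.exe", "HBI"),
    Ioc("run_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "HBI"),
    Ioc("mutex", r"Global\UpdaterMutex123", "HBI"),
    Ioc("domain", "update-server.xyz", "NBI"),
    Ioc("user_agent", OLD_FIREFOX_UA, "NBI"),
]

# Constructed per-host telemetry, keyed by observation kind, as an EDR/proxy export might give it.
TELEMETRY = {
    "WS-01": {  # the full picture
        "file": [r"C:\Users\bob\AppData\Roaming\updater.exe", r"C:\Users\bob\AppData\Roaming\Zoom\bin\Zoom.exe"],
        "run_key": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
        "mutex": [r"Global\UpdaterMutex123", r"Local\ZoomMutex"],
        "domain": ["update-server.xyz", "zoom.us"],
        "user_agent": [OLD_FIREFOX_UA, CHROME_UA],
    },
    "WS-02": {  # mutex live and C2 contacted, but the dropped file is already gone
        "mutex": [r"Global\UpdaterMutex123"],
        "domain": ["update-server.xyz"],
        "user_agent": [CHROME_UA],
    },
    "WS-03": {  # a single DNS lookup: maybe a user clicking a link, needs a closer look
        "domain": ["update-server.xyz"],
    },
    "WS-04": {  # clean
        "file": [r"C:\Users\eve\AppData\Roaming\Zoom\bin\Zoom.exe"],
        "domain": ["zoom.us"],
        "user_agent": [CHROME_UA],
    },
}

APPDATA_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming", re.IGNORECASE)


def normalize(kind: str, value: str) -> str:
    """Fold expanded profile paths back to %APPDATA% and compare case-insensitively."""
    v = value.strip()
    if kind == "file":
        v = APPDATA_RE.sub("%APPDATA%", v)
    return v.lower()


def match_host(iocs: list[Ioc], observations: dict) -> list[Ioc]:
    """Indicators from the set that were observed on one host."""
    hits = []
    for ioc in iocs:
        seen = {normalize(ioc.kind, v) for v in observations.get(ioc.kind, [])}
        if normalize(ioc.kind, ioc.value) in seen:
            hits.append(ioc)
    return hits


def verdict(hits: list[Ioc]) -> str:
    """Grade: 'confirmed' needs several indicators from both the host and the network side."""
    sides = {h.side for h in hits}
    if len(hits) >= 4 and sides == {"HBI", "NBI"}:
        return "confirmed"
    if len(hits) >= 2:
        return "probable"
    return "weak" if hits else "clean"


def correlate(iocs: list[Ioc], telemetry: dict) -> dict[str, tuple[str, list[Ioc]]]:
    """Per-host verdict plus the indicators that produced it."""
    return {host: (verdict(hits), hits)
            for host, hits in ((h, match_host(iocs, obs)) for h, obs in telemetry.items())}


def prevalence(telemetry: dict, ioc: Ioc) -> list[str]:
    """Hosts on which one indicator appears: the 'same mutex on many systems' check."""
    return [host for host, obs in telemetry.items() if ioc in match_host([ioc], obs)]


if __name__ == "__main__":
    for host, (grade, hits) in correlate(UPDATER_FAMILY, TELEMETRY).items():
        print(f"{host}: {grade:9} {[h.kind for h in hits]}")
    print("mutex seen on:", prevalence(TELEMETRY, UPDATER_FAMILY[2]))
```

WS-01 comes out confirmed on all five indicators, WS-02 probable, WS-03 weak and WS-04 clean, and the mutex is seen on two hosts. The same matching loop is what a SIEM rule does at scale; the normalisation step is the part people most often forget, and without it an IOC written as %APPDATA% never matches the expanded path in telemetry.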
Malware analysis doesn’t start by running anything. It starts by understanding what footprints to look for. Indicators of compromise are the universal language of malware: HBI tells you what happened on the system, NBI tells you who it talked to.
And the best part: you can start hunting these indicators right now, without needing years of experience. You just need to know where to look.
Automated tools will tell you “this is malicious.” An analyst understands why, how it works, and how to detect all similar variants in your network.
Next in the series: Static analysis - how to extract IOCs without running anything