Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Malware Family Classification

Training Camp • Cybersecurity Glossary

What is Malware Family Classification?

Grouping malicious software by shared code, behavior, and infrastructure to attribute samples, speed detection, and apply known mitigations.

Glossary > Threats, Malware & Attacks > Malware Family Classification

Malware Family Classification — Grouping malicious software by shared code

Understanding Malware Family Classification

Malware family classification is the practice of grouping malicious software samples into families based on shared code, behavior, infrastructure, and origin. Variants that descend from the same codebase or toolkit, such as multiple versions of Emotet or TrickBot, are clustered together so analysts can recognize a new sample quickly and apply mitigations already known to work against the family.

Classification relies on static and dynamic analysis. Static methods compare code structure, strings, imports, and fuzzy hashes (for example ssdeep or import hashing), and pattern-matching with YARA rules. Dynamic analysis runs samples in a sandbox to observe behavior, persistence, network callbacks, and command-and-control patterns. Analysts also map techniques to MITRE ATT&CK and correlate indicators with threat-intel feeds. Naming is inconsistent across vendors, which is why initiatives like the Malware Attribute Enumeration and Characterization (MAEC) language and shared platforms aim to standardize descriptions.

For security operations, family classification accelerates detection and response. Once a sample is tied to a known family, defenders can deploy existing signatures, hunt for the family's typical indicators of compromise, anticipate its next actions (data theft, ransomware deployment, lateral movement), and attribute activity to a threat actor. Without classification, every sample is treated as novel, wasting analyst time and slowing containment.

For example, a SOC receives an unknown executable from an endpoint alert. Detonating it in a sandbox reveals it injects into legitimate processes, beacons to a known C2 domain, and matches a YARA rule for the QakBot banking trojan. Classifying it as QakBot immediately tells responders that it commonly drops follow-on ransomware and spreads via SMB, so they isolate the host, block the C2 infrastructure, and proactively hunt for lateral movement across the network rather than investigating the single file in isolation.

Learn More About Malware Family Classification:

Ready to Get Certified?

Malware Family Classification is one of the topics you'll master in the CEH Boot Camp.

CEH Boot Camp →