Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
Grouping malicious software by shared code, behavior, and infrastructure to attribute samples, speed detection, and apply known mitigations.
Malware Family Classification Definition: Grouping malicious software by shared code, behavior, and infrastructure to attribute samples, speed detection, and apply known mitigations.
Malware family classification is the practice of grouping malicious software samples into families based on shared code, behavior, infrastructure, and origin. Variants that descend from the same codebase or toolkit, such as multiple versions of Emotet or TrickBot, are clustered together so analysts can recognize a new sample quickly and apply mitigations already known to work against the family.
Classification relies on static and dynamic analysis. Static methods compare code structure, strings, imports, and fuzzy hashes (for example ssdeep or import hashing), and pattern-matching with YARA rules. Dynamic analysis runs samples in a sandbox to observe behavior, persistence, network callbacks, and command-and-control patterns. Analysts also map techniques to MITRE ATT&CK and correlate indicators with threat-intel feeds. Naming is inconsistent across vendors, which is why initiatives like the Malware Attribute Enumeration and Characterization (MAEC) language and shared platforms aim to standardize descriptions.
For security operations, family classification accelerates detection and response. Once a sample is tied to a known family, defenders can deploy existing signatures, hunt for the family's typical indicators of compromise, anticipate its next actions (data theft, ransomware deployment, lateral movement), and attribute activity to a threat actor. Without classification, every sample is treated as novel, wasting analyst time and slowing containment.
For example, a SOC receives an unknown executable from an endpoint alert. Detonating it in a sandbox reveals it injects into legitimate processes, beacons to a known C2 domain, and matches a YARA rule for the QakBot banking trojan. Classifying it as QakBot immediately tells responders that it commonly drops follow-on ransomware and spreads via SMB, so they isolate the host, block the C2 infrastructure, and proactively hunt for lateral movement across the network rather than investigating the single file in isolation.
Malware Family Classification is one of the topics you'll master in the CEH Boot Camp.
CEH Boot Camp →