February 10, 2023 By Jennifer Gregory 3 min read

You’re likely familiar with the names of common malware strains such as MOUSEISLAND, Agent Tesla and TrickBot. But do you know how new malware threats get their names?

As a cybersecurity writer, I quickly add new strains to my vocabulary. But I never knew how they came to have those names in the first place. After writing numerous articles on malware, I decided to dig deep into the naming conventions to shed some light on that question. As it turns out, a name can tell you a lot about the malware itself — but it can also sow some confusion.

Threat group names

First, let’s talk about the difference between group names and malware strain names since they often intertwine and sometimes impact each other. With a one-hit-wonder group or a group with no known name, occasionally, the malware shares the group name. However, in most cases, there is a unique name for both the group and the malware.

You can often learn a lot about a group from its name. Group names often reference the nation-state associated with the group, such as Bear for Russia and Panda for China. The name often reflects the group’s motivation as well. “Spider” in the name means that money motivates a group, and “Jackals” refer to hacktivists.

A few common naming conventions

Now let’s get back to the question of how malware strains themselves are named. The short answer is that strains are named in several different ways. Of course, there are always outliers that get their names in a totally different way, so these are just common examples.

Typically if a cyber criminal doesn’t name their strain themselves, a cybersecurity researcher creates the name. The primary researcher of the strain or attack will usually come up with the name, and they sometimes assign one that seems random — but there is usually a pattern or at least some loose methodology.

And yes, that has led to many issues — especially misidentification and misnaming. Without an industry-wide database that lists the official names of all strains, some strains even end up with multiple names. Because many strains turn into families, researchers and the media must use consistent naming conventions. Otherwise, these labels can cause confusion when experts most need clarity.

6 common ways malware strains get their names

1. Target of the attack

Sometimes the simplest (and most notable) thing about a strain is what the attack is trying to disrupt. For example, the Olympic Destroyer malware got its name because it was trying to shut down the Winter Olympics systems in South Korea in 2018.

2. Computer Antivirus Research Organization (CARO) conventions

Sometimes malware strains have both a formal name and a nickname, just like people. In many cases, we never know or use the name researchers use formally — or the one their mom uses when they’re in trouble. The CARO creates the name based on the strain’s type, platform, family, variant and suffix. Companies such as Microsoft and CrowdStrike often stick to formal names.

3. Unique aspects of the attack

When researchers were studying the HeartBeat malware strain, they noticed an echoing sound that mimicked a heartbeat, which coined its name. Meltdown got its name because of what the attack did: break the isolation between applications and the operating system, which opens up the network to attacks leading to a meltdown.

4. Variant of the threat

Malware often has many strains. And since each strain can vary in significant ways, we need to be able to differentiate between them. This is when the suffix of the CARO name comes into play. The suffix also suggests how the variant is used.

5. Cyber criminals

Sometimes the threat actors themselves name the strain when they take credit for the malware. Other times, the name is integrated into the attack, such as in the case of WannaCry. Some groups actually create logos for their strains for marketing purposes.

6. Functionality

The action of the malware is sometimes the reason behind the name, such as Banker or Downloader. In some cases, that functionality combines with another descriptive word to distinguish it from other strains.

Malware naming conventions can be confusing. But by understanding a bit about common origins, you get a head start on knowing about the strain from the first time you hear the name.

More from Risk Management

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today