Dropper
What is Dropper?
Malware whose role is to install ("drop") another malicious payload onto a target system, often after evading initial detection.
A dropper is a delivery component that carries one or more embedded payloads inside its own body and writes them to disk or memory once executed. Unlike a downloader, it does not need to contact the internet for the next stage. Droppers often arrive as macro documents, ISO/IMG containers, signed installers, or trojanized utilities. They commonly include anti-analysis checks, decoy content, persistence setup and process-injection routines before launching the final malware (info-stealer, ransomware, RAT). Defences include email and web filtering, attachment sandboxing, application allow-listing, EDR with behaviour-based detection, and disabling auto-execution of macros and ISO mounting.
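The definition above turns on one property: the next stage is carried inside the dropper's own body rather than fetched from the network. A quick triage check an analyst can run on a suspicious file is therefore to look for additional PE images (an `MZ` DOS stub whose `e_lfanew` field points at a valid `PE\0\0` signature) hidden past the start of the file. The following is an added example written for this page, not code from the page or from any product it mentions; the sample bytes are constructed synthetic headers, and the `0x40`..`0x10000` bound on `e_lfanew` is a heuristic assumption chosen to suppress chance `MZ` matches in ordinary data.

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
COFF_HEADER_LEN = 20  # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics


def find_pe_images(blob: bytes):
    """Return every plausible PE image inside blob as {offset, machine, sections}.

    A hit needs an 'MZ' stub whose 4-byte little-endian e_lfanew (at stub+0x3C)
    lands on a 'PE\\0\\0' signature that fits inside the blob.
    """
    hits = []
    pos = blob.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Heuristic (assumption): a DOS header is 64 bytes, so e_lfanew is at least 0x40;
            # the upper bound just filters random 'MZ' bytes pointing far away.
            if 0x40 <= e_lfanew <= 0x10000 and pe_off + 4 + COFF_HEADER_LEN <= len(blob) \
                    and blob[pe_off:pe_off + 4] == PE_SIG:
                machine, sections = struct.unpack_from("<HH", blob, pe_off + 4)
                hits.append({"offset": pos, "machine": hex(machine), "sections": sections})
        pos = blob.find(MZ, pos + 1)
    return hits


def embedded_payloads(blob: bytes):
    """PE images that are NOT the container itself.

    If the container is a PE (dropper executable), the image at offset 0 is the carrier;
    if the container is a document or archive, every image found is embedded.
    Either way, anything at offset > 0 is a candidate dropped payload. Carving the exact
    payload length would additionally require walking its section table.
    """
    return [h for h in find_pe_images(blob) if h["offset"] != 0]


def _fake_pe(machine: int, sections: int) -> bytes:
    """Constructed minimal DOS stub + COFF header used only to build the sample input."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> header immediately after the stub
    coff = PE_SIG + struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0, 0)
    return bytes(dos) + coff


# Constructed sample: an x64 "carrier" (3 sections) with padding, a decoy string that happens
# to contain the letters MZ, then an embedded x86 image (5 sections) at offset 314.
SAMPLE_DROPPER = (
    _fake_pe(0x8664, 3)
    + b"\x00" * 200
    + b"decoy text with MZ inside "
    + _fake_pe(0x14C, 5)
    + b"\x00" * 16
)

# Constructed sample: an OLE-style document header followed by one embedded image at offset 104.
SAMPLE_DOCUMENT = b"\xd0\xcf\x11\xe0" + b"\x00" * 100 + _fake_pe(0x14C, 1)


if __name__ == "__main__":
    for name, blob in (("dropper", SAMPLE_DROPPER), ("document", SAMPLE_DOCUMENT)):
        for hit in embedded_payloads(blob):
            print(f"{name}: embedded PE at offset {hit['offset']} "
                  f"(machine {hit['machine']}, {hit['sections']} sections)")
```

The stray `MZ` in the decoy string is deliberate: its `e_lfanew` read falls on zero bytes of the following stub and is rejected by the lower bound, which is the false-positive case the heuristic exists for. On real samples, treat any hit at offset greater than zero as a reason to escalate the file to sandbox detonation rather than as proof by itself, since installers and self-extracting archives legitimately embed executables too.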
● Examples
1. Emotet maldocs dropping Trickbot or Cobalt Strike on infected hosts.
2. ISO/LNK droppers used by Qakbot to bypass Mark-of-the-Web.
● Frequently asked questions
What is Dropper?
Malware whose role is to install ("drop") another malicious payload onto a target system, often after evading initial detection. It belongs to the Malware category of cybersecurity.
What does Dropper mean?
Malware whose role is to install ("drop") another malicious payload onto a target system, often after evading initial detection.
How do you defend against Dropper?
Defences for Dropper typically combine technical controls (email and web filtering, attachment sandboxing, application allow-listing, behaviour-based EDR, and disabling macro auto-execution and ISO mounting) with operational practices, as detailed in the full definition above.
What are other names for Dropper?
Common alternative names include: Malware dropper, Installer dropper.