Threat Detection Library


Troj/* detection name indicates that Sophos has detected a malicious executable file. 

The detection name prefix is an abbrevation of Trojan which comes from “trojan horse”, a name commonly used to describe the most prevalent class of malware. The name "trojan horse" itself comes from Greek mythology where the Greeks used a hollow wooden horse to hide their troops to gain entry to capture and destroy the city of Troy.  

The Sophos detections also include a “family” name portion following the Troj/ prefix. For example Troj/Zbot indicates the Zbot family of trojan horses. The detection name may further describe the specific strain of the malware observed, but there is no website description available at this time.

Once installed, Trojans try to stay hidden by masquerading as legitimate files and may perform a range of malicious actions. The most commonly seen activities include: 

  • data exfiltration
  • credentials theft
  • cryptocurrency mining 
  • encrypting files for ransom 

Trojans can also act as generic botnets providing access to different cybercrime groups for the purpose of orchestrating other attack scenarios.

The malware described as Troj/ often connects to its command-and-control (C2) server. It’s recommended to inspect the compromised system's network communication history.

You can find information about malware attacks on the Sophos X-Ops blog here.

If you believe this detection is incorrect, please report this file to Sophos Support

Send our lab samples for analysis.

Submit a Sample