Seven Types of Malware That Are Catching Businesses Off Guard Right Now

Your receptionist opens an email that looks like it came from a courier company. She clicks the tracking link. Nothing seems to happen. Two weeks later, you find out your patient records have been quietly copied and sent somewhere overseas. No ransom note. No warning. Just gone.

This is what modern malware actually looks like. It does not announce itself. The old image of a virus crashing your computer or locking your files with a skull and crossbones is outdated. The threats hitting small businesses in New Zealand right now are quieter, smarter, and designed specifically to avoid detection. Understanding what they are - without needing a computer science degree - helps you ask the right questions of whoever manages your IT.

Fileless malware is one of the more unsettling examples. It does not install any software. Instead, it runs entirely inside your computer's normal operating processes, the same ones your system uses every day. There is nothing new on the hard drive for a security scan to find. It arrives, does its work, and leaves almost no trace. Businesses find out about it only after the damage is done.

Polymorphic malware is similarly difficult. It changes its own appearance every time it spreads, so security tools that rely on recognising known threats cannot catch it. It is the digital equivalent of a fraudster who changes their disguise at every door. Related to this is what security researchers call a loader - malware whose only job is to get onto your system undetected, then quietly download the actual attack tools later, once it has confirmed it is inside a real business rather than a security researcher's test environment.

Infostealers are increasingly common and particularly relevant for healthcare and legal practices. Their sole purpose is to harvest saved passwords, session tokens - the small files that keep you logged into systems without needing to re-enter your password - and any sensitive data they can find. Once an attacker has those, they can log into your practice management software, your email, or your client portal as if they were you. Under the NZ Privacy Act 2020, a breach like this carries real reporting obligations and potential liability. You can read more about what that means in practice at the Office of the Privacy Commissioner.

Two other variants worth knowing about: spyware that specifically targets mobile devices - phones and tablets your staff use to access work systems - and AI-assisted malware that can adapt its behaviour in real time to avoid triggering security alerts. Both are moving from large-enterprise targets to smaller businesses as attackers scale their tools. Understanding what mobile app security means for your business is increasingly important as staff rely on phones to access practice systems.

Finally, supply chain malware deserves attention. This is malware hidden inside legitimate software updates from vendors you trust. You click "install update" on a tool your practice has used for years, and the update itself carries the threat. This is exactly how some of the most damaging attacks of recent years have started, and it is a reason why layered cybersecurity protection matters more than any single tool.

What good protection looks like is not a single piece of software. It is a combination of monitored endpoint security across all devices, careful control over who can install software and what it can access, regular patching to close known vulnerabilities, and email filtering that catches malicious links before staff ever see them. When these layers are managed together and actively monitored, the window for any of these threats to operate quietly inside your systems shrinks considerably. The steps that reduce your risk of a data breach overlap directly with defending against the malware types described here.

Most small practices do not have the time or internal expertise to manage this themselves, and they should not have to. A good managed IT support arrangement includes these protections as a baseline, not an add-on. If you are not sure what is currently protecting your systems - or whether anyone is actively watching - that is worth finding out sooner rather than later.

ITstuffed works with professional services practices across Canterbury. A 15-minute IT Fit Check at /booking will give you a clear picture of where you stand.