Edit This Page



Managing a device infected with malicious software.

Learn how to

An infected device...

Isaac notices the LED in webcam turns on even when he is not using it. He worries that he has malware.
He fears that someone is remotely controlling his computer and watching him. If Isaac doesn't remove the malware from his device, he is worried the identity of his sources will be revealed.

What is malware?

Exploiting your device

Malware exploits access to your device to send out spam, seize banking, email or social media credentials, shut down websites and collect vital information from journalists, human rights defenders, NGOs, activists and bloggers.

What malware does

Malware works by installing itself on your device when you open a link to a malicious website or open an infected file you have downloaded. After it is installed on your device, it can record keystrokes, steal passwords, take screenshots, record audio, video and more.

Dangerous software

Malware is dangerous software that allows an unauthorized takeover of your device by another user. It can be used by the government or a third party to surveil you.

Malware for surveillance

While most malware is designed for and utilized by criminals, people working directly or indirectly for governments have increasingly adopted malware as a tool for surveillance, espionage and sabotage.

Prepare for malware

With malware, the important thing you can do is prepare. Refer to the Planning and Preparing unit to learn more about computer hygiene and developing emergency plans.

Malware can threaten your sensitive information

Determining whether you might have malware

1. Malicious attachment or link

You opened an attachment or link that you think may have been malicious. Links or attachments are often the cause of malware infections.

2. Webcam LED turns on when you are not using it

Your webcam LED turns on when you are not using the webcam. This may indicate your device is being accessed remotely.

3. Accounts have been compromised multiple times.

Your accounts have been compromised multiple times, even after you have changed the password. This may indicate someone has control of your device.

4. Device seized and returned

Your device was seized and then returned. It is possible that your device may have been infected with malware when it was taken from you.

5. Device tampered

Someone broke into your home and may have tampered with your device. This may indicate that your device was infected with malware during the break in.

6. Personal data made public

Some of your personal data has been made public and it could only come from your personal computer. This may indicate that someone has access to your computer.

7. Targeting by state

Your group is being targeted by a government, law enforcement, or an actor with equivalent capabilities.

Malicious attachments or links are often the cause of malware

Letting the attack play out

Understanding the attack

Finding out what has happened to you and who has targeted you may be more important than 'cleaning' your computer. It can be very valuable to gain an understanding of your adversary through letting the attack play out.

Collect information

If understanding the attacker and the attack is important to you, you must collect and analyse information when a potential malware infection happens. Do this before ‘cleaning’ your computer.

A risky investment

Keep in mind that counter-surveillance is a big investment, is not easy, and might be perceived by an adversary as an escalation. Weigh the risks and benefits carefully and develop a strategy to decide on next steps by reading the Risk Analysis lesson.

Use a safe computer

Always move all activities to a safe computer if you feel you are under surveillance and read the Seeking Help lesson to learn how.

Communicate safely

Do not reveal that you feel you are being surveilled using electronic commmunications or physical behaviour and read the Secure Communications lesson to learn how to do so.

Two types of counter-surveillance

There are two types of counter-surveillance, covert and overt counter-surveillance. In both cases, the primary aim is to identify whether you are being surveilled, not to lose your adversary.

Covert counter-surveillance

Covert counter-surveillance means trying to identify your potential adversary without letting them know that you are looking for them. The primary

Overt counter-surveillance

Overt counter-surveillance means trying to stop or identity your potential adversary through making them aware of what you are trying to do. This is extremely risky and should not be taken lightly.

Be careful around an infected device!

Stop using your device

Anti-virus software

There is no quick fix to clean up malware from you computer. Anti-virus software may be good at protecting your device from common viruses, but it is mostly ineffective against sophisticated attackers.

Refer to emergency plans

If you believe you are being targeted, disconnect your device from the internet, turn it off, unplug it, remove the battery from your device and seek the help of a trusted security professional. Refer to your Emergency Plans.

Stop using a device infected with malware


What is gitbook used for?

To read books To book hotel named git To write and publish beautiful books GitBook.com lets you write, publish and manage your books online as a service.

Is it quiz?

Yes No


  • en/topics/practice-1-emergencies/0-getting-started: Find out about other types of emergencies
  • en/topics/understand-2-security/0-getting-started: Dig deeper on various aspects of security
  • en/topics/understand-3-opsec/0-getting-started: Find out about what operational security or opsec means
  • en/topics/understand-4-digisec/0-getting-started: Learn more about important concepts of digital security

See also: