Web Attack Terminology Glossary
Understanding the terminology used to describe cyberattacks is essential for anyone responsible for securing web applications, networks, or infrastructure. This glossary defines the most common attack-related terms used by security professionals, incident responders, and threat intelligence analysts. For vulnerability-specific terminology, see our companion glossary of common web vulnerability terms.
Attack Infrastructure Terms
Botnet
A botnet is a network of compromised computers, servers, or IoT devices (called "bots" or "zombies") that an attacker controls remotely. Botnets are the primary tool behind DDoS attacks, credential stuffing campaigns, spam distribution, and cryptocurrency mining; the largest have comprised millions of devices. The operator issues commands through a Command and Control (C2) server, and the compromised devices execute them in concert. Notable botnets include Mirai (which recruited IoT devices by logging in with factory-default credentials), Emotet (a loader that distributed other malware), and Necurs (spam distribution).
Command and Control (C2 / C&C)
Command and Control refers to the infrastructure an attacker uses to communicate with and manage compromised systems. A C2 server sends instructions to bots (such as "attack this target" or "download this payload") and receives stolen data in return. Because every bot must eventually call home, C2 traffic is one of the most reliable places to detect an intrusion, so modern C2 infrastructure is built to evade detection and takedown: domain generation algorithms (DGAs) that derive a fresh list of rendezvous domains from a seed and the date, encrypted channels that blend into ordinary HTTPS, social media "dead drops" where a post or profile carries the next address, and peer-to-peer communication with no single server to seize.
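The DGA idea is easiest to see in code. The following is an added example, not code from the glossary or from any real malware family: the mixing function, the seed value, the TLD list and the DNS log line format are all constructed here. It shows why a DGA helps the operator (every bot computes the same daily list, so only one domain needs registering) and why it also helps the defender who recovers the seed (the same list can be precomputed and sinkholed, then matched against DNS logs).

```python
import hashlib
from datetime import date, timedelta

# Added illustration of a domain generation algorithm (DGA). The mixing
# function, seed and TLD list are constructed for this example and belong to
# no real malware family; what carries over is the shape: every bot derives
# the same domain list from (seed, date), the operator registers any one of
# them on the day, and a defender who recovers the seed can precompute the
# same list and sinkhole or block it before the bots ask for it.
TLDS = ("com", "net", "info")


def generate_domains(seed: str, day: date, count: int = 5) -> list:
    """Return the `count` candidate C2 domains a bot tries on `day`."""
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        # Twelve digest bytes become lowercase letters; the next byte picks
        # the TLD. Deterministic, so every bot computes the same names.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def precompute_sinkhole_list(seed: str, start: date, days: int) -> set:
    """Defender side: every domain the family will use from `start` for `days` days."""
    candidates = set()
    for offset in range(days):
        candidates.update(generate_domains(seed, start + timedelta(days=offset)))
    return candidates


def find_dga_queries(dns_log_lines, candidates: set) -> list:
    """Return (client_ip, qname) for each query that hits a precomputed domain.

    Log line format (constructed for this example): "<timestamp> <client_ip> <qname>".
    """
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client_ip, qname = parts
        # normalise case and the trailing dot some resolvers log
        if qname.lower().rstrip(".") in candidates:
            hits.append((client_ip, qname))
    return hits


SEED = "example-family-seed"  # assumed seed, as if recovered by reversing a sample
TODAY = date(2024, 3, 1)      # fixed date so the output is reproducible
TOMORROW = TODAY + timedelta(days=1)


def sample_dns_log() -> list:
    """Constructed DNS log: two infected hosts among ordinary lookups."""
    todays = generate_domains(SEED, TODAY)
    return [
        "2024-03-01T09:00:01 10.0.0.5 www.example.com",
        f"2024-03-01T09:00:02 10.0.0.5 {todays[0]}",
        "2024-03-01T09:00:03 10.0.0.7 cdn.example.net",
        f"2024-03-01T09:00:04 10.0.0.9 {todays[3].upper()}.",
        "2024-03-01T09:00:05 10.0.0.9 mail.example.org",
    ]


if __name__ == "__main__":
    sinkhole = precompute_sinkhole_list(SEED, TODAY, days=3)
    for ip, name in find_dga_queries(sample_dns_log(), sinkhole):
        print(f"possible bot {ip} resolved DGA domain {name}")
```

In practice the sinkhole list is regenerated daily for the families whose seeds have been published, and DNS logs are matched against it; the normalisation step matters because resolver logs differ in case and trailing-dot conventions, and a miss there is a missed infection.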
Payload
In the context of cyberattacks, a payload is the component of malware or an exploit that performs the actual malicious action. The exploit is the mechanism that gains access or triggers a vulnerability; the payload is what happens next. Examples include installing a backdoor, encrypting files (ransomware), exfiltrating data, or establishing a reverse shell for remote access. A single exploit may deliver different payloads depending on the attacker's objectives.
Dropper
A dropper is a type of malware designed to install (or "drop") another piece of malware onto the target system. Droppers often appear as innocent-looking files: a PDF, a Word document with macros, or a legitimate-seeming installer. Once executed, the dropper unpacks and installs the actual payload (ransomware, a RAT, a keylogger). Strictly speaking, a dropper carries that payload embedded within itself, while a downloader fetches it from a remote server, though the two terms are often used interchangeably. Both are a common first stage in multi-stage attacks.
Exploit Kit
An exploit kit is a pre-packaged software toolkit sold or rented on underground markets that automates the exploitation of known vulnerabilities. Exploit kits are typically hosted on compromised or malicious websites. When a victim visits the page, the kit scans their browser and plugins for known vulnerabilities and automatically delivers an appropriate exploit and payload. Prominent historical exploit kits include Angler, RIG, and Magnitude. Exploit kits have declined with the rise of browser auto-updates but remain active, particularly targeting outdated software.
Attack Type Terms
Advanced Persistent Threat (APT)
An APT is a prolonged, targeted cyberattack in which an attacker gains access to a network and remains undetected for an extended period — weeks, months, or even years. APTs are typically conducted by nation-state actors or well-funded criminal organizations with specific intelligence-gathering or sabotage objectives. APT groups are often tracked by security researchers using naming conventions (e.g., APT28, Lazarus Group, Cozy Bear). APTs differ from opportunistic attacks in their persistence, sophistication, and targeted nature.
Ransomware
Ransomware is malware that encrypts the victim's files or locks them out of their system, then demands payment (usually in cryptocurrency) for the decryption key. Modern ransomware operations use "double extortion" — encrypting files and threatening to publicly release stolen data if the ransom is not paid. Ransomware is typically delivered through phishing emails, exploited vulnerabilities, or compromised Remote Desktop Protocol (RDP) access. Notable ransomware families include WannaCry, REvil, LockBit, and BlackCat.
Phishing
Phishing is a social engineering attack that tricks victims into revealing sensitive information (credentials, credit card numbers, personal data) by impersonating a trusted entity. Phishing attacks arrive via email, SMS (smishing), voice calls (vishing), or fake websites. Spear phishing targets specific individuals with personalized messages, while whaling targets senior executives. For a deeper look, see our guide on phishing attacks.
Man-in-the-Middle (MitM)
A Man-in-the-Middle attack occurs when an attacker secretly intercepts and potentially alters communication between two parties who believe they are communicating directly with each other. The attacker can get into the path at the network level (ARP spoofing, rogue Wi-Fi access points), at the DNS level (DNS hijacking), or by downgrading the connection itself (SSL stripping, which answers the victim's initial http:// request and keeps it on plaintext while proxying to the real site over HTTPS). HTTPS, HSTS, and certificate pinning are the primary defenses; note that HSTS only takes effect after a browser has seen the header once over HTTPS, which is the gap that HSTS preloading closes.
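Whether HSTS actually closes the SSL-stripping window depends on how the header is set, so a checker is useful. The following is an added example, not code from the glossary or from NOC.org's products: it parses a Strict-Transport-Security header and reports the weaknesses that leave stripping possible. The thresholds it applies (a one-year max-age, includeSubDomains, preload) are the usual hardening recommendations and are assumptions of this checker.

```python
# Added example, not from the glossary: check whether a response's
# Strict-Transport-Security header actually closes the SSL-stripping window.
# The thresholds (one-year max-age, includeSubDomains, preload) are the usual
# hardening recommendations and are assumptions of this checker.
ONE_YEAR = 365 * 24 * 3600


def parse_hsts(header_value: str):
    """Parse an HSTS directive list into a dict, or return None if invalid.

    Directive names are case-insensitive; unknown ones are ignored; max-age is
    mandatory and must be a non-negative integer (optionally quoted).
    """
    policy = {}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # browsers treat a bad max-age as no policy at all
            policy["max-age"] = int(value)
        elif name in ("includesubdomains", "preload"):
            policy[name] = True
    return policy if "max-age" in policy else None


def assess_hsts(header_value) -> list:
    """Return a list of weaknesses; an empty list means the policy is strong."""
    if header_value is None:
        return ["no HSTS header: every plain http:// request to this host can be stripped"]
    policy = parse_hsts(header_value)
    if policy is None:
        return ["malformed HSTS header: browsers ignore it, so no protection applies"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 deletes any cached policy; the host is unprotected")
    elif policy["max-age"] < ONE_YEAR:
        findings.append("max-age under one year: clients that stay away longer forget the policy")
    if not policy.get("includesubdomains"):
        findings.append("no includeSubDomains: a stripped subdomain can still receive cookies scoped to the parent domain")
    if not policy.get("preload"):
        findings.append("not preloaded: the very first visit is unprotected until the header has been seen once")
    return findings


if __name__ == "__main__":
    for value in (None, "max-age=300", "max-age=31536000; includeSubDomains; preload"):
        print(repr(value), "->", assess_hsts(value) or ["ok"])
```

Two caveats when using this against a live site: browsers ignore an HSTS header that arrives over plain HTTP, so the header must be sent on the HTTPS response and the http:// listener should do nothing but redirect; and adding preload is a commitment, since removal from the browser preload lists takes months, so confirm every subdomain serves valid TLS first.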
Denial of Service (DoS / DDoS)
A Denial of Service attack makes a service unavailable to its intended users by overwhelming it with traffic or exploiting a vulnerability that causes a crash. A Distributed Denial of Service (DDoS) attack sends the traffic from many sources at once (typically a botnet), which both multiplies the volume and defeats blocking by source address. DDoS attacks are categorized into volumetric, protocol, and application-layer attacks. See our comprehensive DDoS attacks guide for details.
Credential Stuffing
Credential stuffing is an automated attack that uses stolen username-password pairs from data breaches to attempt login on other websites, exploiting password reuse. Unlike brute force attacks that guess many passwords for one account, credential stuffing tries each known-valid pair once, so a single source produces a burst of failed logins across many distinct accounts with a small number of successes. The attack requires no sophistication, just access to breach databases and automation tools; multi-factor authentication, screening new passwords against breach corpora, and per-source rate limiting are the standard countermeasures.
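That difference in shape is what a detection rule keys on. The following is an added example, not code from the glossary: it classifies login sources from constructed authentication log lines, separating credential stuffing (many accounts, one attempt each, mostly failing) from brute force (one account, many attempts) and from a busy but legitimate shared address. The log format, the five-minute window, the ten-attempt minimum and the 80% ratios are assumptions of this example, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not part of the glossary: tell credential stuffing apart from
# password brute force using only the fields a login endpoint already logs.
# The log format "<iso_timestamp> <src_ip> <username> <OK|FAIL>" and the
# thresholds below are assumptions of this example.


def parse_auth_log(text: str) -> list:
    """Return (timestamp, src_ip, username, success) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def classify_sources(events, window=timedelta(minutes=5), min_attempts=10) -> dict:
    """Per source IP, find the busiest `window` and label it.

    credential_stuffing: mostly failures, roughly one attempt per distinct account
                         (known-valid pairs tried once each); the successes are the
                         accounts whose password was reused and must be reset.
    brute_force:         mostly failures against one or two accounts.
    normal:              anything else, including a shared NAT that mostly succeeds.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    verdicts = {}
    for ip, evs in by_ip.items():
        verdict = {"verdict": "normal", "attempts": len(evs), "compromised": []}
        j = 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            burst = evs[i:j]
            if len(burst) < min_attempts:
                continue
            failures = sum(1 for e in burst if not e[3])
            if failures < 0.8 * len(burst):
                continue  # mostly successful logins: not an attack pattern
            distinct_users = len({e[2] for e in burst})
            if distinct_users >= 0.8 * len(burst):
                verdict["verdict"] = "credential_stuffing"
                verdict["compromised"] = sorted(e[2] for e in burst if e[3])
                break
            if distinct_users <= 2:
                verdict["verdict"] = "brute_force"
                break
        verdicts[ip] = verdict
    return verdicts


def constructed_auth_log() -> str:
    """Sample input built here for the example; no real logs are involved."""
    lines = []
    # 203.0.113.7: one attempt per account, mostly failing, one hit (password reuse)
    accounts = ["alice", "bob", "carol", "dave", "erin",
                "frank", "grace", "heidi", "ivan", "judy"]
    for i, user in enumerate(accounts):
        result = "OK" if user == "erin" else "FAIL"
        lines.append(f"2024-03-01T10:00:{i:02d} 203.0.113.7 {user} {result}")
    # 198.51.100.4: the same account hammered with different guesses
    for i in range(10):
        lines.append(f"2024-03-01T10:05:{i:02d} 198.51.100.4 carol FAIL")
    # 192.0.2.10: ordinary users behind a shared address, one mistyped password
    lines += ["2024-03-01T10:07:00 192.0.2.10 alice OK",
              "2024-03-01T10:07:30 192.0.2.10 dave FAIL",
              "2024-03-01T10:07:41 192.0.2.10 dave OK"]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, v in classify_sources(parse_auth_log(constructed_auth_log())).items():
        print(ip, v)
```

The `compromised` list is the operationally important output: those accounts logged in successfully from a source that was otherwise failing across dozens of usernames, which is the signature of a reused password, so they need a forced reset and session revocation rather than just a block on the IP. Real campaigns rotate through proxy pools, so in production the same logic is usually keyed on a device or ASN fingerprint as well as the source address.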
Supply Chain Attack
A supply chain attack compromises a target by attacking a less-secure element in the supply chain — a software vendor, open-source library, build system, or hardware component that the target depends on. The SolarWinds attack (2020) and the Codecov breach (2021) are prominent examples. Supply chain attacks are particularly dangerous because they exploit trust relationships and can affect thousands of downstream organizations simultaneously.
Malware and Tooling Terms
Remote Access Trojan (RAT)
A RAT is malware that provides the attacker with remote administrative control over the victim's system. RATs can capture keystrokes, take screenshots, access the webcam, browse files, and execute commands. They are typically installed via phishing, exploit kits, or trojanized software. Unlike legitimate remote access tools, RATs operate covertly and include features to evade detection.
Rootkit
A rootkit is malware designed to gain and maintain privileged access to a system while actively hiding its presence from administrators and security tools. Rootkits can operate at the user level, kernel level, or even firmware level. Kernel-level rootkits are particularly dangerous because they can intercept and modify operating system functions, making them nearly invisible to standard detection methods.
Keylogger
A keylogger is software or hardware that records every keystroke made on a system. Software keyloggers run as background processes and transmit captured keystrokes (including passwords, credit card numbers, and messages) to the attacker. Hardware keyloggers are physical devices inserted between a keyboard and computer. Keyloggers are commonly deployed as part of RAT packages or as standalone spyware.
Cryptojacker
A cryptojacker is malware that hijacks the victim's computing resources (CPU, GPU) to mine cryptocurrency — typically Monero — without the victim's knowledge or consent. Cryptojacking can occur through installed malware or browser-based scripts embedded in compromised websites. The primary symptom is degraded system performance and increased electricity costs.
Zero-Day Exploit
A zero-day exploit targets a vulnerability that is unknown to the software vendor and for which no patch exists. The term "zero-day" refers to the fact that the vendor has had zero days to develop a fix. Zero-day exploits are extremely valuable — they are traded on black markets for hundreds of thousands to millions of dollars and are frequently used by APT groups and intelligence agencies. Defense against zero-days relies on behavioral detection, sandboxing, and defense-in-depth strategies rather than signature-based tools.
Watering Hole Attack
A watering hole attack compromises a website frequently visited by the intended targets. Instead of attacking the targets directly, the attacker infects a site they are known to visit, then waits for them to browse to it and be infected. This technique is commonly used by APT groups targeting specific industries or organizations. The compromised website typically serves an exploit kit or malicious download that installs a backdoor on the visitor's system.
Protect Your Infrastructure
Understanding attack terminology is the foundation of an effective security strategy. Many of these threats — DDoS attacks, credential stuffing, application-layer exploits, and web-based malware delivery — can be mitigated at the network edge with a properly configured web application firewall and CDN. Explore NOC.org's pricing plans to protect your applications against the full spectrum of web-based attacks.