What is malware?
Malware is any software deliberately designed to damage, disrupt, or gain unauthorised access to a computer system or network. The word is a contraction of “malicious software,” and it covers everything from viruses and ransomware to spyware and trojans. If a program does something to your device or data that you did not consent to, it almost certainly qualifies.
Why malware matters for New Zealand users
New Zealand sits in a peculiar position when it comes to cyber threats. As a member of the Five Eyes intelligence alliance alongside the US, UK, Canada, and Australia, NZ is both a target for state-sponsored actors and a jurisdiction where government agencies have broad data-collection powers under the Telecommunications (Interception Capability and Security) Act 2013 and the Intelligence and Security Act 2017. The Privacy Act 2020 requires organisations to notify the Privacy Commissioner of serious privacy breaches, which means when a NZ business gets hit by ransomware or a data-stealing trojan, there are now real legal consequences — not just reputational ones.
CERT NZ (now operating under the NCSC umbrella) consistently reports that New Zealanders lose millions of dollars annually to cybercrime, with malware-enabled incidents accounting for a significant share. Phishing emails that deliver malware payloads are the most common initial access vector reported by NZ businesses. The shift to Chorus fibre — including Hyperfibre connections running at 2Gbps and 4Gbps — has made NZ households faster, but speed does not equal security. A fast connection simply means malware can exfiltrate your data or download additional payloads more quickly once it has a foothold.
NZ ISPs including Spark, One NZ, and 2degrees offer varying levels of network-level threat filtering, but none of these are a substitute for endpoint protection. ISP-level filters catch known bad domains; they do not inspect encrypted traffic or stop a malicious attachment you open in your email client.
The main types of malware
Understanding the categories helps you recognise threats and choose the right defences. These are not mutually exclusive — modern malware often combines several techniques.
- Viruses: Self-replicating code that attaches to legitimate files. Requires a user action (opening a file, running a program) to activate and spread.
- Worms: Like viruses but self-propagating across networks without user interaction. Particularly dangerous on corporate networks.
- Trojans: Disguised as legitimate software. You install what looks like a free game or a cracked application; in the background it opens a backdoor or steals credentials.
- Ransomware: Encrypts your files and demands payment — usually in cryptocurrency — for the decryption key. NZ schools, healthcare providers, and small businesses have all been hit. Paying the ransom does not guarantee recovery.
- Spyware: Silently monitors your activity, capturing keystrokes, screenshots, and browsing history. Often bundled with free software.
- Adware: Injects unwanted advertisements, redirects your browser, and frequently acts as a delivery mechanism for more serious payloads.
- Rootkits: Embed themselves deep in the operating system, sometimes at the firmware level, making them extremely difficult to detect and remove.
- Botnets / RATs: Remote Access Trojans turn your device into a node in a botnet, used for sending spam, conducting DDoS attacks, or mining cryptocurrency at your expense.
- Fileless malware: Operates entirely in memory, leaving no file on disk. Traditional signature-based antivirus struggles to catch it.
How malware gets onto your device: a step-by-step look
Malware does not appear by magic. There is almost always a chain of events, and understanding that chain is where your defence starts.
1. Initial contact: You receive a phishing email purportedly from IRD, NZ Post, or your bank. Alternatively, you visit a compromised website, click a malicious ad, or download software from an unofficial source. In corporate environments, attackers also exploit unpatched vulnerabilities in internet-facing services.
2. Delivery: The malicious payload arrives as an email attachment (a macro-enabled Word document is a classic), a drive-by download triggered by your browser, or bundled inside a legitimate-looking installer.
3. Execution: Something triggers the code. This might be you opening the attachment, a macro running automatically, or an exploit taking advantage of an unpatched vulnerability in your PDF reader or browser.
4. Persistence: The malware writes itself to startup locations — the Windows registry, a LaunchAgent on macOS, a cron job on Linux — so it survives a reboot.
5. Command and control (C2): The malware phones home to an attacker-controlled server, often over HTTPS to blend in with normal traffic. This is where instructions are received and stolen data is sent.
6. Action on objectives: Depending on the malware type, this is where files get encrypted, credentials get harvested, or your device joins a botnet.
The gap between steps one and six can be seconds for automated attacks, or weeks for targeted intrusions where attackers move slowly to avoid detection. Either way, the earlier you interrupt the chain, the better.
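The persistence step is one of the easier links in the chain to inspect yourself. The following is an added example, not part of the original article: a Python sketch that lists macOS LaunchAgent/LaunchDaemon and Linux cron entries and flags commands worth a closer look. The two flagging heuristics and the function names are assumptions chosen for illustration, and the Windows registry is not covered.

```python
import plistlib
import re
from pathlib import Path

CRON_SCHEDULE = re.compile(r"^(@\w+|(\S+\s+){5})\s*")  # "@reboot" or five time fields
CHECKS = [  # assumed review heuristics, not an authoritative rule set
    (lambda c: any(d in c for d in ("/tmp/", "/var/tmp/", "/dev/shm/", "/Users/Shared/")),
     "runs from a temporary or shared directory"),
    (re.compile(r"/\.[^/\s.]").search, "references a hidden file or directory"),
]

def launchd_entries(root, home):
    """Yield (source, command) from LaunchAgent/LaunchDaemon plists (macOS)."""
    for d in (root / "Library/LaunchAgents", root / "Library/LaunchDaemons",
              home / "Library/LaunchAgents"):
        for plist in sorted(d.glob("*.plist")):
            try:
                job = plistlib.loads(plist.read_bytes())
                args = job.get("ProgramArguments") or [job.get("Program", "")]
            except Exception:  # unreadable or malformed plist is skipped here
                continue
            yield str(plist), " ".join(map(str, args))

def cron_entries(root):
    """Yield (source, command) from system and per-user crontabs (Linux)."""
    files = [root / "etc/crontab"]
    for d in ("etc/cron.d", "var/spool/cron/crontabs"):
        files += sorted((root / d).glob("*"))  # empty if the directory is missing
    for f in files:
        try:
            lines = f.read_text(errors="replace").splitlines()
        except OSError:  # missing file, a directory, or root needed to read it
            continue
        for line in map(str.strip, lines):
            m = CRON_SCHEDULE.match(line)
            if m and not line.startswith("#"):
                yield str(f), line[m.end():]  # system crontabs keep the user field

def audit(root="/", home=None):
    """Return [(source, command, reasons)] for autostart entries worth a closer look."""
    root, home = Path(root), Path(home or Path.home())
    findings = []
    for source, cmd in [*launchd_entries(root, home), *cron_entries(root)]:
        reasons = [why for test, why in CHECKS if test(cmd)]
        if reasons:
            findings.append((source, cmd, reasons))
    return findings

if __name__ == "__main__":
    print(*audit(), sep="\n")
```

A flagged entry is a prompt to investigate, not proof of infection; per-user crontabs are normally readable only by root, so run it with elevated privileges for full coverage.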
Common mistakes NZ users make
Relying solely on Windows Defender or macOS Gatekeeper. These are good baseline tools, but they are not comprehensive. Defender has improved dramatically and should absolutely be enabled, but pairing it with a dedicated anti-malware layer catches threats that slip through signature databases.
Ignoring software updates. The majority of successful malware infections exploit known vulnerabilities for which patches already exist. On a Chorus fibre connection, updating Windows, macOS, or your router firmware takes minutes. There is no good excuse for running unpatched software.
Using the same password everywhere. Credential-stealing malware harvests one password and attackers use it across every service you have. A password manager and unique credentials per site limit the blast radius.
Assuming a VPN protects against malware. A VPN encrypts your traffic and masks your IP address — it does not scan files, block malicious downloads, or remove infections. Some VPN providers include DNS-based malware blocking (Surfshark’s CleanWeb, NordVPN’s Threat Protection, Mullvad’s DNS content blocking), but these are supplementary, not primary defences. For a broader look at what a VPN actually does for your security posture, see our best VPN guide.
Downloading software from unofficial sources. Cracked software and unofficial app repositories are the single most reliable delivery mechanism for trojans in the consumer space. This applies to mobile devices too — sideloaded Android APKs are a significant vector.
Not backing up data. Ransomware is devastating precisely because victims have no leverage if they have no backups. The 3-2-1 rule (three copies, two different media types, one offsite) is the standard recommendation. Cloud backup services with versioning mean ransomware cannot simply encrypt your backup too.
How to check if your device is infected
Some infections are obvious — ransomware will tell you. Others are designed to be invisible. Watch for these indicators:
- Unexplained slowdowns or high CPU/memory usage when the device should be idle
- Unfamiliar processes in Task Manager or Activity Monitor
- Browser homepage or search engine changed without your input
- Antivirus disabled or unable to update
- Unusual outbound network traffic, especially to foreign IP ranges (check your router’s traffic logs)
- Accounts locked out or password-reset emails you did not request
- Files with unfamiliar extensions or a ransom note on the desktop
If you suspect an infection, disconnect from the network immediately to prevent further data exfiltration or lateral movement. Do not turn the device off if you want forensic evidence preserved — but for most home users, a reboot into safe mode followed by a full scan is the practical first step.
Recommended tools and NZD pricing
The table below covers the main anti-malware tools available to NZ consumers and small businesses, with approximate NZD pricing as of mid-2025. Exchange rates fluctuate, so treat these as indicative. Most vendors price in USD and convert at checkout.
| Tool | Type | Platforms | Approx. NZD/year (1 device) | Standout feature |
|---|---|---|---|---|
| Malwarebytes Premium | Anti-malware | Win, Mac, Android, iOS | ~NZ$65 | Strong on PUPs and adware; good complement to Defender |
| Bitdefender Total Security | Full suite | Win, Mac, Android, iOS | ~NZ$85 (5 devices) | Consistently top-rated detection; low system impact |
| ESET Internet Security | Full suite | Win, Mac, Linux, Android | ~NZ$75 | Linux support; good for mixed-OS households |
| Kaspersky Standard | Full suite | Win, Mac, Android, iOS | ~NZ$60 | High detection rates; note ongoing geopolitical concerns re: Russian origin |
| Windows Defender (built-in) | Baseline AV | Windows only | Free | Adequate baseline; no extra cost; enable and keep updated |
| Malwarebytes Free | On-demand scanner | Win, Mac, Android, iOS | Free | No real-time protection; useful for second-opinion scans |
For most NZ home users on a budget, the combination of Windows Defender (enabled and updated) plus Malwarebytes Free for periodic second-opinion scans is a reasonable no-cost baseline. If you want real-time protection beyond Defender, Bitdefender Total Security at roughly NZ$85 for five devices is strong value for a household. Small businesses should look at endpoint detection and response (EDR) solutions rather than consumer antivirus — the threat model is different.
If you are considering a free VPN as part of your security stack, be cautious: many free VPN services have been caught logging and selling user data, which is the opposite of what you want. Our free VPN guide covers which options are genuinely trustworthy and which to avoid.
Key takeaway: No single tool catches everything. Layered defences — a reputable antivirus, a password manager, automatic updates, and regular backups — are more effective than any one product.
Protecting NZ streaming accounts and personal data
Credential-stealing malware specifically targets saved browser passwords, which means your TVNZ+, Neon, Sky Sport Now, and ThreeNow accounts are at risk alongside your banking credentials. Streaming account credentials are sold in bulk on dark web marketplaces — attackers either use them directly or resell access. Enable two-factor authentication on every streaming and financial account that supports it. Most NZ streaming platforms now offer 2FA; use it.
Under the Privacy Act 2020, if a NZ organisation suffers a breach that causes serious harm — including through malware — they must notify both the Privacy Commissioner and affected individuals. As a consumer, this means you should receive notification if your data is compromised through a business you deal with. However, the Act does not protect you from malware on your own device; that responsibility sits with you.
Malware on mobile devices
Android is significantly more exposed than iOS due to its open ecosystem and the prevalence of sideloaded apps. Stick to the Google Play Store, keep Google Play Protect enabled, and be sceptical of apps requesting excessive permissions. iOS is not immune — malicious configuration profiles and, historically, zero-click exploits have been used against high-value targets — but the average NZ consumer faces far lower risk on iOS than Android.
On both platforms, be wary of SMS phishing (smishing) that directs you to download an app outside the official store. NZ Post and IRD are frequently impersonated in these campaigns.
FAQ
Can Macs get malware?
Yes. macOS has strong built-in protections — Gatekeeper, XProtect, and System Integrity Protection — but Mac malware exists and is increasing as Apple’s market share grows. Adware, browser hijackers, and info-stealers targeting macOS are well-documented. Do not assume you are safe because you use a Mac; keep the OS updated and consider a reputable third-party scanner.
Does a VPN protect me from malware?
Not directly. A VPN encrypts your internet traffic and can prevent some network-level snooping, but it does not scan files you download or block malicious code from executing on your device. Some VPNs include DNS-based blocking that can prevent connections to known malware command-and-control servers, which is a useful supplementary layer — but it is not a replacement for dedicated anti-malware software.
What should I do if I think I have ransomware?
Disconnect from the internet and your local network immediately to stop the ransomware spreading to other devices or network shares. Do not pay the ransom without exhausting other options first — payment does not guarantee decryption, and it funds further attacks. Check the No More Ransom project (nomoreransom.org) to see if a free decryptor exists for your ransomware variant. Then restore from a clean backup if you have one, or seek professional assistance. Report the incident to CERT NZ (cert.govt.nz).
Is free antivirus good enough for a NZ home user?
For a careful user who keeps their OS updated, avoids unofficial software sources, and uses a password manager, Windows Defender plus periodic Malwarebytes Free scans is a reasonable baseline. However, free tools generally lack real-time web protection, email scanning, and behavioural detection. If you do online banking, manage business data, or have family members who are less security-conscious, a paid suite adds meaningful protection for a modest cost.
How does malware relate to the Five Eyes and NZ surveillance laws?
State-sponsored malware — used by intelligence agencies including those within Five Eyes — is a real category of threat, primarily targeting journalists, activists, and high-value government or corporate targets. For the average NZ resident, state-sponsored malware is not a realistic threat. The more relevant connection is that Five Eyes membership means NZ’s GCSB and NCSC share threat intelligence with partner agencies, which informs the advisories and alerts that CERT NZ publishes. Following those advisories is genuinely useful.
Can my router be infected with malware?
Yes. Router malware is less common but particularly dangerous because it sits upstream of all your devices and can intercept traffic before any endpoint protection sees it. Routers provided by Spark, One NZ, and 2degrees are generally updated automatically, but third-party routers — especially older models — may not be. Log into your router’s admin panel, check for firmware updates, change the default admin password, and disable remote management if you do not need it.
What NZ government resources exist for malware incidents?
CERT NZ (now part of the National Cyber Security Centre at ncsc.govt.nz) is the primary resource. They publish threat advisories, accept incident reports, and provide free guidance for individuals and small businesses. The Privacy Commissioner’s office (privacy.org.nz) is relevant if personal data has been compromised. For businesses, the NCSC’s Malware Free Networks programme provides threat intelligence feeds to participating ISPs and organisations.
Bottom line
Malware is not an abstract threat — it is the mechanism behind most of the financial losses, data breaches, and service disruptions that affect New Zealand individuals and businesses every year. The good news is that the defences are well understood and, for most people, not expensive. Keep your operating system and software updated, use a reputable anti-malware tool alongside Windows Defender, back up your data with versioning, use unique passwords via a password manager, and enable two-factor authentication on every account that matters. A VPN adds a useful layer for privacy and can block some malicious DNS lookups, but it is not a malware solution on its own. The threat landscape will keep evolving — fileless attacks, AI-generated phishing, and supply chain compromises are all growing vectors — but the fundamentals of good hygiene remain the same, and they work.


