vx-underground@vxunderground
This is a tricky question and, in a bit of irony, there is a kind of like ... an unspoken ... or poorly documented philosophy of malware development. You kind of learn tricks of the trade as you write malware and witness malware campaigns operating in the wild.
tl;dr idk it depends on wtf ur doing bro
non-tl;dr
To be direct, malware that works is not necessarily good malware. You can write a simple Windows batch script that deletes every file in an important directory and (technically) this would be "wiper" malware. This does not make it good, or sophisticated.
Additionally, what defines "good" has changed over time. There tend to be trends in malware development. Malware tricks that used to work in the 90's are old news. Malware tricks from 2025 are old news (sort of). However, some malware tricks from the 90's are still applicable and can still be evasive.
It's weird.
You'll also see old tricks from the 90's suddenly reappear and catch everyone off guard because... people simply forgot they even existed... The trick is usually only identified by industry veterans (or as the kids say, "unc" or "old heads") who are also surprised the trick has re-emerged. What's old is new. What's old is also old. What's new will eventually be old.
Anyway, "good malware" also depends on the objective. State-sponsored malware (malware written by governments, or written for government or military usage) has extremely strict rules of engagement (usually, not always, but usually). State-sponsored is usually extremely narrow in scope and designed for a very small and limited audience. State-sponsored may not necessarily be super advanced and cutting edge, but because it is so narrow in scope it is difficult to identify.
Conversely, financially motivated Threat Actors' malware (malware developed for ... crime ...) is usually designed to be ass blasted in your face and sprayed across the internet.
Financially motivated Threat Actors will typically (if it's "good malware") design malware to be modular. In other words, because it is being blasted all over the internet it will be detected quickly, hence their malware needs to be broken down into almost like ... plugins ... and they need to have it so their malware can quickly replace one segment of code with another (and quickly).
If you've ever seen racing like NASCAR or F1, you'll notice vehicles can be torn apart in basically seconds and re-assembled, parts effortlessly replaced so they can quickly get back in the race. Likewise, modular malware needs to be able to change quickly to avoid its inevitable detection. If you're curious, look up TrickBot, Emotet, or QakBot. They kind of defined what it means to be modular. They also kind of gave birth to what's known as "MaaS" (Malware-as-a-Service).
State-sponsored Threat Actors' malware is trickier because it needs to be designed for a target. For example, when the United States (allegedly) targeted the Chinese government (allegedly) as APT NightEagle (allegedly), the malware was developed to work almost exclusively for specific Chinese infrastructure and (allegedly) contained exploits which would work in ideal scenarios, which (allegedly) were that of Chinese critical infrastructure.
This can also be seen with what the Russian government alleges the United States and Israel (allegedly) did with Operation Triangulation, where the malware (allegedly) only worked for specific sets of hardware (allegedly). Furthermore, this can also (allegedly) be seen with the United States (allegedly) purchasing cell phone malware from Israeli companies (allegedly) which was developed and sold to ICE (allegedly) to spy on people critical of ICE (allegedly).
These companies are called NSO Group and Intellexa Alliance.
Of course, the United States and Israeli governments vehemently deny the allegations from the Chinese and Russian governments.
Okay, I have to stop writing and schizo ranting for the time being. I have to go back to watching a baby and stuff.