Reconnaissance means finding out about a target's IP address, website domain, and business domain. Once the attacker finds the IP address or URL, he runs a port scan to identify live systems. Attackers use compromised systems on the internet, which are called botnets.
Malware is weaponized when it is custom-built for a specific target. It may be intended to exploit a weakness in a particular version of an operating system or to target an online banking website. Hackers purchase malware from internet websites offering malware-as-a-service. In the delivery stage, malware is transferred to the target system through an infected document, PDF, image, or other electronic item, which is then sent in a phishing email. It can also be delivered through a vulnerable website, in such a way that when an internet user visits the website, the malware infects his machine. Gaining access to a compromised user ID and password, or using an application's default user IDs and passwords, is another way to deliver the malware to the target system. Software flaws are also used for malware delivery.
In the case of an email, web, or USB-based attack, the infected element exploits a vulnerability in the target software when the document is opened. As soon as the vulnerability is exploited, the infected document or the hacker embeds the payload into the target system. This could be into memory or onto disk, and may also involve installing some form of mechanism to make sure the payload continues to execute even if the system is rebooted.
On Windows, this is done by adding a registry entry that automatically runs the payload when the system starts up. An attack may be intended to carry out actions over a long period of time using remote command and control of the implanted payload, such as when the payload is designed to provide a long-term source of intelligence. The type of action will depend on the attacker's motive, such as impairing a website or stealing sensitive data or bank details.
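From the defender's side, the startup registry entry described above is something that can be audited. The following is an added example, not part of the original text: it parses output in the layout printed by `reg query` for the standard Windows Run keys and lists entries worth a closer look. The sample data, the helper names, and the two heuristics (user-writable path, script host as the launched program) are assumptions made for illustration.

```python
import re

# Constructed sample in the layout `reg query` prints; names and paths are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VendorAgent    REG_SZ    "C:\Program Files\Vendor\agent.exe" --tray

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\upd.exe
    Sync    REG_SZ    powershell.exe -File C:\Users\Public\sync.ps1
"""

# Heuristics assumed for this example; tune them per environment.
WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_run_keys(text):
    """Return one dict per autorun value: key, name, type, data."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            entries.append({"key": key, **m.groupdict()})
    return entries

def image_name(command):
    """File name of the program a command line launches, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        command = command[1:].split('"', 1)[0]
    else:
        command = command.split(" ", 1)[0]
    return command.lower().rsplit("\\", 1)[-1]

def review(entry):
    """List the reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    if any(d in entry["data"].lower() for d in WRITABLE_DIRS):
        reasons.append("user-writable path")
    if image_name(entry["data"]) in SCRIPT_HOSTS:
        reasons.append("script host: " + image_name(entry["data"]))
    return reasons

def flagged(text):
    """Map value name -> reasons, for entries with at least one reason."""
    return {e["name"]: r for e in parse_run_keys(text) if (r := review(e))}
```

A flagged entry is a lead for review rather than a verdict, since legitimate software also registers itself under these keys.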