'Trojan Horse' blends malware and geopolitics in a taut thriller

Microsoft Technical Fellow Mark Russinovich has published his second novel, a page-turner that's solidly grounded in technical facts. In a world where Stuxnet is just the beginning of a global campaign of cyberwarfare, who can you trust?
Written by Ed Bott, Senior Contributing Editor on

Mark Russinovich is a great storyteller.

If you’ve heard him speak at a technical conference, you know that this Microsoft technical fellow is whip-smart. His presentation on how to root out malware is like an episode of CSI:Sysinternals—fascinating and compelling even if you’re not a security geek.

So it shouldn’t be surprising that Russinovich’s new novel, Trojan Horse, is an absolute page-turner that’s solidly grounded in modern computer technology.

This is the second novel from Russinovich, who published Zero Day two years ago. His characters from that novel make a return appearance here. Jeff Aiken is a brilliant computer security expert, a PhD and amateur rugby player who comes in to clean up security messes in big corporations and secret government agencies worldwide; he’s assisted by his girlfriend and partner in digital crime solving, Daryl Haugen. She’s also a PhD, a former NSA spook, and an expert at cracking into computer code.

The story starts off in sparsely populated Central Washington, where foreign attackers have succeeded in taking down the power grid for 14 minutes with a piece of custom-built malware. That kicks off a series of small tragedies, including a delicate bit of brain surgery that goes wrong when the computer running the operating room keeps rebooting.

From there the story begins rolling and picks up speed as it caroms around the world, to London and Geneva and Prague and Ankara. Bureaucrats from the U.N. keep getting in the way of British and American intelligence agencies. The Iranians are behind everything, or maybe it’s the Chinese. Or maybe it’s someone else completely.

There are kidnappings and shootings and one hilarious and hair-raising chase scene involving three cars and an ultralight plane through a desolate stretch of Turkey that ends in … well, I won’t spoil it.

The plot holds together admirably, with Stuxnet playing a key role in the breakneck sequence of events. There’s a certain predictability to the plot, as with any thriller, but there are also some artful misdirections and one twist that I guarantee you won’t see coming.

Normally I cringe at the silly technical errors in novels that try to describe computer technology. But Russinovich’s mastery of code (malicious and otherwise) keeps things from running off the rails. Interestingly, an Android Trojan leads to the downfall of one of the bad guys, but the most dangerous vector, the carrier of the Trojan Horse that gives the novel its name, is a mythical program called OfficeWorks—a thinly disguised pseudonym for Microsoft Word.

I read the first half of this novel on a flight to Eastern Europe, and when I got off the plane in Berlin I found myself eyeing my fellow passengers suspiciously. Was one of them secretly a double agent? A triple agent, even? It took hours to shake the paranoia.

Russinovich’s writing has matured in this second effort, and his characters have genuine staying power. His work reminds me of Dick Francis, who wrote some superb thrillers about the world of horse racing from which he had retired. Both authors write about what they know, and they bring small details to the story that help it ring true.

It’s a shame that summer’s almost over, because this is ideal beach reading—a thriller that tackles a couple of big issues and will get you thinking (and worrying) about the fragility of the world’s power grid and information infrastructure. But it’s also perfect for a long plane ride or a rainy weekend.

Highly recommended.
