In which phase of the cyber kill chain would an attacker typically use malware?

The phase of the cyber kill chain where an attacker typically uses malware is during the Installation phase. In this stage, after the attacker has successfully exploited a vulnerability and gained access to the target system, they focus on establishing a foothold. This is typically done using malware, which is installed on the compromised system to maintain access and control over it. The malware allows the attacker to facilitate further actions, such as data exfiltration or reconnaissance, without needing to repeatedly exploit the original vulnerability.

Looking at the context of the other phases, during the Delivery phase, the malware is being sent to the target, often through methods like phishing emails or malicious attachments. In the Exploitation phase, the attacker takes advantage of a vulnerability to execute code, but the actual installation of the malware happens afterward. In the Actions on Objectives phase, the attacker uses the established access to achieve their goals, such as stealing information or executing commands, but by that point, the malware would have already been installed. Thus, Installation is correctly identified as the phase most associated with the use of malware.