Quantum malware represents an emerging threat requiring systematic investigation to inform defensive infrastructure development. This paper first maps malicious software ontologies and taxonomies onto the European Competence Framework for Quantum Technologies (CFQT), establishing a cross-domain threat mapping model. It proposes a quantum-system-oriented malicious behavior analysis framework that elucidates pathways and evolutionary mechanisms underlying the migration of classical malicious behaviors to quantum software and hardware. Furthermore, it identifies critical attack vectors and vulnerable architectural layers, thereby constructing a foundational threat analysis framework for quantum malware. The results provide theoretical underpinnings and a systematic evaluation paradigm for quantum-resilient defense architectures. This work offers forward-looking guidance for safeguarding critical infrastructure—including defense systems, secure communications, and energy grids—against quantum-enabled cyber threats.

The threat of quantum malware is real and a growing security concern that will have catastrophic scientific and technological impacts, if not addressed early. If weaponised or exploited especially by the wrong hands, malware will undermine highly sophisticated critical systems supported by next-generation quantum architectures, for example, in defence, communications, energy, and space. This paper explores the fundamental nature and implications of quantum malware to enable the future development of appropriate mitigations and defences, thereby protecting critical infrastructure. By conducting a systematic literature review (SLR) that draws on knowledge frameworks such as ontologies and taxonomies to explore malware, this provides insights into how malicious behaviours can be translated into attacks on quantum technologies, thereby providing a lens to analyse the severity of malware against quantum technologies. This study employs the European Competency Framework for Quantum Technologies (CFQT) as a guide to map malware behaviour to several competency layers, creating a foundation in this emerging field.