The Trojan Horse is one of the most common and most serious attack methods used by hackers in information security. It is important to analyze and predict this type of attack event and then take appropriate counter-measures. However, it is difficult to analyze the attacks in depth based only on the Trojan Horse event information itself. In this paper, we propose a new analysis method that compares the life cycle of Trojan Horse events in China with the life cycle of search engine queries about the vulnerabilities they exploit. We find that the peak of the query cycle precedes the peak of the attack events. The result suggests that in China, Trojan Horse attacks are conducted mainly by amateur hackers rather than professional hackers. The result is also helpful for predicting Trojan Horse attacks and then applying counter-measures.