Real-World Malware Case Studies & Code Evasion
Stuxnet, Colonial Pipeline (DarkSide), and REvil (Kaseya) viewed as engineering case studies. Then the code-level evasion ladder: oligomorphic, polymorphic, and metamorphic malware.
Three cases that changed the industry
Reading about malware types in a table builds vocabulary. Reading about real incidents builds judgement. The three cases below illustrate three different classes of failure, and each changed how the industry thinks about defence.
Stuxnet (2010) — when malware crosses into the physical world
Stuxnet was not ordinary malware. It was a precision weapon. Discovered in June 2010 by VirusBlokAda (a Belarusian AV firm), it exploited four separate zero-day Windows vulnerabilities in a single campaign — an investment so expensive that it pointed immediately to state sponsorship.
The worm spread via USB drives and network shares, but its payload was surgically targeted: it attacked Siemens Step 7 software running on specific Siemens S7-315 and S7-417 programmable logic controllers (PLCs) connected to variable-frequency drives operating between 807 Hz and 1210 Hz. Those parameters matched the gas centrifuge cascades at Iran's Natanz uranium enrichment facility.
Once inside the right PLC, Stuxnet subtly altered centrifuge rotation speeds, causing mechanical stress and physical damage over weeks. Meanwhile, it replayed pre-recorded "normal" sensor readings to the monitoring system, so operators saw nothing wrong. An estimated 1,000 centrifuges were damaged over several months before the attack was discovered.
| Component | Detail |
|---|---|
| Propagation | USB removable drives (LNK shortcut exploit; earlier variants used autorun.inf), network shares (MS08-067), print spooler (MS10-061), infected Step 7 project files |
| Zero-days used | 4 (LNK file handling, print spooler, two privilege escalation) |
| Code signing | Stolen certificates from Realtek and JMicron |
| Target system | Siemens S7-315/S7-417 PLCs, reached through SIMATIC Step 7 / WinCC on Windows engineering stations |
| Payload effect | Altered centrifuge frequency drives (807–1210 Hz range) |
| Concealment | Replayed pre-recorded sensor data to operator consoles |
| Estimated damage | ~1,000 centrifuges at Natanz |
What this case teaches: Air-gapped networks are not immune. If malware can reach a USB port, it can reach the control system behind it. Stuxnet is also impossible to classify under a single malware type — it combined worm propagation, rootkit concealment, signed drivers, and industrial sabotage code. Real-world threats do not respect taxonomy boundaries.
Colonial Pipeline / DarkSide (2021) — a $4.4 million password
In May 2021, the DarkSide ransomware group (operating a Ransomware-as-a-Service model) compromised Colonial Pipeline, the largest refined fuel pipeline in the United States: 5,500 miles, supplying 45% of the US East Coast's fuel.
The entry point was a single VPN account. It was a legacy account, no longer in active use but never disabled, and it had no multi-factor authentication. Its password had appeared in a separate data breach, which points to credential reuse (credential stuffing or a dark-web purchase) rather than to any exploit.
Once inside, the attackers moved through the IT network, exfiltrated roughly 100 GB of data as double-extortion leverage, and deployed DarkSide's ransomware (Salsa20 file encryption, with the per-file keys wrapped by RSA-1024) on business systems. No compromise of the OT network was ever reported; Colonial shut the pipeline down as a precaution because it could not immediately rule out that the intrusion had reached operational systems. Colonial Pipeline paid about $4.4 million in Bitcoin (75 BTC) within hours. The US Department of Justice later seized roughly 63.7 BTC, then worth about $2.3 million, by tracing the payment through the blockchain to a wallet whose key it had obtained.
The pipeline shut down for six days. Seventeen US states declared fuel emergencies. Panic buying emptied petrol stations across the Southeast.
What this case teaches: The attack required no zero-day, no supply chain compromise, and no sophisticated exploit. It required one stale VPN account without MFA. The gap between trivial to prevent and catastrophic in impact is rarely illustrated so starkly.
REvil / Kaseya (2021) — poisoning the update pipeline
In July 2021, an affiliate of the REvil (Sodinokibi) RaaS group exploited a zero-day authentication bypass (CVE-2021-30116) in Kaseya VSA, a remote monitoring and management (RMM) tool used by Managed Service Providers (MSPs).
The exploit allowed the attacker to push a malicious "software update" through the VSA agent. Because MSPs trusted VSA implicitly, since it was their own management tool, the update propagated to approximately 60 MSPs and cascaded to over 1,500 downstream businesses. The payload was delivered as a fake Kaseya update and dropped into a Kaseya working directory that Kaseya's own documentation told customers to exclude from antivirus scanning, so the vendor's recommended configuration shielded it from the endpoint AV.
REvil demanded $70 million for a universal decryptor. Individual victims received demands ranging from $44,000 to $5 million. Roughly three weeks later Kaseya received a working universal decryptor from what it described as a trusted third party; it was later reported that the FBI had obtained the key from REvil's own infrastructure and had delayed releasing it while an operation against the group was planned.
What this case teaches: Supply chain attacks are disproportionately efficient. One vulnerability in one trusted tool compromised 1,500 organisations. Every RMM agent, every auto-update mechanism, and every trusted software pipeline is a potential single point of failure.
The pattern across all three
All three case studies share one pattern. In each case, the technical sophistication of the initial access was inversely proportional to the damage caused. Stuxnet used four zero-days and damaged one facility. Colonial Pipeline used one stolen password and disrupted fuel supply for 17 states. Kaseya used one authentication bypass and hit 1,500 organisations. The most expensive attacks are not necessarily the most clever ones.
Code-level evasion: the oligomorphic ladder
Beyond delivery and operational tradecraft, malware authors invest heavily in evading signature-based detection. The classical evolution moves through three levels.
Oligomorphic
The lowest rung. The malware ships with a small set (typically 2–10) of pre-built decryptor stubs, and each infection picks one. Anti-virus must learn each stub variant separately, but because the set is bounded, a handful of signatures eventually covers every member of the family.
Polymorphic
The decryptor is generated fresh on every infection by an embedded mutation engine. Each generated stub is functionally identical but byte-different — different register choices, NOP padding, equivalent instruction substitutions. The encrypted payload is unchanged, but the surface the AV scans is constantly new.
Example: instead of always emitting MOV EAX, 0, the engine randomly chooses between MOV EAX, 0, XOR EAX, EAX, SUB EAX, EAX, or AND EAX, 0. All four leave EAX = 0 but encode to different bytes. They are not identical in CPU state, though: XOR, SUB and AND write EFLAGS, while MOV does not. A correct mutation engine therefore only substitutes the flag-clobbering forms at points where the flags are dead, that is, not read before the next instruction that sets them.
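The substitution above, and the exercise at the end of the lesson that asks for three ways to zero EAX, as an added example that is not code from the original page or from any real malware family. It emits real 32-bit x86 encodings so the byte-level variation is visible, but nothing is executed: the stub layout (zero a byte counter, pad, load the key, XOR loop), the NOP filler set and the PAYLOAD string are assumptions constructed for illustration, and the flag annotation records the caveat from the paragraph above.

```python
"""Toy polymorphic decryptor generator (added example, not from the page)."""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Variant:
    asm: str              # mnemonic, for display only
    code: bytes           # 32-bit x86 encoding
    clobbers_flags: bool  # True if the instruction writes EFLAGS


# Functionally equivalent ways of setting EAX = 0 (real encodings).
ZERO_EAX = (
    Variant("mov eax, 0",   bytes.fromhex("b800000000"), False),
    Variant("xor eax, eax", bytes.fromhex("31c0"),       True),
    Variant("sub eax, eax", bytes.fromhex("29c0"),       True),
    Variant("and eax, 0",   bytes.fromhex("83e000"),     True),
)

# Filler the engine sprinkles in: Intel's recommended 1-4 byte NOPs.
NOPS = (
    bytes.fromhex("90"),        # nop
    bytes.fromhex("6690"),      # xchg ax, ax
    bytes.fromhex("0f1f00"),    # nopl [eax]
    bytes.fromhex("0f1f4000"),  # nopl 0[eax]
)

# Invariant core every generation shares (assumes esi -> payload, edx = length):
#   loop: xor byte [esi+eax], cl ; inc eax ; cmp eax, edx ; jne loop
LOOP = bytes.fromhex("300c06" "40" "39d0" "75f8")

PAYLOAD = b"constructed payload: not real code"  # constructed sample input


def build_stub(zero_idx: int, filler: list[int], key: int) -> bytes:
    """Deterministic assembler for one stub shape."""
    out = bytearray(ZERO_EAX[zero_idx].code)  # eax = 0: byte counter
    for i in filler:
        out += NOPS[i]                        # harmless padding
    out += bytes([0xB1, key])                 # mov cl, key
    out += LOOP
    return bytes(out)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def generate_sample(rng: random.Random, payload: bytes) -> bytes:
    """One 'infection': random idiom, random padding, random key."""
    zero_idx = rng.randrange(len(ZERO_EAX))
    filler = [rng.randrange(len(NOPS)) for _ in range(rng.randint(0, 4))]
    key = rng.randint(1, 255)
    return build_stub(zero_idx, filler, key) + xor_bytes(payload, key)


def parse_stub(sample: bytes) -> tuple[int, int]:
    """Walk the stub the way an unpacker would; returns (stub_len, key)."""
    for v in ZERO_EAX:
        if sample.startswith(v.code):
            pos = len(v.code)
            break
    else:
        raise ValueError("no known zero-EAX idiom at entry")
    while any(sample.startswith(n, pos) for n in NOPS):
        pos += next(len(n) for n in NOPS if sample.startswith(n, pos))
    if sample[pos] != 0xB1:
        raise ValueError("expected mov cl, imm8")
    key = sample[pos + 1]
    pos += 2
    if sample[pos:pos + len(LOOP)] != LOOP:
        raise ValueError("decrypt loop not found")
    return pos + len(LOOP), key


def recover_payload(sample: bytes) -> bytes:
    stub_len, key = parse_stub(sample)
    return xor_bytes(sample[stub_len:], key)


def signature_hits(signature: bytes, sample: bytes) -> bool:
    """A naive byte-signature scanner: plain substring match."""
    return signature in sample


def flag_safe_variants() -> list[Variant]:
    """Only these may replace the original where EFLAGS is live afterwards."""
    return [v for v in ZERO_EAX if not v.clobbers_flags]


if __name__ == "__main__":
    rng = random.Random(2021)
    first = generate_sample(rng, PAYLOAD)
    sig = first[:parse_stub(first)[0]]        # signature = whole stub of gen 0
    for n in range(1, 6):
        s = generate_sample(rng, PAYLOAD)
        print(f"gen {n}: stub={s[:parse_stub(s)[0]].hex()} "
              f"sig_hit={signature_hits(sig, s)} ok={recover_payload(s) == PAYLOAD}")
```

Run it and every generation decrypts to the same payload while a signature cut from one generation's stub misses the others; the only bytes a scanner can rely on are the invariant LOOP core, which is exactly what a real engine would mutate next. Note that with only four idioms and four fillers the variant space is small and bounded, which is the oligomorphic end of the ladder; a polymorphic engine grows that space by generating the whole stub, not picking from a list.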
Metamorphic
The most advanced. The entire body of the malware is rewritten on every replication, not just the decryptor stub. The malware contains its own mini-disassembler and code generator. It reads its own code, transforms it (substitutes equivalent instructions, reorders independent statements, inserts garbage that does nothing), and writes a new version of itself. There is no fixed signature anywhere.
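The three transforms named above (equivalent substitution aside, which the polymorphic example covers), as an added example that is not code from the original page or from any real engine. It works on a tiny constructed register IR rather than machine code: a def/use check decides which adjacent instructions may be reordered, a backwards liveness pass finds registers that are dead so garbage writes can be inserted safely, and a small interpreter confirms each rewritten body still computes the same result. The IR, the register set, the ORIGINAL program and the choice of ecx as the observable output are assumptions for illustration; flags are not modelled.

```python
"""Toy metamorphic rewriter over a tiny register IR (added example)."""
from __future__ import annotations

import hashlib
import random

REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi")
MASK = 0xFFFFFFFF

# Constructed input program: ends with ecx = (5 + 7) ^ 0 = 12.
# Each instruction is (op, dst, src); src is a register name or an immediate.
ORIGINAL = [
    ("mov", "eax", 5),
    ("mov", "ebx", 7),
    ("add", "eax", "ebx"),
    ("mov", "ecx", 0),
    ("xor", "ecx", "eax"),
]


def reads(ins):
    op, dst, src = ins
    r = {src} if isinstance(src, str) else set()
    if op != "mov":          # add/sub/xor read their destination too
        r.add(dst)
    return r


def writes(ins):
    return {ins[1]}


def can_swap(a, b):
    """True if a and b carry no RAW, WAR or WAW dependence on each other."""
    return not (writes(a) & (reads(b) | writes(b))) and not (writes(b) & reads(a))


def dead_registers_before(program, index, outputs):
    """Registers whose value just before program[index] is never observed."""
    live = set(outputs)
    for ins in reversed(program[index:]):
        live = (live - writes(ins)) | reads(ins)
    return set(REGS) - live


def mutate(program, rng, outputs, swaps=5, garbage=3):
    """One replication: reorder independent neighbours, then add junk writes."""
    prog = list(program)
    for _ in range(swaps):
        i = rng.randrange(len(prog) - 1)
        if can_swap(prog[i], prog[i + 1]):
            prog[i], prog[i + 1] = prog[i + 1], prog[i]
    for _ in range(garbage):
        i = rng.randrange(len(prog) + 1)
        dead = sorted(dead_registers_before(prog, i, outputs))
        if dead:                                 # junk may only hit a dead register
            prog.insert(i, ("mov", rng.choice(dead), rng.randrange(1 << 32)))
    return prog


def run(program, init=None):
    """Straight-line interpreter with 32-bit wraparound."""
    regs = {r: 0 for r in REGS}
    regs.update(init or {})
    for op, dst, src in program:
        val = regs[src] if isinstance(src, str) else src
        if op == "mov":
            regs[dst] = val & MASK
        elif op == "add":
            regs[dst] = (regs[dst] + val) & MASK
        elif op == "sub":
            regs[dst] = (regs[dst] - val) & MASK
        elif op == "xor":
            regs[dst] = regs[dst] ^ val
        else:
            raise ValueError(f"unknown op {op}")
    return regs


def equivalent(p, q, outputs, init=None):
    """Observable equivalence: same final values in the output registers."""
    rp, rq = run(p, init), run(q, init)
    return all(rp[r] == rq[r] for r in outputs)


def fingerprint(program):
    """What a whole-body hash looks like to a scanner: it changes every time."""
    return hashlib.sha256(repr(program).encode()).hexdigest()


if __name__ == "__main__":
    rng = random.Random(1)
    print("parent", fingerprint(ORIGINAL)[:16], run(ORIGINAL)["ecx"])
    for gen in range(3):
        child = mutate(ORIGINAL, rng, outputs={"ecx"})
        print(gen, fingerprint(child)[:16], equivalent(ORIGINAL, child, {"ecx"}), child)
```

The point of the liveness pass is the part hobbyist engines got wrong: garbage that writes a register someone later reads silently corrupts the program, so the engine has to know which registers are dead at the insertion point. The same def/use sets drive the reordering check, and because the code is straight-line the check is complete; a real engine also has to handle branches, memory and flags, which is why working metamorphic engines were rare.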
Metamorphic engines were once theoretical curiosities. W32/Simile (also known as MetaPHOR) and W32/Apparition demonstrated working implementations. Modern crimeware groups now wrap their payloads in commercial protectors and virtualising packers (Themida, VMProtect) or in crypters bought as a service rather than building their own engines, which is why pure metamorphism in the wild is rarer than it was in the 2000s.
What you should be comfortable with after this lesson
- Naming and reasoning about all three landmark cases
- Articulating the inverse relationship between initial-access sophistication and damage
- Distinguishing oligomorphic, polymorphic, and metamorphic evasion at the level of mechanism
- Explaining why full metamorphic engines have largely given way to packers and crypters in modern malware
References
External resources to deepen the topic
- The original technical analysis of Stuxnet by Symantec (paper). Still the most thorough public source.
- US government advisory on DarkSide tradecraft and indicators (reference).
- Sophos breakdown of the REvil/Kaseya supply-chain attack chain (blog).
- Definitive academic treatment of polymorphic and metamorphic engines (reference). Older but unsurpassed.
Exercises
Hands-on practice. Try each in your analysis VM.
Build a one-page case file
Pick one of Stuxnet, DarkSide, or REvil/Kaseya. Build a one-page case file: initial access, lateral movement, payload, impact, lessons. Use only public reporting.
Demonstrate a polymorphic equivalent
Write three different x86 instruction sequences that all set EAX to zero. Verify each in a debugger by checking the EAX value after execution.
Spot the mutating stub
Download two samples of the same family from MalwareBazaar. Compare their .text sections. Identify which bytes are constant across both and which differ. The differing region near the entry point is usually the decryptor stub: a small fixed set of alternative stubs across many samples points to an oligomorphic family, while stubs that never repeat point to a polymorphic mutation engine.