Polymorphic malware changes its own code, signature, and behavior on a schedule — specifically to stay ahead of your antivirus updates.

Dr. Mike Saylor of Black Swan Cybersecurity joins Prasanna Malaiyandi and me to break down one of the most frustrating threats in cybersecurity today. Polymorphic malware isn't new — but most organizations still don't understand how it actually works, and that gap is exactly what attackers are counting on.

We start with ViraLock, one of the most talked-about early examples of polymorphic malware. Mike explains how it delivered itself as an attachment you were expecting — an invoice, a shipping label, a purchase order — and then quietly deployed its payload and began moving through the MITRE ATT&CK phases while your antivirus was none the wiser. The key insight: antivirus signatures used to take seven to ten days to update. Polymorphic malware was designed to exploit exactly that window.

Then we get into how the code actually changes itself. It's not just swapping file extensions. We're talking about changing the IP address of the command-and-control server, swapping out DLLs, downloading additional modules, rewriting itself so completely that even the file size changes. And some variants can detect which antivirus product you're running and behave differently based on that.

We also cover the difference between polymorphic and metamorphic malware — and if polymorphic keeps you up at night, metamorphic is the stuff of nation-state nightmares. Mike introduces the Frankenstein virus, a research concept out of the University of Texas at Dallas that assembled itself entirely from software already present on the target machine. Nothing to detect on arrival. Just a harmless framework that builds its own weapon from your own tools.

From there we get into waterhole attacks — how attackers compromise shared resources like SharePoint templates, Teams, and Slack so that one infected file reaches everyone who downloads it. And Mike shares a red team story that will stick with you: his team achieved 11 out of 12 objectives in seven days against an organization that had given them 180 days. They did it by deploying persistence across 20 to 50 machines at once, so that when antivirus signatures caught up to one thread, they already had the next payload ready.

The good news — and there is some — is that behavioral detection and baselining can catch what signature-based tools miss. If you know what normal looks like, deviations stand out. Mass outbound traffic, unusual login times, new applications running, unexpected encryption activity — all of that is detectable if you have the right tools and someone actually watching.
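As an added illustration of the baselining idea described above (this is example code written for these notes, not anything shown in the episode or produced by Black Swan Cybersecurity), the script below learns per-host "normal" from a clean window of constructed log records and then flags the deviations the paragraph names: an outbound transfer far above the host's usual volume, a login at an hour never seen before, and a process that was not in the baseline. The log format, host name `ws-01`, user `alice`, and the three-sigma threshold are all assumptions made up for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real telemetry): one record per line,
# "timestamp host event value". Events used: outbound_bytes, login, process.
BASELINE_LOG = """\
2024-03-01T09:05:00 ws-01 outbound_bytes 120000
2024-03-01T10:12:00 ws-01 outbound_bytes 95000
2024-03-01T13:40:00 ws-01 outbound_bytes 110000
2024-03-02T09:20:00 ws-01 outbound_bytes 100000
2024-03-02T14:02:00 ws-01 outbound_bytes 130000
2024-03-01T08:55:00 ws-01 login alice
2024-03-02T09:01:00 ws-01 login alice
2024-03-03T08:50:00 ws-01 login alice
2024-03-01T09:00:00 ws-01 process outlook.exe
2024-03-02T09:05:00 ws-01 process excel.exe
"""

# Constructed "later" window containing the kinds of deviation the episode lists.
OBSERVED_LOG = """\
2024-03-10T09:10:00 ws-01 outbound_bytes 115000
2024-03-10T03:15:00 ws-01 login alice
2024-03-10T03:20:00 ws-01 outbound_bytes 8000000
2024-03-10T03:21:00 ws-01 process updater-helper.exe
"""


def parse_log(text):
    """Turn the line-oriented log into (timestamp, host, event, value) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, value = line.split(maxsplit=3)
        records.append((datetime.fromisoformat(ts), host, event, value))
    return records


def build_baseline(records):
    """Learn what 'normal' looks like per host from a clean observation window."""
    bytes_by_host = defaultdict(list)
    login_hours = defaultdict(set)
    processes = defaultdict(set)
    for ts, host, event, value in records:
        if event == "outbound_bytes":
            bytes_by_host[host].append(int(value))
        elif event == "login":
            login_hours[host].add(ts.hour)
        elif event == "process":
            processes[host].add(value)
    baseline = {}
    for host in set(bytes_by_host) | set(login_hours) | set(processes):
        vals = bytes_by_host.get(host, [])
        # With fewer than two samples there is no spread to measure; fall back to 0
        # so that any larger value is flagged rather than silently accepted.
        mean = statistics.fmean(vals) if vals else 0.0
        stdev = statistics.stdev(vals) if len(vals) > 1 else 0.0
        baseline[host] = {
            "bytes_mean": mean,
            "bytes_stdev": stdev,
            "login_hours": login_hours.get(host, set()),
            "processes": processes.get(host, set()),
        }
    return baseline


def detect_anomalies(baseline, records, sigma=3.0):
    """Return (timestamp, host, reason) for each record that deviates from the baseline."""
    findings = []
    for ts, host, event, value in records:
        profile = baseline.get(host)
        if profile is None:
            findings.append((ts, host, "host has no baseline"))
            continue
        if event == "outbound_bytes":
            threshold = profile["bytes_mean"] + sigma * profile["bytes_stdev"]
            if int(value) > threshold:
                findings.append((ts, host, f"outbound {value} bytes exceeds threshold {threshold:.0f}"))
        elif event == "login" and ts.hour not in profile["login_hours"]:
            findings.append((ts, host, f"login by {value} at hour {ts.hour:02d} outside baseline hours"))
        elif event == "process" and value not in profile["processes"]:
            findings.append((ts, host, f"new process {value} not seen in baseline"))
    return findings


def run_example():
    """Build the baseline from the clean window and score the later window."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_anomalies(baseline, parse_log(OBSERVED_LOG))


if __name__ == "__main__":
    for ts, host, reason in run_example():
        print(f"{ts.isoformat()} {host}: {reason}")
```

The 115,000-byte transfer during business hours passes because it sits inside the learned range; the 3 a.m. login, the 8 MB burst, and the unseen process are each reported. The point the episode makes carries over directly: none of these checks needs a signature for the payload, only a trustworthy picture of normal and a person or pipeline that reviews what falls outside it. In practice the baseline window must be known-clean and long enough to cover legitimate variation (month-end reporting, patch cycles), otherwise the detector either learns the attacker's activity as normal or drowns analysts in false positives.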

We wrap up with something that should feel familiar to anyone in backup and recovery: not everything deserves the same level of protection. Spend your security budget where the risk is highest, layer your defenses, and make sure you have a recovery plan when — not if — something gets through.

Chapters:
00:00 – Intro
01:35 – Meet the guests: Prasanna Malaiyandi and Dr. Mike Saylor
02:58 – What is polymorphic malware? The ViraLock story
05:52 – How polymorphic code changes its own signature
10:04 – Disguised executables and the human factor
12:23 – Polymorphic vs. static malware: what's the real difference?
14:15 – Metamorphic malware: nation-state-level scary
16:01 – The Frankenstein virus: a conceptual metamorphic example
16:52 – Waterhole attacks: infecting the shared file everyone downloads
18:32 – How polymorphic malware stays alive: the red team story
21:28 – Behavioral detection and baselining: how you actually fight back
26:57 – Risk-based defense: protect what matters most