A years-old Linux and Unix malware operation is changing up its tactics, with a current iteration targeting visitors to adult websites.

ESET detailed “Operation Windigo” in March 2014, noting the campaign had already infected 25,000 Unix and Linux servers. In a preview of a talk he'll give in Australia later this week, Olivier Bilodeau, ESET malware analyst, said the operation's perpetrators started out infecting any IP, but after being ousted, the attackers began exclusively looking at porn sites, according to The Register.

Plus, Bilodeau said, the malware attackers are adopting DevOps techniques to stay ahead of security professionals. For example, the malicious code is not written on an infected server, so ESET had to man-in-the-middle (MitM) the SSH protocol that was running on a Windigo-infected honeypot.

Attackers have used multiple exploit kits, but currently appear to prefer the Rig Exploit Kit