Legitimate plugin systems in tools like Apache modules and game engines rely on dlopen/dlsym for extensibility, while malware abuses the identical API (and its Windows twin, LoadLibrary/GetProcAddress) to hide imports from static analysis, which is why analysts routinely set a GDB breakpoint on dlsym to catch runtime symbol resolution that never appears in the import table.