Linux and Unix-like malware may abuse /etc/ld.so.preload as a persistence mechanism.
The attacker will add a malicious LD_PRELOAD-like library to this file, which gets loaded whenever a dynamic linked binary is ran on the system. Often, these libraries contain rootkit functionality.