Fellowsfellows@cyberplace.social
Apr 10, 2026, 5:56 PM@wdormann if the malicious PDF were blown up in a sandbox, would its activity be detected as abnormal?
@wdormann if the malicious PDF were blown up in a sandbox, would its activity be detected as abnormal?
@fellows
Depends on the sandbox, I suppose.
The vulnerability being exploited merely reads files like ntdll.dll to get version infromation. But the subsequent polling of a remote C2 host is a touch out of the ordinary. At least to me.