by _slih
135 days ago
This campaign worked because the operator knew exactly what most detection stacks look for: execution, lateral movement, data exfil. They did none of that. They dropped a loader, confirmed it worked, and left. No behavioral triggers, no alerts, nothing for a SOC analyst to chase. That's the gap with point-in-time security and checkbox compliance. You run your scan, get a clean report, move on. Meanwhile something like this sits in memory waiting for a buyer. The checklist says "run vulnerability scans quarterly" not "detect dormant in-memory class loaders planted by initial access brokers." Continuous monitoring that baselines normal behavior and flags deviations, even subtle ones like a new JSP file in a path that shouldn't change, is the only way to catch this. But most orgs aren't doing it because their compliance framework doesn't require it.
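The baseline-and-flag-deviations idea from the comment above, as an added example that is not part of the original post: snapshot a web application root, then report any new or modified JSP/class/JAR files on the next pass. The directory layout and file names are constructed for the demo.

```python
"""Added example: minimal file-integrity baseline for a Java web app root.
Flags new or changed .jsp/.jspx/.class/.jar files, i.e. deviations in a
path that should not change between deployments. All paths are constructed."""
import hashlib
import tempfile
from pathlib import Path

WATCH_SUFFIXES = {".jsp", ".jspx", ".class", ".jar"}


def snapshot(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def deviations(baseline, current):
    """Return (added, modified, removed) relative paths, restricted to the
    suffixes that matter for persistence in a Java web application."""
    def watched(p):
        return Path(p).suffix.lower() in WATCH_SUFFIXES
    added = sorted(p for p in current if p not in baseline and watched(p))
    modified = sorted(p for p in current
                      if p in baseline and baseline[p] != current[p] and watched(p))
    removed = sorted(p for p in baseline if p not in current and watched(p))
    return added, modified, removed


def demo():
    """Constructed scenario: take a baseline, then simulate a dropped JSP,
    a modified JSP and an unwatched static file; return the deviations."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        (app / "static").mkdir(parents=True)
        (app / "index.jsp").write_text("<%-- constructed placeholder page --%>")
        baseline = snapshot(tmp)
        (app / "cmd.jsp").write_text("<%-- constructed placeholder, new file --%>")   # new JSP
        (app / "index.jsp").write_text("<%-- constructed placeholder, edited --%>")  # modified JSP
        (app / "static" / "logo.png").write_bytes(b"\x89PNG")                      # not watched
        return deviations(baseline, snapshot(tmp))


if __name__ == "__main__":
    print(demo())  # -> (['app/cmd.jsp'], ['app/index.jsp'], [])
```

In practice the baseline would be taken from the deployment artifact and the comparison scheduled or driven by inotify-style events, with every hit raised to the SOC rather than printed.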