The scenario describes an on-device, app-based rooting approach that does not rely on a PC connection, USB debugging, or a bootloader unlock workflow. In CEH mobile platform coverage, this aligns with “one-click” rooting tools that package exploits to elevate privileges directly from user space to root on the device. These tools typically target known vulnerabilities in the Android OS, vendor kernels, or system services to obtain root privileges and then install a management component to maintain elevated access.

KingoRoot is commonly cited in ethical hacking training contexts as a popular one-click rooting solution that can run as an Android application and attempt to root a device without a computer, depending on the device model, Android version, and patch level. This directly matches the prompt: Sofia installs a mobile application, it “exploits a system vulnerability,” and it achieves root “without requiring a PC.” The constraints given, USB debugging disabled and OEM unlock restrictions, make PC-assisted ADB workflows or bootloader-based rooting less feasible, which further supports an exploit-driven, on-device rooting tool.

Magisk Manager is primarily a root management and systemless modification framework and typically assumes the device is already rooted or that the user can patch the boot image and flash it, often requiring bootloader unlock steps that OEM restrictions would block. “One Click Root” is a generic label rather than a specific tool in many CEH-style question banks. RootMaster is another one-click tool, but KingoRoot is the most widely recognized and frequently referenced for direct APK-based rooting in this context.

CEH identifies brute-force cryptanalysis as a method in which an attacker systematically tests every possible key, password, or passphrase until the correct one is found. When an attacker obtains initial bytes from an encrypted container—often referred to as known plaintext—they can use this to validate attempts as the tool iterates through candidate keys. Automated brute-force tools compare decrypted results with known header patterns, file signatures, or expected byte structures to determine when the correct key is reached. This process aligns precisely with brute-force password testing described in CEH cryptography modules. Quantum solving is not part of CEH scope, digest comparison relates to collision attacks, and analyzing output length pertains to padding oracle detection. The correct classification is automated brute-force cryptanalysis.

CEH materials describe this attack pattern as Living-off-the-Land (LotL), where attackers abuse legitimate tools to avoid detection. Because these binaries are normally trusted, traditional antivirus solutions may not flag them.

CEH recommends file integrity monitoring (FIM), which tracks cryptographic hashes of sensitive executables and alerts administrators when unauthorized modifications occur.

Option D is correct.

Options A and B support resilience but do not detect tampering.

Option C alone is insufficient against LotL attacks.

The Certified Ethical Hacker (CEH) Cryptography and Quantum Computing section introduces the concept known as “Harvest Now, Decrypt Later”. This threat model describes adversaries capturing encrypted data today, even if they cannot decrypt it immediately, with the expectation that future quantum computers will be able to break currently secure public-key algorithms such as RSA and ECC.

Option A accurately reflects this concept.

Option B describes a method (Shor’s algorithm) but not the threat model itself.

Option C is unrelated to cryptographic attacks.

Option D refers to quantum communication attacks, not classical encrypted data harvesting.

CEH emphasizes post-quantum cryptography as a mitigation strategy.

This scenario is a classic vishing (voice phishing) attempt: the attacker calls employees, impersonates a vendor, and tries to persuade them to disclose sensitive payment information. The most direct, practical countermeasure that employees can apply in every interaction is verifying the requester’s identity before sharing any information. That means using a trusted verification method—such as calling back using an official number from an internal directory/vendor contract, confirming through a known manager or procurement channel, or following an established verification workflow—rather than trusting the caller ID, the caller’s confidence, or claimed affiliation.

Option B is the best answer because it directly breaks the social engineering tactic being used: pretexting (posing as a vendor) relies on getting the victim to accept identity and urgency without validation. If employees consistently verify identity through independent channels, the attacker’s pretext collapses and the request is denied or escalated. This is the most immediate control at the human decision point, where the data disclosure risk occurs.

Why the other choices are less direct:

Security awareness programs (A) are important, but the question asks for the practical step employees must apply in each interaction. Training supports the behavior; it is not the specific action that stops the call from succeeding.

Policies and procedures (C) provide governance and guidance, but the direct operational control during a phone call is still identity verification.

Two-factor authentication (D) protects login processes but does not prevent an employee from verbally disclosing payment details over the phone.

Therefore, the prioritized countermeasure is B. Employees must verify the identity of individuals requesting information.

The technique demonstrated is Elicitation. CEH social engineering coverage explains elicitation as the art of drawing out information from a target through conversation without making direct or obviously suspicious requests. The attacker carefully guides dialogue so the victim voluntarily reveals sensitive details, often believing the discussion is normal, harmless, or professionally relevant. That is exactly what happens here: the person poses as a recruitment consultant, builds rapport through multiple informal interactions, and gradually obtains information about research, timelines, and internal code names. No credentials are requested and no overt trade or reward is offered, so this is not quid pro quo. It is also not baiting, which typically relies on an enticing object or opportunity, nor a honey trap, which usually involves romantic or intimate manipulation. CEH materials emphasize that elicitation is especially dangerous because the victim often does not realize that the attacker’s questions are strategically sequenced to extract valuable intelligence piece by piece. The gradual, conversational, non-confrontational harvesting of sensitive project details in this scenario is the defining pattern of elicitation.

This scenario describes an Android rooting approach where the attacker installs a rooting tool directly on the device as an APK and uses it to exploit vulnerabilities to gain elevated privileges. The key feature that makes this approach effective, as stated in the question, is that it works without requiring a computer connection. That aligns directly with option B: “It is an APK that can run directly on the device without a PC.”

Rooting tools packaged as APKs are effective in environments where physical access is limited to the device itself (or where connecting to a PC is impractical or would raise suspicion). Once installed, such an app can attempt privilege escalation by leveraging known weaknesses in the OS, drivers, or vendor components, aiming to obtain root-level access. From a security assessment standpoint, this demonstrates that mobile devices may be at risk if users can install untrusted applications, if the device is not fully patched, or if application controls (enterprise MDM policies, app allowlisting, unknown-sources restrictions) are weak.

The other options are inconsistent with Android APK-based rooting as described. “Tethered jailbreak” terminology applies to iOS jailbreaking, not Android rooting, and the scenario explicitly says no computer connection is required. Weak SSL validation relates to application-layer transport security issues rather than privilege escalation to root. Bluetooth pairing flaws are a different attack class and are not indicated here; the described method is an on-device exploit chain initiated by installing a rooting APK.

Therefore, the feature that makes this rooting approach effective in the scenario is B: it runs directly on the device as an APK without needing a PC.

CEH v13 explains that a keylogger is a type of spyware designed to capture user input covertly, often storing or transmitting captured data—such as passwords, emails, chat messages, and financial information—to an attacker. Keyloggers can be implemented as software, firmware, or hardware, and they operate silently in the background without affecting system performance, making them ideal for credential theft. CEH categorizes keyloggers under spying and monitoring malware frequently used in the System Hacking phase to escalate privileges or move laterally once credentials are harvested. Unlike rootkits, which hide processes, or ransomware, which encrypts files, a keylogger’s main purpose is passive surveillance. CEH emphasizes how attackers deploy keyloggers post-compromise or use phishing/social engineering to trick victims into installing them. Their covert nature and ability to bypass traditional AV solutions by masquerading as legitimate processes make identifying them crucial during forensics and incident response activities.

A load balancer is the best match because the key mitigation behavior described is distributing incoming traffic across multiple servers to prevent any single system from being overwhelmed. In CEH coverage of availability attacks, one of the most practical architectural defenses against flooding-based DoS and DDoS is to scale horizontally and place a load-balancing layer in front of a server pool. This allows the organization to absorb spikes by spreading connections and requests across multiple backend nodes, improving resilience and maintaining uptime.

The scenario also mentions filtering malicious requests. Modern load balancers commonly provide health checks, rate limiting, connection limiting, and integration with access control rules, and they are often deployed alongside DDoS scrubbing or edge protections. Even when the filtering logic is implemented through integrated security policies or upstream services, the defining characteristic in the prompt is traffic distribution across multiple servers, which is a primary function of load balancing and a common CEH-referenced mitigation strategy for volumetric attacks.

A web application firewall focuses on inspecting and blocking malicious HTTP and application-layer payloads such as injection, request anomalies, and known attack patterns, but it is not primarily responsible for distributing traffic across multiple servers. An IPS can block suspicious patterns and exploit attempts, yet it does not typically provide the core traffic distribution function described. A traditional firewall enforces network-level rules and may help with rate limits, but it does not inherently balance traffic across a server farm. Therefore, the most likely tool in use here is a load balancer.

CEH v13 explains that Windows systems running older or default configurations often allow anonymous or null session connections to IPC$ shares, enabling attackers to enumerate users, groups, shares, and other system details without authentication. Null session enumeration is highlighted as a classic yet effective technique because it generates minimal detectable activity and does not require credentials, making it ideal for stealth operations. CEH stresses that SMB null sessions are frequently overlooked in legacy or poorly hardened environments, especially when default permissions remain unchanged. Packet sniffing (Option A) may provide some data but requires traffic visibility and may be detected through monitoring tools. DNS zone transfers (Option B) require misconfigurations and usually do not reveal user list details. SNMP queries (Option D) require community strings and often generate alerts. Therefore, exploiting null sessions is the most covert and effective method for enumerating Windows systems under default configurations.

The IT team’s action—capping how many requests a single user can make per second and then delaying or dropping aggressive connections—is the defining behavior of rate limiting. In DDoS conditions, especially when the portal is under a surge of automated or abusive traffic, rate limiting enforces a policy that restricts request frequency from a source (such as an IP address, session, API key, or user identifier). This helps preserve availability by preventing any one client (or a small set of clients) from consuming a disproportionate share of application and infrastructure resources.

The key wording in the scenario is that “aggressive connections are delayed or dropped while most legitimate customers continue to use the service.” Rate limiting is designed for precisely this outcome: it introduces friction for abusive traffic patterns while allowing typical user behavior through. Depending on implementation, controls can respond with delays (throttling), temporary blocks, connection resets, or HTTP error responses (for example, “too many requests”) when limits are exceeded. This is commonly applied at the edge (reverse proxy/CDN), load balancer, WAF, or application gateway to reduce pressure on backend services.

Why the other options are not the best match:

Shutting Down Services (B) is an extreme measure that sacrifices availability to stop an attack; the scenario explicitly states service largely continues.

Absorb the Attack (C) refers to scaling capacity or using scrubbing centers/CDNs to handle volume without necessarily restricting individual requester behavior; the described control is specifically per-user request caps.

Degrading Services (D) generally means intentionally reducing functionality or quality (e.g., disabling non-essential features) to keep core services alive; here, the main technique is enforcing request-rate thresholds.

Thus, the countermeasure strategy being used is A. Rate Limiting.

The described activity is most consistent with a Remote Access Trojan (RAT). A RAT is designed to provide an attacker with remote, covert, and persistent control over a compromised system. The scenario explicitly states that after the attachment is opened, the attacker gains “full access to the workstation” and then monitors emails, keystrokes, and local files over an extended period without alerting the user. That combination—remote control plus long-term stealthy monitoring—fits a RAT’s typical capabilities, which often include keylogging, file browsing/exfiltration, screen capture, command execution, and maintaining persistence.

Although spyware can also monitor keystrokes and user activity, spyware is typically described as focusing on surveillance and data collection rather than providing broad interactive remote administration. The scenario emphasizes “full access” and ongoing control, which is more characteristic of a RAT than spyware alone. In many real-world cases, RATs include spyware-like features; however, when the question asks which malware type best matches full remote control and stealth monitoring, RAT is the strongest match.

Why the other options are less suitable:

Botnet (B) refers to a network of infected systems (bots) controlled as a group, often for DDoS, spam, or distributed operations. The scenario focuses on a single workstation being remotely controlled and monitored.

Adware (C) focuses on delivering advertisements and tracking for marketing purposes; it does not align with covert full access and credential monitoring.

Spyware (D) overlaps on surveillance, but it does not inherently imply comprehensive remote administration and control the way a RAT does.

Therefore, the most likely malware type is A. Remote Access Trojan (RAT).