The strongest indicator in this scenario is that multiple compromised hosts are “behaving like zombies,” communicating outbound to a single unfamiliar external IP over high ports, and “silently accept remote instructions” while performing “coordinated background tasks.” In CEH-aligned malware terminology, these are hallmark characteristics of a botnet: a collection of infected endpoints (bots/zombies) under centralized or semi-centralized command-and-control. Worm-like propagation explains how the compromise rapidly expanded across the internal network—using shared folders and stolen credentials for lateral spread—while the “backdoor component” provides persistent remote control functionality once a system is infected. The observed coordination across many hosts strongly suggests the attacker’s goal is not merely individual surveillance of a single machine, but scalable remote control of many machines at once.

Option A, data exfiltration, is plausible in many intrusions, but the question emphasizes orchestration and remote tasking across many endpoints rather than targeted theft from specific repositories. Option B is inconsistent because there is no mention of encryption, ransom notes, or disruption-focused behavior. Option D, a RAT, typically describes remote control of a host, but the scenario’s defining feature is the creation of many “zombies” with coordinated behavior—this aligns more precisely with building a botnet for command and control, which can later be used for data theft, DDoS, spam, or further intrusion operations.

CEH defensive guidance includes monitoring egress traffic anomalies, detecting C2 patterns, segmenting networks to limit worm spread, disabling unnecessary shares, enforcing strong credential hygiene, and using EDR to identify backdoors and lateral movement behaviors.