SIMULATION: 2026 EDITION: QUESTIONS AND RATIONALES (GRADED A+ UPDATE, 100% CORRECT)
SECTION 1: THREAT LANDSCAPE & ATTACK VECTORS (Questions 1-12)
Q1. A security analyst observes unusual outbound traffic from a server to an unknown IP address on port 4444. The traffic occurs every 30 seconds. Which type of attack is MOST likely occurring?
A) SQL Injection
B) Cross-Site Scripting
C) Beaconing from malware (Correct)
D) ARP poisoning
Rationale: Beaconing is the periodic check-in traffic that a compromised host sends to a command-and-control (C2) server; a fixed interval such as every 30 seconds is a classic indicator. Port 4444 is the default listener port for Metasploit and is commonly used by other C2 frameworks.
Q2. Which attack technique bypasses traditional email filters by exploiting trust in legitimate cloud storage platforms?
A) SaaS trust abuse (Correct)
B) SMTP spoofing
C) DNS tunneling
D) Domain fronting
Rationale: Attackers increasingly use legitimate cloud storage (Google Drive, Dropbox, OneDrive) to host malicious payloads, bypassing URL filters that trust these domains.
Q3. A ransomware group demands payment in cryptocurrency but also threatens to publish stolen data if not paid. This is an example of:
A) Ransomware-as-a-Service
B) Double extortion (Correct)
C) Wiper attack
D) Logic bomb
Rationale: Double extortion combines file encryption with data exfiltration and public release threats, increasing pressure on victims to pay.
Q4. Which attack targets the machine learning models used in modern security tools to produce false negatives?
A) Adversarial AI (Correct)
B) Model inversion
C) Training data poisoning
D) Prompt injection
Rationale: Adversarial AI manipulates input data to fool ML models into misclassification, allowing malware to evade detection.
Q5. An attacker exploits a vulnerability in a third-party library used by a major software vendor. The malicious code is distributed through automatic updates. This is known as:
A) Supply chain attack (Correct)
B) Man-in-the-middle
C) Session hijacking
D) Phishing
Rationale: Supply chain attacks compromise the software development or distribution pipeline, as seen in the SolarWinds (2020) and 3CX (2023) incidents.
Q6. What type of attack uses Bluetooth to establish a backdoor connection to mobile devices?
A) Bluebugging (Correct)
B) Bluesnarfing
C) Bluejacking
D) Wardriving
Rationale: Bluebugging allows full device control and backdoor installation, while bluesnarfing only steals data.
Q7. An attacker sends a specially crafted SVG image to a web application that, when rendered, executes malicious JavaScript. This is an example of:
A) Cross-site scripting via SVG (Correct)
B) CSRF attack
C) XXE injection
D) Buffer overflow
Rationale: SVG files can contain embedded JavaScript; when uploaded and rendered, the script executes in the victim's browser context.
Q8. Which 2026 emerging threat exploits the transition to post-quantum cryptography?
A) Harvest now, decrypt later (Correct)
B) Quantum key distribution bypass
C) Grover's algorithm attack
D) Shor's algorithm exploitation
Rationale: Adversaries are collecting encrypted data now with the expectation that future quantum computers will decrypt it.
Q9. A threat actor gains initial access via a compromised VPN credential purchased from an infostealer log marketplace. This technique falls under:
A) Initial access brokering (Correct)
B) Credential stuffing
C) Password spraying
D) Kerberoasting
Rationale: Initial access brokers specialize in selling pre-compromised network access to ransomware groups and other attackers.
Q10. Which attack uses QR codes to deliver malicious payloads in "tap-and-go" scenarios?
A) Quishing (QR phishing) (Correct)
B) Smishing
C) Vishing
D) Pharming
Rationale: Quishing redirects users to malicious sites or triggers automatic actions when QR codes are scanned.
Q11. A shadow IoT device (smart thermostat) on the corporate network is compromised and used to pivot to production servers. This is primarily a failure of: