Analysis of the server logs revealed an unusual entry point. The attacker did not exploit a known CVE. Instead, mr.qlq appears to have leveraged a zero-click SVG injection through a third-party support chat widget that had been end-of-life for 14 months. The malicious payload disguised itself as a “customer satisfaction survey” cookie. Once executed, it spawned a reverse shell using a custom PowerShell script named qlq.ps1.
Incident Response Team Delta
Status: Case closed, but eyes open.
This report is a work of creative incident analysis. No actual systems were harmed in its writing—only the author’s sense of security.
No further intrusion has been detected. Yet every sysadmin now double-checks their shadows.