Analysis of the server logs revealed an unusual entry point. The attacker did not exploit a known CVE. Instead, mr.qlq appears to have leveraged a zero-click SVG injection through a third-party support chat widget that had been end-of-life for 14 months. The malicious payload disguised itself as a “customer satisfaction survey” cookie. Once executed, it spawned a reverse shell using a custom PowerShell script named qlq.ps1.

April 16, 2026
Threat Actor Alias: mr.qlq
Severity Level: Critical (Public-facing compromise)

No further intrusion has been detected. Yet every sysadmin now double-checks their shadows.

Incident Response Team Delta
Status: Case closed, but eyes open.

This report is a work of creative incident analysis. No actual systems were harmed in its writing—only the author’s sense of security.