During a controlled red team engagement at a financial institution in New Jersey, ethical hacker Ryan tests the bank's resilience against stealth-based malware. He plants a custom malicious program on an employee workstation. After execution, he observes that the infected files continue to function normally, but his malware conceals its modifications by intercepting operating system calls. Antivirus scans repeatedly return "no threats detected," even though the malicious code remains active and hidden on the system. Which type of virus did Ryan most likely deploy in this assessment?
Correct Answer: B
The correct answer is B, Stealth Virus, because the defining characteristic described is hiding malicious presence by intercepting operating system calls and masking changes so that normal tools (including antivirus scans) do not observe the infection. In CEH-aligned malware concepts, stealth viruses are designed to evade detection by concealing modifications to files, boot records, or system areas. They commonly do this by hooking system functions or APIs so that when the OS or a security product requests file contents, sizes, checksums, directory listings, or other metadata, the virus returns clean-looking or original data instead of the infected/modified version. This makes infected files appear to "function normally," while the malware remains active in memory and persists on disk. The scenario explicitly mentions that "infected files continue to function normally" and that the malware "conceals its modifications by intercepting operating system calls." That is the classic behavior of stealth techniques: manipulate what the system reports, not necessarily change the outward behavior of the application. The repeated "no threats detected" results also align: signature-based or basic scanning can be blinded when the malware controls the interface through which the scanner reads target files or system structures.

Why the other options are less correct: a polymorphic virus focuses on changing its code/signature between infections to evade signature-based detection, but the key clue here is OS call interception and hiding modifications, not code mutation. A macro virus targets macro-enabled documents and spreads through macro execution in office applications; it is not primarily defined by OS-level call hooking. A cavity virus (spacefiller) hides by inserting itself into unused areas of a file without changing the file size, but the scenario's emphasis is on intercepting OS calls to conceal changes, which is more directly the stealth-virus behavior.
Therefore, Ryan most likely deployed a stealth virus.
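Because a stealth virus answers file reads and stat calls with original-looking data, any scanner that runs on the infected system and reads through those same calls can be lied to. The defensive check that survives this is an integrity baseline taken while the system is known clean and re-checked from trusted media (for example, the disk mounted under a clean boot environment, where the virus is not running and cannot hook the reads). The following is an added example of such a baseline and diff, written for this page and not taken from the question source or the CEH materials; the file names and the "infection" in demo() are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file's full contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each regular file under root (relative POSIX path) to (size, sha256)."""
    manifest = {}
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root_path).as_posix()
            manifest[rel] = (p.stat().st_size, hash_file(p))
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files added, removed, or changed (size or hash) between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(f for f in set(baseline) & set(current) if baseline[f] != current[f])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline two files, then append code to one and drop a new file.
    A stealth virus would hide these changes from stat/read on the live system, which is why
    the comparison must be made from media the virus does not control."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "app.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (Path(tmp) / "config.ini").write_text("debug=0\n")
        baseline = build_manifest(tmp)
        with (Path(tmp) / "app.exe").open("ab") as fh:
            fh.write(b"\x90" * 16)          # constructed "infection": 16 bytes appended
        (Path(tmp) / "dropper.dll").write_bytes(b"MZ")
        return diff_manifest(baseline, build_manifest(tmp))


if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest off the host (signed, or on read-only media); a manifest kept on the infected disk is just another file the virus can present in its original form.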
312-50v13 Exam Question 127
A penetration tester is assessing an IoT thermostat used in a smart home system. The device communicates with a cloud server for updates and commands. The tester discovers that communication between the device and the cloud server is not encrypted. What is the most effective way to exploit this vulnerability?
Correct Answer: D
IoT devices that transmit data without encryption expose all communication to interception. CEH explains that attackers can position themselves between the IoT device and cloud service to manipulate or capture traffic. A MitM attack enables interception of commands, credentials, and firmware data due to the absence of TLS protections.
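From the defender's side, the same observation (device-to-cloud traffic carrying no TLS) is something a network monitor can flag before an assessor finds it. The following is an added example, not part of the question source: it parses the first bytes of each outbound flow, recognises a TLS ClientHello by its record header, and otherwise labels the flow as a cleartext protocol (HTTP request line, MQTT CONNECT) or generic printable text, noting when a credential-looking header is visible. The flows, addresses and payloads are constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One outbound connection from the device; payload is the first bytes it sent."""
    src: str
    dst: str
    dport: int
    payload: bytes


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x0X, 2-byte length,
    then handshake type 0x01 (ClientHello)."""
    if len(data) < 6:
        return False
    if data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x04:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    if record_len == 0 or record_len > 16384 + 2048:
        return False
    return data[5] == 0x01


# Signatures of common cleartext IoT protocols: an HTTP request line, and an MQTT CONNECT
# packet (fixed header 0x10, remaining-length varint, then the protocol name "MQTT").
CLEARTEXT_SIGNS = {
    "http": re.compile(rb"^(GET|POST|PUT|DELETE) \S+ HTTP/1\.[01]\r\n"),
    "mqtt": re.compile(rb"^\x10.{1,4}?\x00\x04MQTT", re.DOTALL),
}
SECRET_RE = re.compile(rb"(?i)(authorization:|password=|api[_-]?key|\"token\")")


def mostly_printable(data: bytes) -> bool:
    """Heuristic for unrecognised cleartext: 90% or more printable ASCII."""
    if not data:
        return False
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data) >= 0.9


def classify(flow: Flow) -> dict:
    """Label the flow as TLS, a recognised cleartext protocol, generic text, or unknown."""
    label = f"{flow.src}->{flow.dst}:{flow.dport}"
    if looks_like_tls_client_hello(flow.payload):
        return {"flow": label, "protocol": "tls", "cleartext": False, "secret_exposed": False}
    protocol = next((name for name, rx in CLEARTEXT_SIGNS.items() if rx.match(flow.payload)), None)
    cleartext = protocol is not None or mostly_printable(flow.payload)
    return {
        "flow": label,
        "protocol": protocol or ("text" if cleartext else "unknown"),
        "cleartext": cleartext,
        "secret_exposed": cleartext and bool(SECRET_RE.search(flow.payload)),
    }


def find_cleartext_flows(flows, cloud_hosts) -> list:
    """Findings for device-to-cloud flows that are not protected by TLS."""
    return [c for c in (classify(f) for f in flows if f.dst in cloud_hosts) if c["cleartext"]]


# Constructed sample capture: a TLS session, an HTTP report carrying a bearer token,
# an MQTT CONNECT, and an NTP query to a host that is not the cloud service.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "203.0.113.10", 443,
         b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
    Flow("192.168.1.50", "203.0.113.10", 80,
         b"POST /api/v1/report HTTP/1.1\r\nHost: cloud.example\r\n"
         b"Authorization: Bearer 0123abcd\r\n\r\n"),
    Flow("192.168.1.50", "203.0.113.10", 1883,
         b"\x10\x19\x00\x04MQTT\x04\x02\x00\x3c\x00\x0dthermostat-01"),
    Flow("192.168.1.50", "198.51.100.7", 123, b"\x23\x00\x06\x20" + b"\x00" * 44),
]
CLOUD_HOSTS = {"203.0.113.10"}

if __name__ == "__main__":
    for finding in find_cleartext_flows(SAMPLE_FLOWS, CLOUD_HOSTS):
        print(finding)
```

The mitigation the finding points at is the one the explanation names: TLS (or MQTT over TLS) with the device verifying the server certificate, so that an on-path attacker cannot read or alter commands, credentials, or firmware.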
312-50v13 Exam Question 128
What is the most plausible attack vector an APT group would use to compromise an IoT-based environmental control system?
Correct Answer: A
According to CEH v13 Mobile, IoT, and OT Hacking, Advanced Persistent Threat (APT) groups prioritize stealth, persistence, and long-term control. In IoT environments, the most attractive and effective entry point is firmware-level zero-day vulnerabilities. IoT devices often run outdated or proprietary firmware, lack regular patching mechanisms, operate with high privileges, and have minimal monitoring. Exploiting a zero-day vulnerability in firmware allows attackers to gain deep, persistent access that survives reboots and avoids traditional security controls. This aligns directly with APT objectives. Credential theft (Option B) is common but less reliable for IoT systems. Encrypted MitM (Option C) is complex and less persistent. DDoS (Option D) disrupts services but does not provide control. CEH v13 explicitly identifies firmware exploitation as the primary APT vector in IoT and OT environments. Therefore, Option A is correct.
312-50v13 Exam Question 129
A penetration tester targets a WPA2-PSK wireless network. The tester captures the handshake and wants to speed up cracking the pre-shared key. Which approach is most effective?
Correct Answer: C
CEH v13 explains that WPA2-PSK security relies on the strength of the pre-shared key. Once the 4-way handshake is captured, the attacker must attempt offline cracking. CEH emphasizes that the dictionary attack is the most efficient and commonly used cracking method because it tests structured wordlists, human-derived passwords, and hybrid permutations, dramatically reducing time compared to full brute force. Brute forcing (Option B) is computationally heavy and often impractical unless the password is extremely short. XSS (Option A) and SQL injection (Option D) have no relevance to WPA2 authentication, which occurs at the wireless protocol level, not the router's web interface. The dictionary attack is highlighted in CEH as the principal technique used with tools like aircrack-ng, hashcat, and pyrit, allowing rapid key testing using optimized GPU or CPU cracking. Thus, Option C is the most effective and CEH-aligned method.
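The explanation's point, that WPA2-PSK security reduces to the strength of the passphrase once the handshake is captured, follows from how the key is derived: the PMK is PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID, 4096 iterations, so each offline guess costs the same fixed work and the only variable is how many guesses are needed. A dictionary plus simple mangling covers most human-chosen passphrases in a small number of guesses; a long random passphrase pushes the count into brute-force territory. The following added example (written for this page, not from the question source or any of the named tools) implements the derivation and a passphrase policy check a network owner could run. The wordlist is a constructed stand-in for a real one, and the guesses-per-second figure is an assumed illustrative number.

```python
import hashlib
import re


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK derivation: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations) -> 256-bit PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


# Constructed stand-in for a real wordlist; a real policy check would load a multi-million-entry list.
COMMON_WORDS = {"password", "summer", "welcome", "letmein", "qwerty", "football", "monkey", "dragon"}


def base_word(passphrase: str) -> str:
    """Undo the mangling a hybrid dictionary attack tries first: case, and leading/trailing digits or symbols."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", passphrase.lower())


def charset_size(passphrase: str) -> int:
    """Size of the smallest standard character class set that contains the passphrase."""
    size = 0
    if re.search(r"[a-z]", passphrase):
        size += 26
    if re.search(r"[A-Z]", passphrase):
        size += 26
    if re.search(r"[0-9]", passphrase):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", passphrase):
        size += 33
    return size


def psk_policy_check(passphrase: str, ssid: str, guesses_per_second: float = 5e5) -> dict:
    """Rate a candidate PSK. guesses_per_second is an assumed illustrative figure; the
    relative result (a dictionary hit in seconds versus brute force in years) is the point."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    dictionary_hit = base_word(passphrase) in COMMON_WORDS
    brute_force_guesses = charset_size(passphrase) ** len(passphrase)
    years = brute_force_guesses / guesses_per_second / (365 * 24 * 3600)
    return {
        "pmk": wpa2_pmk(passphrase, ssid).hex(),
        "dictionary_hit": dictionary_hit,
        "brute_force_years": years,
        "weak": dictionary_hit or len(passphrase) < 12,
    }


if __name__ == "__main__":
    # Test vector from IEEE 802.11i: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    for candidate in ("Summer2024!", "xq7!Lm2#vT9pWz"):
        print(candidate, psk_policy_check(candidate, "HomeNet"))
```

The SSID salt means identical passphrases on different SSIDs yield different PMKs, which defeats precomputed tables built for one SSID but does nothing against a dictionary run directly against a captured handshake; only passphrase length and randomness do that.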
312-50v13 Exam Question 130
During a security assessment, a consultant investigates how the application handles requests from authenticated users. They discover that once a user logs in, the application does not verify the origin of subsequent requests. To exploit this, the consultant creates a web page containing a malicious form that submits a funds transfer request to the application. A logged-in user, believing the page is part of a promotional campaign, fills out the form and submits it. The application processes the request successfully without any reauthentication or user confirmation, completing the transaction under the victim's session. Which session hijacking technique is being used in this scenario?
Correct Answer: C
CEH v13 describes Cross-Site Request Forgery (CSRF) as an attack in which an authenticated user's browser is tricked into submitting unauthorized actions to a trusted application without the user's intent. CSRF exploits the fact that browsers automatically include stored session cookies when sending requests to a domain the user is logged into. In this scenario, the attacker creates a malicious form that triggers an unwanted funds transfer. Since the application does not validate request origin, enforce CSRF tokens, or require secondary verification, it processes the attacker's forged request as if it came legitimately from the victim. CEH emphasizes that CSRF differs from XSS because no malicious script executes on the target website; instead, the attacker leverages the victim's authenticated session. This is distinct from session fixation (Option A), replay attacks (Option B), and XSS (Option D). The described behavior aligns precisely with CSRF exploitation.
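The three missing controls the explanation lists (origin validation, CSRF tokens, secondary verification) are concrete server-side checks. The following added example, written for this page and not from the question source, models the transfer endpoint twice: the vulnerable version accepts any request that carries the session cookie, which the browser attaches automatically even when the form lives on another site; the hardened version additionally requires the Origin (or Referer) to match the application and a synchronizer token bound to the session. The application origin, session store, balances and both requests are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

APP_ORIGIN = "https://bank.example"      # assumed origin of the application
SERVER_SECRET = secrets.token_bytes(32)   # assumed per-deployment secret used to derive CSRF tokens
SESSIONS = {"sess-abc": "alice"}          # constructed session store: cookie value -> user


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session with HMAC, so a token from one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(req: Request, balances: dict) -> tuple:
    """Checks only for a session cookie. The browser attaches that cookie automatically,
    so a form on any site can drive this endpoint on the victim's behalf."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "login required"
    amount = int(req.form["amount"])
    balances[user] -= amount
    return 200, f"transferred {amount} to {req.form['to']}"


def transfer_hardened(req: Request, balances: dict) -> tuple:
    """Same endpoint with two independent CSRF defenses: an origin check and a per-session token."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "state change requires POST"
    # 1. The request must come from the application itself (Origin, falling back to Referer).
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (origin == APP_ORIGIN or origin.startswith(APP_ORIGIN + "/")):
        return 403, "cross-origin request rejected"
    # 2. The form must carry the token issued to this session; compare in constant time.
    expected = csrf_token_for(req.cookies["session"])
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return 403, "missing or invalid CSRF token"
    amount = int(req.form["amount"])
    balances[user] -= amount
    return 200, f"transferred {amount} to {req.form['to']}"


def forged_request() -> Request:
    """What the victim's browser sends on submitting the attacker's 'promotional' form:
    the session cookie is attached automatically, but the Origin is the attacker's site."""
    return Request("POST", "/transfer", cookies={"session": "sess-abc"},
                   form={"to": "mallory", "amount": "500"},
                   headers={"Origin": "https://promo.example"})


def legitimate_request() -> Request:
    """A submission from the bank's own transfer page, carrying the token embedded in that page's form."""
    return Request("POST", "/transfer", cookies={"session": "sess-abc"},
                   form={"to": "bob", "amount": "50", "csrf_token": csrf_token_for("sess-abc")},
                   headers={"Origin": APP_ORIGIN})


if __name__ == "__main__":
    print("vulnerable, forged:  ", transfer_vulnerable(forged_request(), {"alice": 1000}))
    print("hardened, forged:    ", transfer_hardened(forged_request(), {"alice": 1000}))
    print("hardened, legitimate:", transfer_hardened(legitimate_request(), {"alice": 1000}))
```

The token check alone would already stop the forged form, since the attacker's page cannot read the token out of the bank's pages; the origin check is a cheap second layer, and marking the session cookie SameSite keeps the browser from attaching it to cross-site form posts in the first place.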