During an internal red team engagement at Orion Tech Labs, a leading software firm in Austin, Texas, ethical hacker Emily Carter was tasked with evaluating the resilience of the organization's software deployment processes. Knowing that the finance team frequently downloaded utility tools for generating PDFs, she repackaged a trusted PDF converter installer with a secondary payload. When an employee executed the installer, the converter installed and functioned normally, but in the background, a hidden executable silently initiated outbound network communication. The user remained unaware of any suspicious activity. Which technique did Emily most likely use to ensure the malware executed alongside the legitimate application?
Correct Answer: D
A wrapper is the most accurate choice because it describes a technique where a legitimate program is bundled together with a malicious payload so that, when the user launches what appears to be a normal installer or application, both the real software and the malware run. CEH materials commonly explain wrappers in the context of Trojanization: the attacker "wraps" a trusted executable or installer with an additional hidden component. This preserves normal functionality to avoid suspicion while still achieving covert execution of the malicious code. In the scenario, the PDF converter installs and works as expected, but a hidden executable runs silently and begins outbound communication; this is classic wrapper behavior designed to maintain user trust and reduce detection through normal user experience. The other options do not fit as well. A downloader is malware whose primary purpose is to fetch additional payloads from the network; while outbound communication occurs here, the scenario emphasizes bundling and simultaneous execution with a legitimate installer, not primarily downloading. A packer is used to compress/obfuscate an executable to evade signature-based detection; it changes how a binary looks, but it does not inherently describe combining a legitimate installer with another payload. A dropper is designed to deliver and install malware onto a system, often extracting the payload; however, the hallmark detail here is that the legitimate application runs normally while the malicious component is hidden within the same package, which aligns more precisely with a wrapper/Trojanized installer. Defensively, CEH recommends controls such as application allowlisting, verifying digital signatures and hashes, using trusted software repositories, endpoint detection and response, and monitoring unusual outbound connections after software installation.
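The last defensive control above, monitoring outbound connections right after a software installation, can be expressed as a simple detection rule. The following is an added example written for this page, not exam or CEH courseware material: it reads constructed process-creation and network-connection events (modelled loosely on Sysmon event IDs 1 and 3, but the field names, the installer keyword list and the ten-minute window are all assumptions) and flags an unsigned child of a recent installer that opens an outbound connection, which is exactly the footprint the wrapper scenario leaves behind.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), loosely modelled on Sysmon event ID 1
# (process creation) and event ID 3 (network connection). Paths carry doubled
# backslashes because the lines are JSON.
SAMPLE_EVENTS = [
    r'{"ts": "2025-07-07T09:00:00", "id": 1, "pid": 4100, "ppid": 900, "image": "C:\\Users\\fin\\Downloads\\pdfconv_setup.exe", "signed": true}',
    r'{"ts": "2025-07-07T09:00:02", "id": 1, "pid": 4120, "ppid": 4100, "image": "C:\\Program Files\\PDFConv\\pdfconv.exe", "signed": true}',
    r'{"ts": "2025-07-07T09:00:03", "id": 1, "pid": 4133, "ppid": 4100, "image": "C:\\Users\\fin\\AppData\\Local\\Temp\\svc_helper.exe", "signed": false}',
    r'{"ts": "2025-07-07T09:00:05", "id": 3, "pid": 4133, "dst": "203.0.113.45", "dport": 443}',
    r'{"ts": "2025-07-07T09:00:06", "id": 3, "pid": 4120, "dst": "198.51.100.10", "dport": 443}',
]

# Hypothetical heuristics: substrings that mark a process as an installer, and how long
# after the installer started a child's outbound connection still counts as "post-install".
INSTALLER_HINTS = ("setup", "install", "msiexec")
POST_INSTALL_WINDOW = timedelta(minutes=10)


def find_post_install_beacons(lines):
    """Return network connections made by unsigned children of a recently started installer."""
    processes = {}   # pid -> process-creation event
    installers = {}  # pid of an installer process -> its start time
    findings = []
    for line in lines:
        event = json.loads(line)
        ts = datetime.fromisoformat(event["ts"])
        if event["id"] == 1:
            processes[event["pid"]] = event
            exe_name = event["image"].rsplit("\\", 1)[-1].lower()
            if any(hint in exe_name for hint in INSTALLER_HINTS):
                installers[event["pid"]] = ts
        elif event["id"] == 3:
            proc = processes.get(event["pid"])
            if proc is None or proc["signed"]:
                continue  # unknown process, or signed binary: outside this rule
            installer_start = installers.get(proc["ppid"])
            if installer_start is None or ts - installer_start > POST_INSTALL_WINDOW:
                continue  # parent is not a recent installer
            findings.append({
                "ts": event["ts"],
                "image": proc["image"],
                "dst": f'{event["dst"]}:{event["dport"]}',
                "parent_installer": processes[proc["ppid"]]["image"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_post_install_beacons(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, only the unsigned helper dropped into the Temp directory is reported; the signed converter that the installer legitimately launched is not, which keeps the rule focused on the hidden component rather than on every post-install connection.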
312-50v13 Exam Question 7
As a newly appointed network security analyst, you are tasked with ensuring that the organization's network can detect and prevent evasion techniques used by attackers. One commonly used evasion technique is packet fragmentation, which is designed to bypass intrusion detection systems (IDS). Which IDS configuration should be implemented to effectively counter this technique?
Correct Answer: A
According to the Certified Ethical Hacker (CEH) IDS/IPS and Evasion Techniques module, packet fragmentation is a technique attackers use to split malicious payloads into smaller fragments so that signature-based IDS sensors may fail to reassemble and inspect the complete packet. CEH explains that anomaly-based IDS systems are more effective against fragmentation evasion because they analyze behavioral deviations rather than relying solely on known signatures. Fragmented traffic often deviates from baseline network behavior in terms of packet size, sequencing, and reassembly anomalies. Option A is correct because anomaly-based detection can identify abnormal fragmentation behavior even if the payload itself does not match known signatures. Option B is unreliable, as attackers do not use consistent intervals. Option C is impractical, since legitimate traffic may be fragmented. Option D is less effective because signature-based IDS systems can be bypassed by fragmentation techniques. CEH recommends packet normalization and anomaly-based detection as effective countermeasures.
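To make the "reassembly anomalies" that an anomaly-based sensor looks for concrete, here is an added example (written for this page, not taken from CEH materials or any IDS product) of a minimal fragment reassembler that applies a first-write-wins policy and reports the behavioral deviations mentioned above: unusually small non-final fragments, overlapping fragments whose bytes disagree, and missing fragments. The fragment records, the eight-byte threshold and the byte-based offsets are constructed simplifications of the real IP header fields.

```python
from collections import defaultdict

# Constructed threshold: a non-final fragment carrying fewer payload bytes than this is
# treated as anomalous. Offsets below are in bytes for readability, not the 8-byte units
# the IP header actually uses.
MIN_NONFINAL_FRAGMENT = 8


def analyze_fragments(fragments):
    """Reassemble fragments per IP ID (first write wins) and report anomalies per datagram."""
    groups = defaultdict(list)
    for frag in fragments:
        groups[frag["id"]].append(frag)

    results = {}
    for ip_id, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        anomalies = []
        buffer = {}  # byte position -> byte value
        for frag in frags:
            if frag["mf"] and len(frag["data"]) < MIN_NONFINAL_FRAGMENT:
                anomalies.append(f"tiny non-final fragment at offset {frag['offset']}")
            conflict = False
            for i, value in enumerate(frag["data"]):
                pos = frag["offset"] + i
                if pos in buffer:
                    if buffer[pos] != value:
                        conflict = True  # a later fragment tries to rewrite earlier bytes
                else:
                    buffer[pos] = value
            if conflict:
                anomalies.append(f"overlapping fragment at offset {frag['offset']} carries conflicting data")

        last = frags[-1]
        payload = None
        if last["mf"]:
            anomalies.append("no final fragment seen")
        else:
            total = last["offset"] + len(last["data"])
            if all(pos in buffer for pos in range(total)):
                payload = bytes(buffer[pos] for pos in range(total))
            else:
                anomalies.append("gap in fragment sequence")
        results[ip_id] = {"payload": payload, "anomalies": anomalies}
    return results


# Constructed sample: ID 1 is a clean two-fragment datagram; ID 2 mixes a tiny overlapping
# fragment with conflicting bytes, the kind of pattern an anomaly-based sensor should flag.
SAMPLE_FRAGMENTS = [
    {"id": 1, "offset": 0, "mf": True,  "data": b"GET /ind"},
    {"id": 1, "offset": 8, "mf": False, "data": b"ex.h"},
    {"id": 2, "offset": 0, "mf": True,  "data": b"AAAABBBB"},
    {"id": 2, "offset": 4, "mf": True,  "data": b"CCCC"},
    {"id": 2, "offset": 8, "mf": False, "data": b"DDDD"},
]

if __name__ == "__main__":
    for ip_id, result in analyze_fragments(SAMPLE_FRAGMENTS).items():
        print(ip_id, result)
```

The point of the overlap check is that different operating systems resolve conflicting overlaps differently, so a sensor that only reassembles one way can see a different stream than the host does; reporting the conflict itself, independently of any payload signature, is what the anomaly-based approach buys. Packet normalization, also recommended above, is the in-line version of the same idea: rewrite the fragments into one unambiguous stream before the host sees them.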
312-50v13 Exam Question 8
In the bustling tech hub of Silicon Valley, cybersecurity investigator Elena Martinez found herself deep into a late-night investigation at Horizon Tech Solutions on July 7, 2025. The company had reported sporadic network disruptions affecting their research team's access to critical project files. Elena, working under the cover of a maintenance window from midnight to 3 AM PDT, began monitoring the internal network, focusing on a subnet reserved for the R&D department. She noticed a pattern of failed connection attempts logged just before each disruption, with multiple hosts reporting temporary IP address conflicts. Suspecting foul play, Elena deployed a discreet test to simulate an internal threat scenario. Shortly afterward, several workstations began showing unfamiliar gateway settings and redirected users to misleading login portals during routine access attempts. Despite these anomalies, no security alerts were triggered. What type of attack technique did Elena most likely simulate?
Correct Answer: D
A Rogue DHCP Server attack best fits the symptoms because it directly explains unexpected gateway changes, IP conflicts, and traffic redirection to deceptive portals. In CEH network attack coverage, DHCP is a foundational service that automatically provides clients with IP configuration such as IP address, subnet mask, default gateway, and DNS servers. If an attacker introduces a rogue DHCP server on the same broadcast domain, clients may accept leases from the rogue server, especially if it responds faster than the legitimate DHCP infrastructure. Once that happens, the attacker can push a malicious default gateway or DNS server to victims. This allows redirection of traffic, man-in-the-middle positioning, and phishing-style interception, which matches the "unfamiliar gateway settings" and "misleading login portals" described. The mention of "temporary IP address conflicts" also aligns: a rogue server can hand out addresses that overlap with legitimate allocations, causing intermittent connectivity issues and failed connection attempts. While a DHCP starvation attack can create disruption by exhausting the DHCP pool, the key difference is outcome: starvation primarily denies service until a rogue server takes over. Here, the defining observable behavior is not just outage; it is misconfiguration and redirection, which points to the presence of a rogue DHCP server actively issuing malicious leases. Packet sniffing alone would not change gateway settings, and MAC flooding is aimed at forcing switches to behave like hubs, not issuing IP configuration. Defensive controls include DHCP snooping, port security, network segmentation, and monitoring for unauthorized DHCP offers and anomalous lease patterns.
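The last control listed, monitoring for unauthorized DHCP offers and anomalous lease patterns, is the one that would have raised an alert in the scenario. The following added example (written for this page; it is not CEH material and the log format is constructed, not any vendor's syslog format) audits a stream of DHCPOFFER records against an allowlist of authorized servers and the expected gateway and DNS values, and also flags an address being offered to two different clients, which is the "temporary IP address conflict" symptom described above.

```python
import re

# Assumed environment facts: the only authorized DHCP server on this subnet and the
# router/DNS values its offers should always carry.
AUTHORIZED_SERVERS = {"10.20.0.2"}
EXPECTED_OPTIONS = {"router": "10.20.0.1", "dns": "10.20.0.10"}

# Constructed log line layout (not a real DHCP server's format).
OFFER_RE = re.compile(
    r"^(?P<ts>\S+) DHCPOFFER server=(?P<server>\S+) smac=(?P<smac>\S+) "
    r"client=(?P<client>\S+) yiaddr=(?P<yiaddr>\S+) router=(?P<router>\S+) dns=(?P<dns>\S+)$"
)

# Constructed sample: one legitimate offer, one offer from an unknown server that points
# clients at itself, then the real server offering an address the rogue already handed out.
SAMPLE_LOG = """
2025-07-07T00:14:01 DHCPOFFER server=10.20.0.2 smac=00:50:56:aa:00:02 client=3c:52:82:00:00:01 yiaddr=10.20.0.50 router=10.20.0.1 dns=10.20.0.10
2025-07-07T00:14:03 DHCPOFFER server=10.20.0.99 smac=08:00:27:13:37:01 client=3c:52:82:00:00:02 yiaddr=10.20.0.51 router=10.20.0.99 dns=10.20.0.99
2025-07-07T00:14:04 DHCPOFFER server=10.20.0.2 smac=00:50:56:aa:00:02 client=3c:52:82:00:00:03 yiaddr=10.20.0.51 router=10.20.0.1 dns=10.20.0.10
2025-07-07T00:14:05 some unrelated syslog line
""".strip().splitlines()


def audit_offers(lines):
    """Return one finding per DHCPOFFER that is unauthorized, misconfigured, or conflicting."""
    findings = []
    offered = {}  # yiaddr -> client MAC that was last offered this address
    for line in lines:
        match = OFFER_RE.match(line)
        if not match:
            continue  # not an offer record
        offer = match.groupdict()
        reasons = []
        if offer["server"] not in AUTHORIZED_SERVERS:
            reasons.append(f"offer from unauthorized server {offer['server']} ({offer['smac']})")
        for option, expected in EXPECTED_OPTIONS.items():
            if offer[option] != expected:
                reasons.append(f"unexpected {option} {offer[option]} (expected {expected})")
        previous_client = offered.get(offer["yiaddr"])
        if previous_client and previous_client != offer["client"]:
            reasons.append(f"address {offer['yiaddr']} already offered to {previous_client}")
        offered[offer["yiaddr"]] = offer["client"]
        if reasons:
            findings.append({"ts": offer["ts"], "server": offer["server"],
                             "client": offer["client"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_offers(SAMPLE_LOG):
        print(finding)
```

Where DHCP snooping is available on the switches, the allowlist check becomes an enforced port trust boundary rather than an after-the-fact alert; the audit above is the monitoring fallback for segments where that control is not in place, and the conflict check catches the rogue even when it imitates the legitimate gateway and DNS values.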
312-50v13 Exam Question 9
A fintech startup in Austin, Texas deploys several virtual machines within a public cloud environment. During an authorized cloud security assessment, a tester uploads a small script to one of the instances through a web application vulnerability. After executing the script locally on the instance, the tester retrieves temporary access credentials associated with the instance's assigned role. These credentials are then used to enumerate storage resources and access additional cloud services within the same account. Which cloud attack technique best corresponds to this activity?
Correct Answer: C
The correct answer is IMDS Attack. CEH cloud security material explains that cloud instances often obtain temporary credentials from an Instance Metadata Service, commonly called IMDS, which supplies identity and role-based access details to workloads running on the virtual machine. If an attacker gains code execution on the instance, even through a separate web application flaw, the attacker may query the metadata endpoint locally and retrieve temporary credentials associated with the instance role. That is precisely what happens in this scenario: the tester runs a script on the VM, extracts temporary role credentials, and then uses them to enumerate storage and other services within the same cloud account. Wrapping attacks target SOAP message manipulation, while cloud snooper and CP DoS do not match the behavior of harvesting role credentials from local cloud metadata. CEH emphasizes that overprivileged instance roles and exposed metadata access can allow attackers to pivot from a single compromised workload into broader cloud service access. Because the key step is retrieving temporary credentials from the instance metadata service, the best match is IMDS Attack.
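The two conditions CEH singles out, exposed metadata access and overprivileged instance roles, can both be checked from an instance's configuration. This added example is written for this page and is not CEH or cloud-provider code; the "MetadataOptions" keys mirror the field names the EC2 DescribeInstances API returns (HttpEndpoint, HttpTokens, HttpPutResponseHopLimit), while attaching "RolePolicy" directly to the instance record is a simplification of what would in practice be a separate IAM lookup, and both instance records are constructed.

```python
# Constructed instance descriptions: one with the weak settings that make the scenario
# possible, one hardened. HttpTokens=required forces the session-token (IMDSv2) flow, and
# a hop limit of 1 keeps metadata responses from being forwarded beyond the instance itself.
WEAK_INSTANCE = {
    "InstanceId": "i-EXAMPLE-weak",
    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
    "RolePolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
}
HARDENED_INSTANCE = {
    "InstanceId": "i-EXAMPLE-hardened",
    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1},
    "RolePolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]},
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def assess_instance(instance):
    """Return findings describing metadata-service exposure and role overprivilege."""
    findings = []
    opts = instance["MetadataOptions"]
    if opts.get("HttpEndpoint") == "enabled":
        if opts.get("HttpTokens") != "required":
            findings.append("IMDSv1 allowed: set HttpTokens=required so credential reads need a session token")
        if opts.get("HttpPutResponseHopLimit", 1) > 1:
            findings.append(f"hop limit {opts['HttpPutResponseHopLimit']}: containers or forwarded "
                            "requests on the host can reach the metadata service")
    for statement in instance["RolePolicy"].get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        wildcard_action = any(action == "*" or action.endswith(":*") for action in actions)
        wildcard_resource = "*" in resources
        if wildcard_action or wildcard_resource:
            findings.append(f"overprivileged role statement: Action={actions} Resource={resources}")
    return findings


if __name__ == "__main__":
    for instance in (WEAK_INSTANCE, HARDENED_INSTANCE):
        print(instance["InstanceId"], assess_instance(instance) or ["no findings"])
```

Requiring session tokens does not stop an attacker who already has code execution on the instance from reading credentials, since that code can request a token too; it mainly closes the server-side request forgery path to the endpoint. That is why the role-policy check matters as much as the metadata settings: the blast radius of the scenario is set by what the harvested credentials are allowed to do.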
312-50v13 Exam Question 10
During a reconnaissance engagement at a law firm in Houston, Texas, you are tasked with analyzing the physical movement of employees through their publicly shared media. By examining geotagged images and mapping them to specific locations, you aim to evaluate whether staff are unintentionally disclosing sensitive information about office routines. Which tool from the reconnaissance toolkit would best support this task?
Correct Answer: A
The correct answer is A, Creepy, because the task is specifically about extracting and analyzing geolocation information (geotags) from publicly shared media and mapping that data to real-world locations to infer employee movement patterns. In CEH-aligned reconnaissance/OSINT workflows, geolocation intelligence is a common element of footprinting because it can reveal sensitive operational details such as office locations, travel routines, meeting venues, home addresses, and patterns of presence/absence. Tools designed for geolocation OSINT help testers identify whether staff are unintentionally exposing location metadata through social media posts, uploaded photos, or other public sources. Creepy is purpose-built for geolocation reconnaissance: it collects location metadata associated with content and presents results in a way that supports mapping and timeline-style analysis, helping analysts correlate people, posts, and coordinates. This directly supports the goal of evaluating whether employees are disclosing sensitive information about office routines by publishing geotagged images. When used in an authorized assessment, such tooling helps demonstrate risk in a measurable way; for example, showing clusters of posts around a specific building, repeated visits at predictable times, or regular travel routes that could support surveillance, targeted social engineering, or physical intrusion planning. Why the other options are less suitable: Social Searcher is primarily used for monitoring and searching social media content by keywords, usernames, hashtags, and mentions; it is useful for broad OSINT collection but is not specifically focused on geotag extraction and movement mapping. Sherlock is designed to find a username across many platforms, helping link identities, but it does not specialize in geolocation mapping. Maltego is a powerful link-analysis platform that can correlate entities (people, domains, emails, social profiles) and can support OSINT investigations, but for the narrow requirement of extracting and mapping geotagged location data from media, Creepy is the most direct and purpose-specific tool. Therefore, the best tool for this geotagged image movement analysis task is Creepy.
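The underlying mechanism, EXIF GPS tags resolved to coordinates and compared against a place of interest, is the same whether an assessor measures exposure or a firm audits its own images before they are published. The following added example (written for this page; it is not Creepy's code or CEH material) takes the defensive side: it converts EXIF-style degrees/minutes/seconds rationals to decimal degrees and reports any photo tagged within a radius of a sensitive site, so the metadata can be stripped before publication. The office coordinates, the photo records and the GPSInfo tag layout (tag 1/3 hemisphere references, tag 2/4 latitude/longitude as (numerator, denominator) pairs) are constructed inputs.

```python
import math

# Constructed: a sensitive site to audit against. Real deployments would load these from
# an asset inventory.
SENSITIVE_SITES = {"law firm office (constructed coordinates)": (29.7604, -95.3698)}

# Constructed photo records. The "gps" dict follows the EXIF GPSInfo tag numbering so the
# same code works on what an EXIF library returns once rationals are expressed as pairs.
SAMPLE_PHOTOS = [
    {"name": "lobby_selfie.jpg", "gps": {1: "N", 2: ((29, 1), (45, 1), (3816, 100)),
                                         3: "W", 4: ((95, 1), (22, 1), (12, 1))}},
    {"name": "conference_austin.jpg", "gps": {1: "N", 2: ((30, 1), (16, 1), (192, 100)),
                                              3: "W", 4: ((97, 1), (44, 1), (3516, 100))}},
    {"name": "no_location.jpg", "gps": None},
]


def dms_to_decimal(dms, ref):
    """Convert (deg, min, sec) rational pairs plus an N/S/E/W reference to decimal degrees."""
    degrees, minutes, seconds = (num / den for num, den in dms)
    value = degrees + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres using a 6371 km mean Earth radius."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(a))


def audit_photo_locations(photos, sites=SENSITIVE_SITES, radius_m=200):
    """Return the photos whose embedded GPS tag lies within radius_m of a sensitive site."""
    flagged = []
    for photo in photos:
        gps = photo["gps"]
        if not gps or 2 not in gps or 4 not in gps:
            continue  # no coordinates embedded: nothing to leak
        lat = dms_to_decimal(gps[2], gps.get(1, "N"))
        lon = dms_to_decimal(gps[4], gps.get(3, "E"))
        for site, (site_lat, site_lon) in sites.items():
            distance = haversine_m(lat, lon, site_lat, site_lon)
            if distance <= radius_m:
                flagged.append({"name": photo["name"], "site": site, "distance_m": round(distance)})
    return flagged


if __name__ == "__main__":
    for hit in audit_photo_locations(SAMPLE_PHOTOS):
        print(hit)
```

Only the photo taken a few dozen metres from the office is reported; the conference photo from another city and the image without a GPS tag pass. Extending the check with the photo timestamps turns it into the "repeated visits at predictable times" analysis described above, which is the finding an assessor would show to justify a metadata-stripping policy for staff-published images.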