Question 7 - CompTIA (CYSA+) Analyst+ CS0-003 Real Exam Questions [March 2026 Update]

Q: 7

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization's endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor's actions?

Options

Discussion

Ben F. Feb 14, 2026 9:30 pm

Option D, It's Weaponization, not B-compiling and testing the payload is past recon stage. Trap here is thinking OSINT always means B.

Piya N. Feb 19, 2026 7:33 pm

C/D? Pretty sure D is correct, compiling and testing points to Weaponization, but OSINT mention could trip people up into picking B.

Maya K. Mar 1, 2026 11:59 pm

B tbh, saw a similar question in a practice set once and picked Reconnaissance because of the OSINT mention.

Mason A. Feb 18, 2026 2:20 am

D , official guide and some practice tests cover these kill chain phases well.

Arjun F. Feb 23, 2026 1:53 am

Nah, I think B here. OSINT gathering feels like the trap choice in this scenario.

AishaJ Mar 3, 2026 10:18 am

Avery V. Feb 24, 2026 4:54 am

D . The compiling and testing part puts it squarely in Weaponization, since they're creating the malware with evasion in mind. B is tempting because of the OSINT from forums, but that's just prep data, not the main action. Saw a similar question on a practice set. Anyone disagree?

Chris L. Feb 23, 2026 10:01 am

D or B depending on how you read it. The compiling and testing part is clearly Weaponization (D), but if the focus was just on gathering info using OSINT, then it'd fall under Reconnaissance (B). Here though, since they're building malware based on what they learned, I think D makes more sense. But it's one of those edge Kill Chain cases where wording really matters. Anyone see it different?

QuietEngineer19 Feb 15, 2026 4:00 pm

C. not D

Skyler Feb 18, 2026 9:49 am

C , since they're testing the downloader, feels like they're checking if it can exploit something. I know weaponization is close here but exploitation also covers where malware tries to beat defenses. Not totally sure though.

Be respectful. No spam.

Correct Answer:

Explanation

The threat actor's actions of compiling, testing, and modifying a malicious downloader to evade specific security controls fall directly into the Weaponization stage of the Cyber Kill Chain. This stage is defined by the creation or modification of a malicious payload (the "weapon") that is tailored to the target environment. The actor is using intelligence gathered during reconnaissance to build an effective tool for the subsequent stages of the attack. The primary activity described is the creation of the malicious artifact, not its delivery or execution.

Why Incorrect

A. Delivery: This stage involves transmitting the weapon to the target (e.g., via a phishing email or a malicious website), which has not yet occurred in the scenario.

B. Reconnaissance: This stage focuses on gathering information about the target. While the actor used intelligence, the core action described is building the tool, not gathering the data.

C. Exploitation: This stage involves triggering the malicious code on the victim's system to gain access. The actor is still in the preparation phase on their own systems.

References

1. Hutchins

E. M.

Cloppert

M. J.

& Amin

R. M. (2011). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation. In Section 3

"Stage 2: Weaponization

" the authors state

"Weaponization...couples a remote access trojan with an exploit into a deliverable payload." This directly aligns with creating a malicious downloader.

2. NIST. (2016). NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing. National Institute of Standards and Technology. Section 2.3.1 describes the Cyber Kill Chain

where Weaponization is the stage for creating the malicious payload before the Delivery stage.

3. SANS Institute. (2015). The Sliding Scale of Cyber Security. SANS Technology Institute. Page 5 describes the kill chain stages

defining Weaponization as the point where an attacker "chooses a weapon...and packages it for delivery." The act of compiling and testing fits this definition.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE