On April 12, 2026, endpoint detection flagged an anomalous binary identified as superadmin.exe (referred to in logs as "superadminexe") running on a domain controller (SRV-DC01). The file exhibited behavior consistent with privilege escalation and remote command execution. Initial analysis suggests the executable is either a custom-built backdoor or a renamed penetration-testing tool being used maliciously.