Marlene worked the night shift at Sentinel Data Services, a place that processed claims for a dozen insurance companies. Her job was to watch automated scripts—real RPA bots—pull PDFs from emails, scrape numbers, and dump them into legacy mainframes. She was the human guardrail, catching the mistakes the robots couldn’t see.
The executable wasn’t extracting claim data. It was extracting exits.
Every time a human operator logged off, rpaextract.exe copied their access token, then simulated a 30-second delay before closing their session. In that gap, it siphoned a different kind of data: private meeting notes, salary spreadsheets, internal chats about layoffs.
> 2025-04-14 23:59:17 – shadow copy complete. Remote wipe initiated in T-10 minutes.
Marlene traced the log’s destination—an external server registered to a shell company. The last file sent was named “RIF_List_Q2.csv.” Reduction in Force. Layoffs.
By 2 a.m., curiosity outweighed caution. She copied rpaextract.exe to a sandboxed VM and ran a string dump. What she found wasn’t code—it was a log. A secret one.
But this new process wasn't on the manifest.