In the latest in the saga of compromise involving a max-critical Cisco bug that has been exploited as a zero-day as users waited for patches, several security researchers reported observing a sharp decline in the number of infected Cisco IOS XE systems visible to them over the weekend.

The drop sparked a rnge of theories as to why, but researchers from Fox-IT on Oct. 23 identified the real reason as having to do with the attacker simply altering the implant, so it is no longer visible via previous fingerprinting methods.