Late in the evening on April 16, 2026 (UTC), Huntress registered a cluster of high-severity detections on a single workstation, [REDACTED-WRKSTN], in one of our partner environments. The Huntress Managed EDR signals told the SOC a familiar story—a cmd.exe spawning as a service, an smbexec.py-style service-name pattern, a Microsoft Defender quarantine on svchost.exe-labeled Behavior:Win32/RegDump.SA—but the tail of the detection chain was new: a PowerShell one-liner pulling an installer from raw.githubusercontent[.]com/komari-monitor/komari-agent and wiring it up as a SYSTEM service called “Windows Update Service”.