What makes the TelemetryController backdoor stealthy compared to other persistence mechanisms?
This backdoor is particularly stealthy because it abuses a legitimate, signed Microsoft process (`CompatTelRunner.exe`) and a scheduled task that is enabled by default, so it does not raise red flags in most autoruns or startup inspections. It also works in a disconnected network state and executes with **System** privileges, giving full control over the host. Unlike many persistence methods, it does not require adding new scheduled tasks or services: it simply modifies a registry key that is infrequently checked. For analogous techniques that abuse trusted components, see discussions on Backdoor Implementation Using VMware Tools or Transport Agent as an Exchange Backdoor.
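Because the answer above stresses that the technique hides in a registry key most tools never inspect, the practical follow-up is an audit that does inspect it. The script below is an added example, not part of the original answer: it enumerates the TelemetryController key for any `Command` value, flags values that point outside `%SystemRoot%` or invoke a script interpreter, and reports the state of the scheduled task that drives `CompatTelRunner.exe`. The registry path and the task name are taken from public write-ups of this technique, not from the answer itself (which only says "a registry key"), so treat both as assumptions and confirm them against a known-clean host before relying on the output.

```powershell
# Added defender-side audit for the TelemetryController persistence technique.
# ASSUMPTION: the key path and the scheduled-task name below come from public
# descriptions of the technique; the answer on this page does not name them.
$TelemetryKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController'
$AppraiserTask = @{ TaskPath = '\Microsoft\Windows\Application Experience\'; TaskName = 'Microsoft Compatibility Appraiser' }

function Get-TelemetryControllerCommands {
    # Returns one object per subkey that carries a 'Command' value.
    # On a clean host this list is normally empty, which is why any hit is worth a look.
    if (-not (Test-Path $TelemetryKey)) { return @() }
    Get-ChildItem -Path $TelemetryKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains 'Command')) {
            [pscustomobject]@{
                SubKey  = $_.PSChildName
                Command = [string]$props.Command
            }
        }
    }
}

function Test-SuspiciousCommand {
    param([string]$Command)
    # Heuristic, not proof: a command that names a script interpreter or LOLBin,
    # or that lives outside %SystemRoot%, is the pattern this backdoor relies on.
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $lower = $Command.ToLowerInvariant().Trim('"')
    $interpreters = @('powershell', 'pwsh', 'cmd.exe', 'rundll32', 'mshta', 'wscript', 'cscript', 'regsvr32', 'msiexec')
    foreach ($i in $interpreters) {
        if ($lower -like "*$i*") { return $true }
    }
    $sysRoot = ([string]$env:SystemRoot).ToLowerInvariant()
    return -not ($sysRoot -and $lower.StartsWith($sysRoot))
}

# --- Report -------------------------------------------------------------
$findings = @(Get-TelemetryControllerCommands)
if ($findings.Count -eq 0) {
    Write-Output "No 'Command' values found under $TelemetryKey."
}
foreach ($f in $findings) {
    $flag = if (Test-SuspiciousCommand -Command $f.Command) { 'SUSPICIOUS' } else { 'review' }
    Write-Output ("[{0}] {1}\{2} -> {3}" -f $flag, $TelemetryKey, $f.SubKey, $f.Command)
}

# The task is what turns a registry value into execution as SYSTEM, offline or not,
# so its state and last-run time belong in the same triage record.
$task = Get-ScheduledTask @AppraiserTask -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    Write-Output ("Appraiser task: state={0} lastRun={1} nextRun={2}" -f $task.State, $info.LastRunTime, $info.NextRunTime)
} else {
    Write-Output "Appraiser task not found at $($AppraiserTask.TaskPath)$($AppraiserTask.TaskName) (name assumed; verify locally)."
}
```

Run it from an elevated PowerShell session, since the key lives under `HKLM`. For continuous coverage rather than a point-in-time sweep, the same key path is the natural target for a registry-write monitoring rule (for example a Sysmon registry-event filter) so that the modification is logged at the moment it happens rather than discovered later; remediation is to remove the injected `Command` value after preserving it for the incident record.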
Tags: stealth, evasion, System privileges, legitimate process, autoruns bypass, offline trigger