I recall reading an article where they described daesh methods of communicating with potential recruits. The recruiters would create a new email account on yahoo then create a draft email with instructions on where to go, who to meet, etc. They would never actually send the message, nor use the account for emailing. They would then only give the username/password to the recruits for the account, the recruit would log in, and then just read the message in the drafts folder. So the 'rootkit' probably only looked for 1. New accounts created and were only logged into 1 or 2 times 2. Look at the origin IP of the new account. 3. Look for login access of an account who's origin is wildly different than where it came from when created. Just a theory...