Organizations often assume that restoring a backup to a patched environment eliminates threats. However, backups encapsulate both data and schema objects, including triggers. A compromised backup, often taken after an initial breach, may contain hidden triggers that reactivate the attacker’s access upon restore. This post explores how malicious triggers in compromised backups can serve as persistence mechanisms for attackers and how to mitigate this threat.