Intelligence Insights: June 2025


Amber Albatross abides and Mocha Manakin manifests in this month’s edition of Intelligence Insights

The Red Canary Team

Highlights from May

Amber Albatross is number 1 on our top 10 most prevalent threat list this month, for the third month running. Amber Albatross is Red Canary’s name for a cluster of activity that starts from an adware program and leads to a pyInstaller EXE with stealer-like capabilities.

We saw increased SocGholish activity last month, enough to return it to the rankings in a tie for 4th with Mimikatz. Another threat that returned to the rankings in May is AsyncRAT, making the list for the first time since September 2024. AsyncRAT shares a four-way tie for 7th with three worm threats: Conficker, Gamarue, and Phorpiex.

 

One threat that’s noticeably missing from our most prevalent threat list is LummaC2. It spent 9 of the past 12 months in the top 10 rankings, so its absence suggests that May’s disruption of LummaC2’s operations was successful. It is unclear whether this disruption will be permanent, or whether adversaries will stand up new infrastructure so they can resume using LummaC2.

This month we are debuting a new color bird threat, Mocha Manakin. Mocha Manakin is a Red Canary-named activity cluster delivered via paste and run (aka ClickFix, fakeCAPTCHA), and is our first named paste-and-run threat cluster out of the several we have been tracking since August 2024.

Mocha Manakin is distinct from other paste-and-run clusters because it is followed by the deployment of a NodeJS backdoor that Red Canary is calling NodeInitRAT. You can read more about Mocha Manakin and NodeInitRAT below, as well as in this blog.

This month’s top 10 threats

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.

Here’s how the numbers shook out for May 2025:

Month's rank | Threat name | Threat description
1 | Amber Albatross | Red Canary-named cluster of activity that starts from an adware program and progresses through several stages to a pyInstaller EXE with stealer capabilities
2 |  | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access
3 |  | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems
4* | Mimikatz | Open source tool that dumps credentials using various techniques
4* | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code
6 |  | Red Canary's name for a VBS worm that is delivered via an infected USB and uses a printui DLL hijack to deliver a cryptomining payload
7* | AsyncRAT | Open source remote access tool with multiple functions including keylogging and remote desktop control
7* | Conficker | Ancient NetBIOS and USB worm that has plagued the internet since 2008. What is dead may never die.
7* | Gamarue | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
7* | Phorpiex | IRC-based botnet that spreads via USB worm functionality and also sends spam emails to phish additional users, and has reportedly delivered ransomware and cryptocurrency miners

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

 

Meet Mocha Manakin

Mocha Manakin, Red Canary’s newest color bird threat, is an activity cluster that leverages a PowerShell loader delivered via paste and run (aka ClickFix, fakeCAPTCHA). The majority of the paste and run activity we’ve observed has led to LummaC2, HijackLoader, or NetSupport Manager—although we have seen other payloads as well, including Vidar and XMRig.

Mocha Manakin is distinct because its successful paste and run lure execution is followed by the deployment of a specific NodeJS backdoor that Red Canary calls NodeInitRAT. Once this backdoor is deployed, the adversary can conduct domain reconnaissance, typically enumerating principal names and general domain details.

Mocha Manakin has overlaps in activity related to Interlock ransomware—a ransomware group that has been active since at least September 2024—as reported by Sekoia.io, including:

  • the use of paste and run for initial access
  • follow-on delivery of the NodeJS remote access trojan we call NodeInitRAT
  • some of the same infrastructure

 

As of May 2025, Red Canary has not directly observed Mocha Manakin activity progress to ransomware. However, we assess with moderate confidence that unmitigated Mocha Manakin activity will likely lead to ransomware.

For more detail on Mocha Manakin and NodeInitRAT, see our blog on these topics.

Detection opportunity: Instances of NodeJS spawning Windows Command Processor to add a registry key

The following pseudo-detection analytic identifies instances of NodeJS, node.exe, spawning Windows Command Processor, cmd.exe, to add a registry key. NodeJS-based remote access trojans (RATs), including NodeInitRAT, can use Windows registry keys to establish persistence on a system. While normal behavior for node.exe includes spawning instances of cmd.exe, creating registry run keys with those instances is not.

parent_process == ('node.exe')
&&
process == ('cmd')
&&
deobfuscated_command_includes ('reg add' || 'run')
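As an added example (not Red Canary's code), the analytic above implemented in Python over constructed process-creation events. It assumes a simple event schema (parent image, image, command line), stands in for the deobfuscated_command field with caret stripping and case folding, and tightens the 'run' clause to a Run/RunOnce key path so that the benign `cmd /c npm run <script>` that node.exe spawns all day never fires.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """One process-creation event (constructed schema, not Red Canary's)."""
    parent_image: str
    image: str
    command_line: str

# Registry Run/RunOnce key path: the persistence location the analytic cares about.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\b")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def normalize_cmd(command_line: str) -> str:
    """Stand-in for the analytic's deobfuscated_command field (assumption: the real
    field does more). Drops cmd.exe caret escapes, collapses whitespace and lowercases
    so 'r^eg  A^DD' compares equal to 'reg add'."""
    text = command_line.replace("^", "")
    return re.sub(r"\s+", " ", text).strip().lower()

def matches_node_cmd_reg_persistence(ev: ProcessEvent) -> bool:
    """node.exe spawning cmd.exe whose command line adds a value under a Run key."""
    if basename(ev.parent_image) != "node.exe" or basename(ev.image) != "cmd.exe":
        return False
    cmd = normalize_cmd(ev.command_line)
    # Require both clauses ('reg add' AND a Run/RunOnce path) so the very common
    # benign 'cmd /c npm run <script>' spawned by node.exe never fires.
    return "reg add" in cmd and RUN_KEY_RE.search(cmd) is not None

def run_detection(events: list[ProcessEvent]) -> list[int]:
    return [i for i, ev in enumerate(events) if matches_node_cmd_reg_persistence(ev)]

NODE = r"C:\Program Files\nodejs\node.exe"
CMD = r"C:\Windows\System32\cmd.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample telemetry: events 1 and 2 should fire, 0 and 3 should not.
SAMPLE_EVENTS = [
    ProcessEvent(NODE, CMD, 'cmd.exe /d /s /c "npm run build"'),
    ProcessEvent(NODE, CMD, f'cmd.exe /c reg add {RUN_KEY} /v Updater /t REG_SZ /d C:\\Users\\Public\\init.js /f'),
    ProcessEvent(NODE, CMD, 'cmd.exe /c r^eg  A^DD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\R^un /v Updater /d C:\\Users\\Public\\init.js'),
    ProcessEvent(r"C:\Windows\explorer.exe", CMD, f'cmd.exe /c reg add {RUN_KEY} /v Updater /d C:\\x.exe'),
]

if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i].command_line}")
```

Event 3 is deliberately not matched: a Run-key write from explorer.exe may well deserve its own analytic, but it is outside the node.exe-to-cmd.exe relationship this one is scoped to.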
 
