
We’re excited to press play on Threat sounds vol. 6, a playlist to accompany the 2026 Threat Detection Report. For the sixth year in a row, we picked a song for each of the most prevalent threats, trends, and ATT&CK® techniques Red Canary observed this past year. Read our liner notes below, and listen to the full playlist on Spotify!
It was only natural to pair the most prevalent threat of 2025 with the year’s biggest pop star. Amber Albatross’s PyInstaller executable is usually delivered via potentially unwanted programs (PUPs), and she’s here to destroy you.
Even though it executes encoded commands in the background, this AI chat bot does eventually answer your questions down the line.
Like how Kendrick Lamar bakes subtle digs at Drake into his lyrics, Tampered Chef uses steganographic content to tamper with a victim’s browser settings.
What the hell is NetSupport Manager doing in your environment? This weirdo RMM tool doesn’t belong here.
LummaC2 was one of several malware variants that fell when Operation Endgame geared up in 2025. We thought the KPop Demon Hunters connection was so obvious.
In 2025, Scarlet Goldfinch ditched its signature fake updates lure and got on the paste-and-run bandwagon. Its latest variant has some thorns tucked into its curl command.
As malicious traffic distribution systems (TDS) like KongTuke can cause such a headache in your network, you might put on the soothing tones of Jack Johnson to help you chill out.
Given that SocGholish is known to swap out characters for homoglyphs in its filename lures, we picked an artist that uses only lowercase letters in their liner notes, just to be safe.
There’s something unsettling about this sugary sweet, uncharacteristically upbeat Cure song, and some of MintsLoader’s fake update lures are equally too-good-to-be-true.
To evoke the Rhadamanthys stealer-as-a-service, we conjured another demigod—Maui from Disney’s Moana—for help. You’re welcome indeed.
Everybody everywhere should do their share to detect CleanUpLoader before it leads to ransomware.
Attackers feel like they’re on cloud 9 when they get their hands on a pair of cloud account credentials.
The ultimate “forever technique,” PowerShell has made it into our top four techniques every year since our first report in 2019.
As blocking cmd.exe completely is untenable, distinguishing Windows Command Shell abuse can make a detection engineer feel like a shell of a human.
Attackers have to reach such great heights to get their hands on data stored in the cloud. Come down now, we say.
Attackers see many victim environments as BYOT–bring your own tools. These non-native utilities can operate stealthily, like ghost hardware.
We’re all lucky that when Beyoncé reached out to James Blake asking to collaborate on a track, her email didn’t get forwarded to an obscure folder like RSS Feeds.
Malicious WMI commands often blend in with legitimate activity, which gives us the Windows blues.
More than half of our top 10 threats used paste and run at some point in 2025, and we thought about just cut, cut pasting the lyrics of this song to explain it all.
After gaining access to a victim’s email account, attackers can create rules to move scam-related emails to a hidden place. And nobody breaks rules like Björk.
Attackers might employ obfuscation techniques, but our detection logic knows what they did in the dark.
With an access token in hand, an adversary can trick an application into granting consent for their malicious login.
Adversaries are using AI in many of the same ways defenders are, but you can stay ahead of the robot riot by fighting fire with fire.
Watch your step, kid. You best protect ya LLMs.
Few victims are opting to pay ransom demands after getting hit with ransomware, a rare win in this rich man’s world.
When an attacker can just log in instead of hacking in, stealing data becomes so easy.
Our Vulnerabilities page recounts the life of bugs in various software products like SAP NetWeaver, Microsoft Windows Server Update Services, and SharePoint.
Malware-as-a-service (MaaS) operators offer unsophisticated cybercriminals the opportunity to spin the wheel to execute the info-stealing malware of their choice.
Rabid Beatles fans known as “Apple Scruffs” used to wait outside of the Apple Corps offices for hours, not unlike how stealers like Atomic and MacSync lurk in the depths of your macOS environment.
Inside the devil’s Prada purse is a malicious browser extension or two.
Listen to the wind blow: If any of your software vendors get compromised, you’ll definitely want to break the chain.
Make sure you monitor for monitoring tools like ITarian and PDQ, even ones that are explicitly approved for use in your environment. They may not be the Real McCoy.