“##wo. re - v. co [. ] id. challengecf.exe then spawned cmd.exe to delete itself from disk. adversaries continue to use paste-and-run commands that leverage mshta to reach out to remote resources, and that gives us a detection opportunity. detection opportunity: mshta utilit…”
T1204.002 Malicious File
95%
“s name for an activity cluster that uses compromised web sites to trick users into executing malicious code. scarlet goldfinch has also used paste and run since 2025. all four of this month’s 2nd place threats currently leverage paste and run for delivery and initial execution.…”
T1204.002 Malicious File
91%
“been around since 2018, originally as a fork of arkei malware. in october 2025, researchers reported an updated version of vidar that has more advanced anti-analysis, data theft, and browser credential extraction capabilities. like several other threats in our top 10 list, the …”
T1555.003 Credentials from Web Browsers
87%
“to steal credentials and other data, it was last seen in our top 10 in september 2022. you can read more about vidar below. this month’s top 10 threats to track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat a…”
T1204.002 Malicious File
74%
“with esrmnlwrwm in nums set zuzapk to zuzapk & ( character id ( esrmnlwrwm - o ) ) end repeat return zuzapk end kzxrlybpxq red canary and other researchers continue to see both atomic stealer and macsync delivered via paste and run. in february 2026, we saw overlaps with a campai…”
T1202 Indirect Command Execution
71%
“##wo. re - v. co [. ] id. challengecf.exe then spawned cmd.exe to delete itself from disk. adversaries continue to use paste-and-run commands that leverage mshta to reach out to remote resources, and that gives us a detection opportunity. detection opportunity: mshta utilit…”
T1566.002 Spearphishing Link
30%
“intelligence insights: march 2026 highlights from february screenconnect remained at number 1 on this month’s top 10 most prevalent threat list. screenconnect is a connectwise product that administrators and adversaries alike use to remotely access and manage devices. similar …”
Summary
ScreenConnect stays the course, Mac infostealers surge, and Vidar resurfaces in this month’s edition of Intelligence Insights