Highlights from February
ScreenConnect remained at number 1 on this month’s top 10 most prevalent threat list. ScreenConnect is a ConnectWise product that administrators and adversaries alike use to remotely access and manage devices. Similar to prior months, the malicious ScreenConnect installations we saw were delivered via phishing with a variety of lure styles, including party invitations and Social Security documents. In a few instances, executing the phishing lure initially delivered a different remote monitoring and management (RMM) tool—we observed Datto, CentraStage, and Syncro—which then went on to install ScreenConnect.

We have a four-way tie for 2nd this month that includes one of last month’s newcomers, ClearFake, and top 10 frequent flier Scarlet Goldfinch. ClearFake is an activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques, often using fake CAPTCHA lures to trick users into executing code via paste and run. Scarlet Goldfinch is Red Canary’s name for an activity cluster that uses compromised websites to trick users into executing malicious code. Scarlet Goldfinch has also used paste and run since 2025.
All four of this month’s 2nd place threats currently leverage paste and run for delivery and initial execution.
Sharing in the tie for 2nd are Atomic Stealer and MacSync Stealer. Atomic Stealer (aka AMOS) is designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets. MacSync Stealer is also a macOS threat designed to access similarly sensitive information. This is the highest rank that both Atomic Stealer and MacSync Stealer have reached on our top 10 list, and this also marks MacSync’s first appearance on the list since its top 10 debut in December 2025. You can read more about our recent Atomic Stealer and MacSync observations below.
Vidar made the list in 6th. An infostealer used to steal credentials and other data, it was last seen in our top 10 in September 2022. You can read more about Vidar below.
This month’s top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for February 2026:

