{
	"id": "c912576d-04dd-43c9-ad2e-ebfec1d4bf7b",
	"created_at": "2026-04-06T01:32:34.983261Z",
	"updated_at": "2026-04-10T03:20:33.370575Z",
	"deleted_at": null,
	"sha1_hash": "3d0279b0f663980c2f96892edbee8ed035b70922",
	"title": "Intelligence Insights: July 2025",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94962,
	"plain_text": "Intelligence Insights: July 2025\r\nBy chris.brook@redcanary.com\r\nPublished: 2025-07-24 · Archived: 2026-04-06 00:25:59 UTC\r\nCleanUpLoader compromises, Poseidon Stealer debuts, and LummaC2 lives again in this month’s edition of Intelligence Insights\r\nJuly 24, 2025\r\n\r\nHighlights from June\r\n\r\nAmber Albatross kept its number 1 spot on our top 10 most prevalent threat list this month. Amber Albatross is Red Canary’s name for a cluster of activity that starts from an adware program and leads to a pyInstaller EXE with stealer-like capabilities. This month it shares a tie with Mimikatz, a credential dumping tool often used by red teams—although after additional review, Mimikatz’s increased detection volume appears to be due to unmarked testing and security researcher use.\r\n\r\nTying for third with SocGholish and making its debut in the top 10 is CleanUpLoader. Also known as Oyster/Broomstick, CleanUpLoader is a loader designed to maintain persistence and deliver additional threats. It has previously been leveraged by ransomware-linked actors, reportedly including adversaries that have deployed Rhysida ransomware. Red Canary and other researchers saw a significant uptick in CleanUpLoader activity early this June due to its use as a payload in malvertising campaigns. You can read more about this threat below.\r\nhttps://redcanary.com/blog/threat-intelligence/intelligence-insights-july-2025/\r\nPage 1 of 7\r\n\r\nAlso making its debut on our top 10 list, tying for eighth place, is Poseidon Stealer. Poseidon, an information stealer, targets macOS systems to obtain sensitive data from browsers, extensions, and other applications using AppleScript code. It’s a member of the macOS stealer family that shares similarities with Atomic Stealer (aka AMOS) both in its codebase and functionality. We began tracking the activity as Poseidon at the beginning of June 2025.\r\n\r\nOur research is ongoing, and it may be that after additional assessment, some of the activity we tracked as Poseidon will be better tracked as Odyssey retroactively due to Poseidon’s recent sale and rebrand. Numerous versions and frequent rebranding make differentiating between variations in the malware family challenging for defenders. That said, the similarities also mean that similar detection analytics work across variations on the theme. Based on our observations and third-party reporting, the recent uptick in activity is driven by an increase in the use of the macOS version of paste and run for initial access and execution.\r\n\r\nAbsent from last month’s list, LummaC2 reappeared on the top 10 list as another tie for eighth. Our observations indicate some LummaC2 infrastructure remains functional after the takedown earlier this year, and other researchers have seen continued low-level use of LummaC2 since late May 2025. As has been the case after other high-profile takedowns, the return of a threat at a lower volume is not atypical, and this appears to be the case for LummaC2 as well.\r\n\r\nThis month’s top 10 threats\r\n\r\nTo track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.\r\nHere’s how the numbers shook out for June 2025:\r\n\r\nMonth's rank | Threat name | Threat description\r\n➡ 1* | Amber Albatross | Red Canary-named cluster of activity that starts from an adware program and progresses through several stages to a pyInstaller EXE with stealer capabilities\r\n⬆ 1* | Mimikatz | Open source tool that dumps credentials using various techniques\r\n⬆ 3* | CleanUpLoader | A loader designed to maintain persistence and deliver additional threats\r\n⬆ 3* | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code\r\n⬆ 5* | Charcoal Stork | Suspected pay-per-install (PPI) provider that uses malvertising to deliver installers, often disguised as cracked games, fonts, or desktop wallpaper\r\n⬆ 5* | Metasploit Framework | Penetration testing framework used to probe systematic vulnerabilities on networks and servers to conduct post-exploitation activity on compromised hosts\r\n⬇ 5* | Scarlet Goldfinch | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems\r\n⬇ 8* | Conficker | Ancient NetBIOS and USB worm that has plagued the internet since 2008. What is dead may never die.\r\n⬆ 8* | Impacket | Collection of Python classes to construct/manipulate network protocols\r\n⬆ 8* | LummaC2 | Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads\r\n⬇ 8* | NetSupport Manager | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access\r\n⬆ 8* | Poseidon Stealer | Stealer targeting macOS systems to obtain sensitive data from browsers, extensions, and other applications using AppleScript code\r\n⬇ 8* | Tangerine Turkey | Red Canary's name for a VBS worm that is delivered via an infected USB and uses a printui DLL hijack to deliver a cryptomining payload\r\n\r\n⬆ = trending up from previous month\r\n⬇ = trending down from previous month\r\n➡ = no change in rank from previous month\r\n* Denotes a tie\r\n\r\nCleanUpLoader makes a mess with malvertising\r\n\r\nCleanUpLoader (aka Oyster/Broomstick) is a loader designed to maintain persistence and deliver additional threats. It made its first appearance in our top 10 this month due to a major malvertising campaign in June 2025. It’s previously been leveraged by adversaries that went on to deploy Rhysida ransomware, which makes it important to detect and remediate as early as possible. This is not the first time CleanUpLoader has been distributed in widespread malvertising and search engine optimization (SEO) poisoning operations; a similar campaign in June 2024 used malicious ads for fake downloads of Microsoft Teams and Google Chrome.\r\n\r\nThe activity we observed in June 2025 was primarily due to users attempting to download PuTTY or WinSCP, legitimate and widely used Windows tools for secure remote access and file transfer. By targeting IT personnel, the adversaries could possibly gain higher privileges if they were to obtain access to an endpoint via this campaign. After searching for the legitimate software, users are tricked into clicking on an SEO-optimized advertisement or typo-squatted link that leads to a copied version of the legitimate website.\r\n\r\n[Figure: screenshots from Arctic Wolf]\r\nOne example we observed directed users to this malicious site at putty[.]run, a copy of putty[.]org.\r\n[Figure: putty[.]org above, putty[.]run below]\r\n\r\nThe malicious website feeds users an executable with a name like putty.exe, masquerading as the requested software, then unpacks and executes CleanUpLoader malware. It’s typically distributed as DLL files that are executed using rundll32.exe, and when executed, leads to a number of behaviors including:\r\n- establishing persistence via a scheduled task, for example: schtasks.exe /Create /SC MINUTE /MO 3 /TN \"Security Updater\" /TR \"C:\\windows\\System32\\rundll32.exe C:\\users\\[redacted]\\AppData\\Roaming\\HQXYOCnhJRyac\\twain_96.dll DllRegisterServer\"\r\n- system and domain reconnaissance commands\r\n- outbound network connections, often by rundll32.exe, to external C2 infrastructure\r\n\r\n[Figure: Recent CleanUpLoader campaign at-a-glance]\r\n\r\nFortunately for defenders, this behavior has not changed significantly, meaning prior detection analytics for CleanUpLoader should still be effective. One example is CleanUpLoader’s use of rundll32.exe in the scheduled task it creates, which gives us a detection opportunity.\r\n\r\nDetection opportunity: Scheduled tasks that use rundll32.exe\r\n\r\nThe following pseudo-detection analytic identifies scheduled tasks using rundll32.exe. Adversaries, like those behind CleanUpLoader, abuse Rundll32 because it can make it hard to differentiate malicious activity from normal operations. Scheduled tasks do not normally use rundll32.exe.\r\nprocess == (schtasks)\r\n&&\r\ncommand_includes ('/create' || 'rundll32')\r\n\r\nSource: https://redcanary.com/blog/threat-intelligence/intelligence-insights-july-2025/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/threat-intelligence/intelligence-insights-july-2025/"
	],
	"report_names": [
		"intelligence-insights-july-2025"
	],
	"threat_actors": [],
	"ts_created_at": 1775439154,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d0279b0f663980c2f96892edbee8ed035b70922.pdf",
		"text": "https://archive.orkl.eu/3d0279b0f663980c2f96892edbee8ed035b70922.txt",
		"img": "https://archive.orkl.eu/3d0279b0f663980c2f96892edbee8ed035b70922.jpg"
	}
}