Intelligence Insights February 2026

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://redcanary.com/blog/threat-intelligence/intelligence-insights-february-2026/
• Blog Title: Intelligence Insights: February 2026
• Suggested Section: Pentesting Web -> Phishing Methodology (Ai Agent Mode Phishing / Social engineering variants) and/or Windows Hardening -> Useful Windows/PowerShell tradecraft (LOLBAS: WScript/mshta, PowerShell download cradles, WinHttp COM staging). Potentially add a small subsection under "Phishing Methodology" for "ClickFix/FakeCAPTCHA (paste-and-run)" with the observed command patterns and detection notes.

🎯 Content Summary

Title/Scope
Red Canary’s “Intelligence Insights: February 2026” summarizes the top threats observed in January 2026, emphasizing widespread abuse of legitimate Remote Monitoring and Management (RMM) tools (ScreenConnect, NetSupport Manager) and detailing two notable clusters that newly appear in this edition: ClearFake and PS1Bot. This post is not CVE-focused; it documents initial-access and payload delivery chains (phishing, com...

🔧 Technical Details

RMM as an access/persistence primitive (no CVE required): Social engineering (often phishing) can convince users to install legitimate RMM software (e.g., ScreenConnect via MSI). Once installed, the RMM client can call out to attacker-controlled infrastructure (e.g., fedralcourt[.]im) enabling hands-on-keyboard remote control. Treat unexpected RMM installs/executions and suspicious outbound destinations as high-signal indicators of compromise.

“Paste-and-run” (MITRE T1204.004) to replace exploits with user execution: Attackers present fake prompts (e.g., ClickFix/FakeCAPTCHA) that instruct users to copy and paste commands. Those commands commonly bootstrap payload delivery via PowerShell download cradles such as iex(irm ...) or staged downloaders that fetch script text, write it to disk (e.g., %TEMP%\FVL.ps1), and execute it with -ep bypass to evade policy controls.

Compromised-site JavaScript injection...

🤖 Agent Actions

Summary:

• Expanded clipboard/pastejacking page with 2026 ClearFake/Scarlet Goldfinch fake CAPTCHA/ClickFix evolution details, including LOLBAS WScript + SyncAppvPublishingServer abuse, etherhiding hosting paths, and new PowerShell cradle patterns (iex(irm) and WinHttp.WinHttpRequest staging).
• Added targeted detection/hunting guidance for these variants (process lineage, command-line indicators, network/CDN/blockchain beacons, temp .ps1 creation).
• Updated references to include the Red Canary February 2026 intelligence report.

Tests:

• Not run (documentation change).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://redcanary.com/blog/threat-intelligence/intelligence-insights-february-2026/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Phishing Methodology (Ai Agent Mode Phishing / Social engineering variants) and/or Windows Hardening -> Useful Windows/PowerShell tradecraft (LOLBAS: WScript/mshta, PowerShell download cradles, WinHttp COM staging). Potentially add a small subsection under "Phishing Methodology" for "ClickFix/FakeCAPTCHA (paste-and-run)" with the observed command patterns and detection notes.".

Repository Maintenance:

• MD Files Formatting: 948 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0