Intelligence Insights: January 2026
ID: 886d63f2-9498-50af-878c-36fd35fa0007
STIX ID: report--886d63f2-9498-50af-878c-36fd35fa0007
Feed Name: Red Canary
Remcos, a commercially available remote access tool frequently abused by adversaries, has been observed rising in use as a payload in campaigns (notably by Scarlet Goldfinch). The report documents delivery via paste-and-run lures, use of LOLBins such as the TCP/IP finger command and forfiles, curl/tar download-and-extract chains, and DLL sideloading into legitimate binaries. It includes example commands and IPs, and notes synchronous reporting by multiple researchers that indicates increasing popularity and active exploitation.
