Intelligence Insights: February 2025
ID: c45f3d44-1b38-56a6-ade9-953e2ff69ea2
STIX ID: report--c45f3d44-1b38-56a6-ade9-953e2ff69ea2
Feed Name: Red Canary
Red Canary documents Saffron Starling, a loader observed delivering payloads including Danabot, DarkGate, and Matanbuchus, and highlights a detection opportunity: wscript, cscript, or mshta spawning PowerShell to download and execute a payload. The report also reevaluates prior ChromeLoader activity, reclassifying a recent campaign as a Browser Assistant variant (a potentially unwanted program) that shares the file structure and obfuscation of traditional Browser Assistant but exhibits PDF-themed masquerading, suspicious install paths, and occasionally different signing certificates.
