Scarlet Goldfinch’s year in ClickFix
ID: f877ae49-09c9-5de0-af3a-e268d28c9b68
STIX ID: report--f877ae49-09c9-5de0-af3a-e268d28c9b68
Feed Name: Red Canary
Red Canary analyzes the Scarlet Goldfinch activity cluster (aka SmartApeSG/ZPHP), which uses malicious "paste and run" web-based lures to get victims to execute obfuscated command lines that download HTA/archives and deploy Remcos and NetSupport Manager via DLL sideloading; the report describes multiple evolutionary epochs of the campaign through 2025–early 2026, command-line obfuscation techniques, staging/persistence steps, and detection opportunities.