HackTool - CACTUSTORCH Remote Thread Creation

Sigma Rules

Summary
This detection rule identifies remote thread creation associated with the CACTUSTORCH tool. CACTUSTORCH is a remote access tool that threat actors can use to execute code on victim machines. The rule captures a specific behaviour that indicates misuse of script-hosting applications such as cscript.exe, wscript.exe and mshta.exe: creating a thread in another process. Remote thread creation can be used for stealthy code execution and often bypasses standard protections. The detection focuses on source images that would not normally be expected to perform such operations and on target processes located in the SysWOW64 directory, a combination that indicates potentially malicious activity. The rule therefore flags attempts by these known legitimate processes to create remote threads in a Windows environment.
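To show how the conditions described above translate into detection logic, here is an added Python example (not the Sigma rule itself, which may carry further conditions) that checks constructed Sysmon Event ID 8 (CreateRemoteThread) records for the script-host source image and SysWOW64 target pattern the summary describes.

```python
"""Added example: evaluates the CACTUSTORCH remote-thread conditions from the
summary over constructed Sysmon Event ID 8 records. Not the Sigma rule."""
from typing import Dict, List

# Script hosts the summary names as unexpected sources of remote threads.
SUSPICIOUS_SOURCES = ("\\cscript.exe", "\\wscript.exe", "\\mshta.exe")
# Target processes of interest live under the SysWOW64 directory.
TARGET_DIR_MARKER = "\\syswow64\\"


def is_cactustorch_candidate(event: Dict[str, str]) -> bool:
    """True when a CreateRemoteThread event matches the described pattern:
    the source is one of the script hosts and the target is under SysWOW64.
    Comparison is case-insensitive because Windows paths are."""
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    return source.endswith(SUSPICIOUS_SOURCES) and TARGET_DIR_MARKER in target


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events an analyst should look at."""
    return [e for e in events if is_cactustorch_candidate(e)]


# Constructed sample events; field names follow Sysmon Event ID 8.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\wscript.exe",          # hit
     "TargetImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "User": "CORP\\alice"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",          # benign source
     "TargetImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"SourceImage": r"C:\Windows\System32\mshta.exe",            # target not SysWOW64
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "User": "CORP\\bob"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT user={hit['User']} "
              f"{hit['SourceImage']} -> {hit['TargetImage']}")
```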
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • User Account
Created: 2019-02-01