<p>When it comes to malware delivery methods, attackers are sticking with what works — even as they rely on a rapidly revolving door of payloads.</p>
<p>That’s according to a report from the ReliaQuest Threat Research Team, which tracks threat activity quarterly. From March 1 to May 31, ClickFix was attackers’ preferred malware delivery technique, followed by removable media such as USB drives.</p>
<p>ReliaQuest also monitors the top three malware families involved in confirmed security incidents, a list that has experienced almost complete turnover across the past three tracking periods. For defenders, that trend brings new urgency to old advice: Monitor threat behavior, not malware names.</p>
<p>Here’s how security teams can defend against ClickFix and removable-media-based attacks.</p>
<section class=”section main-article-chapter” data-menu-title=”Trending attack: How to defend against ClickFix”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>Trending attack: How to defend against ClickFix</h2>
<p>Defenders can no longer consider ClickFix, a <a href=”https://www.techtarget.com/searchsecurity/tip/How-to-avoid-and-prevent-social-engineering-attacks”>social engineering</a> technique that first appeared in 2024, an emerging or OS-specific threat, ReliaQuest researchers warned. It was the dominant malware delivery channel between March 1 and May 31, and the second most common in the previous three-month reporting period.</p>
<p>In addition to leading initial access, ClickFix also drove nearly a third of defense-evasion activity. And while it has historically targeted Windows users, ReliaQuest researchers recently observed ClickFix delivery of Atomic Stealer malware on macOS systems.</p>
<p>”For enterprises, macOS must no longer be treated as lower risk and now needs the same monitoring and response coverage as Windows,” <a target=”_blank” href=”https://reliaquest.com/blog/threat-spotlight-whats-trending-top-cyber-attacker-techniques-march-may-2026″ rel=”noopener”>wrote</a> Raigridas Bartkus, the report’s author and a cybersecurity specialist at ReliaQuest.</p>
<p>ClickFix tricks users into engaging with prompts — commonly disguised as legitimate error messages, update notifications and <a href=”https://www.techtarget.com/searchsecurity/definition/CAPTCHA”>CAPTCHA</a> checks — and pasting malicious commands into system dialogs. While ClickFix often spreads through compromised websites, ReliaQuest noted it has recently shifted to email-based lures.</p>
<p>”This period we also <a target=”_blank” href=”https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/” rel=”noopener”>saw</a> a ClickFix loader use likely AI-generated obfuscation to deliver ‘Deepload’ malware, burying its real logic under thousands of meaningless variable assignments to defeat static scanning,” Bartkus wrote. With AI, he added, <a href=”https://www.techtarget.com/searchsecurity/tip/How-AI-malware-works-and-how-to-defend-against-it”>attackers can generate new variants more quickly</a>, giving defenders less time to adapt signature-based detection tools.</p>
<div class=”extra-info”>
<div class=”extra-info-inner”>
<h3 class=”splash-heading”>Malware leaderboard: March 1, 2026 – May 31, 2026</h3>
<p>Here are the malware families that dominated ReliaQuest’s latest reporting period, along with their delivery methods.</p>
<p><b>Malware family:</b> Gamarue, also known as <i>Andromeda</i>, a familiar modular worm.<b><br>Malware delivery:</b> Spread through removable media, such as USB flash drives.</p>
<p><b>Malware family:</b> NetSupport RAT, a remote access trojan variant of the legitimate IT remote administration tool NetSupport Manager.<b><br>Malware delivery:</b> The payload that ClickFix most often delivered, according to ReliaQuest.</p>
<p><b>Malware family:</b> Raspberry Robin, a worm often used to provide initial access to ransomware operators.<br><b>Malware delivery:</b> Spread through removable media, such as USB flash drives.</p>
</div>
</div>
<p>ClickFix attacks are now so pervasive and scaling so quickly that continuous training, detection and triage are necessary in both Windows and macOS environments, according to the report. CISOs should consider taking the following steps:</p>
<ul class=”default-list”>
<li><b>Train users.</b> By convincing targets to unwittingly run malicious commands on their own devices, ClickFix can bypass many file- and email-based controls. That makes an <a href=”https://www.techtarge
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: