Powered by MOMENTUMMEDIA
For breaking news and daily updates, subscribe to our newsletter

Report: ClickFix spear-phishing technique tops Q2 malware charts

ClickFix was the dominant form of malware delivery into enterprise environments between March and May, while the Qilin ransomware group led extortion operations.

Mon, 06 Jul 2026
Report: ClickFix spear-phishing technique tops Q2 malware charts

The top three malware deployed over the second quarter of 2026 changed drastically, with three new strains replacing the first quarter’s top contenders.

At the same time, however, one delivery technique clearly remained the most favoured, proving – according to cyber security firm ReliaQuest – that network defenders need to focus less on tracking specific malware families, but instead on tracking how it is being delivered.

“ClickFix is a social-engineering technique, not a malware family. It tricks users into pasting attacker-supplied commands into trusted system dialogues, bypassing file- and email-based defences,” ReliaQuest’s Threat Research Team said in a recent blog post.

 
 

“We measure its prevalence through the MITRE ATT&CK techniques it drives, where it leads initial access and much defence-evasion activity. Among this period’s charted families, NetSupport RAT is its clearest payload; Gamarue and Raspberry Robin instead spread through removable media.”

NetSupport RAT is a weaponised version of the popular – and legitimate – NetSupport Manager remote-support tool, often deployed via ClickFix methods.

The other two malware families that made the grade in Q2 prove that infected USB drives remain a direct threat to organisations in what ReliaQuest calls a “seasonal USB” pattern.

“USB-based infections tend to rise during predictable periods such as US tax season and Q1 financial reporting,” ReliaQuest said.

“With removable media again among the top initial-access techniques, that pattern now looks persistent rather than temporary.”

Top ransomware families

The Qilin ransomware group was easily the most active during the quarter, sharing nearly 700 leak posts. Qilin, which runs a ransomware-as-a-service operation, was followed by The Gentlemen, DragonForce, Akira, and Inc Ransom – all groups that have been active in the ANZ region.

However, while the groups are different, the attacks follow a remarkably similar attack chain.

“The top-tier increasingly follows the same playbook: initial access through unpatched internet-facing edge devices, Cloudflared (a legitimate software agent that securely connects a local private network to Cloudflare’s global network) tunnels for C2, and single-host SMB encryption,” ReliaQuest said.

“Akira remains a useful example of this playbook, particularly its use of edge-device exploitation, rogue temporary accounts, Cloudflared tunnels, SMB encryption, and ESXi targeting. But the key point this quarter is that these techniques are now being used by multiple groups.”

ReliaQuest did note one possible silver lining, however; defending against one operator now equates to defending against all of them, thanks to the relative ubiquity of these techniques.

Another possible silver lining is that the number of victims being named by ransomware operators has dropped over the quarter. However, again, it’s not all upside. ReliaQuest noted that while incidents are less frequent, the impact is often more damaging, particularly when it comes to professional, scientific, and technical services (PSTS).

“PSTS firms often sit inside client environments or ship software used by many downstream organisations, making one compromise spread far beyond the named victim,” ReliaQuest said.

“Whether through supply-chain attacks, as seen with the Shai-Hulud npm worm, or inherited exposure in mergers and acquisitions (M&A), the real impact extends to clients, dependents, and acquirers.”

You can read the full report here.

Cyber DailyWant to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.
Tags:

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.