The ClickFix social engineering technique is now the top malware delivery method, according to a new report from ReliaQuest. These attacks trick users into copying a malicious command, then pasting it into a terminal and running it on their computers.
“ClickFix remained the dominant delivery method this period and, for the first time, we observed it expand to macOS, delivering infostealers onto a platform many organizations still monitor less closely than Windows,” the researchers write. “This means ClickFix can no longer be handled as a special case. Training, detection, and triage for it should run continuously on both Windows and macOS.”
ReliaQuest notes that AI tools are enabling threat actors to scale social engineering attacks with very little added effort.
“Adversaries leaned on two strategies: social engineering at scale and attacks on unpatched, internet-facing infrastructure,” the researchers write. “The leading technique ‘ClickFix’ drove the first, shifting delivery from compromised websites to emailed links, while ‘Qilin,’ the period’s most active ransomware operator, continued exploiting unpatched edge devices for mass extortion. What’s more, AI is making social engineering faster, cheaper, and more convincing, accelerating familiar techniques rather than creating new ones.”
Organizations should ensure that their security awareness programs train employees to recognize ClickFix tactics.
“Train users not to paste commands into Run, Terminal, or Script Editor, and simulate ClickFix-style lures on Windows and macOS (like CAPTCHA and verification prompts, ‘paste this to continue’ clipboard steps, and browser-to-shell hand-offs),” the researchers write.
New-school security awareness training can give your organization an essential layer of defense against evolving social engineering attacks. KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
ReliaQuest has the story: https://reliaquest.com/blog/threat-spotlight-whats-trending-top-cyber-attacker-techniques-march-may-2026
