ClickFix and removable media lead malware delivery methods
Now more than ever, defenders must look for suspicious behavior, not specific malware. Learn how to defend against two trending initial access methods.
When it comes to malware delivery methods, attackers are sticking with what works -- even as they rely on a rapidly revolving door of payloads.
That's according to a report from the ReliaQuest Threat Research Team, which tracks threat activity quarterly. From March 1 to May 31, ClickFix was attackers' preferred malware delivery technique, followed by removable media such as USB drives.
ReliaQuest also monitors the top three malware families involved in confirmed security incidents, a list that has experienced almost complete turnover across the past three tracking periods. For defenders, that trend brings new urgency to old advice: Monitor threat behavior, not malware names.
Here's how security teams can defend against ClickFix and removable-media-based attacks.
Trending attack: How to defend against ClickFix
Defenders can no longer consider ClickFix, a social engineering technique that first appeared in 2024, an emerging or OS-specific threat, ReliaQuest researchers warned. It was the dominant malware delivery channel between March 1 and May 31, and the second most common in the previous three-month reporting period.
In addition to leading initial access, ClickFix also drove nearly a third of defense-evasion activity. And while it has historically targeted Windows users, ReliaQuest researchers recently observed ClickFix delivery of Atomic Stealer malware on macOS systems.
"For enterprises, macOS must no longer be treated as lower risk and now needs the same monitoring and response coverage as Windows," wrote Raigridas Bartkus, the report's author and a cybersecurity specialist at ReliaQuest.
ClickFix tricks users into engaging with prompts -- commonly disguised as legitimate error messages, update notifications and CAPTCHA checks -- and pasting malicious commands into system dialogs. While ClickFix often spreads through compromised websites, ReliaQuest noted it has recently shifted to email-based lures.
"This period we also saw a ClickFix loader use likely AI-generated obfuscation to deliver 'Deepload' malware, burying its real logic under thousands of meaningless variable assignments to defeat static scanning," Bartkus wrote. With AI, he added, attackers can generate new variants more quickly, giving defenders less time to adapt signature-based detection tools.
Malware leaderboard: March 1, 2026 - May 31, 2026
Here are the malware families that dominated ReliaQuest's latest reporting period, along with their delivery methods.
Malware family: Gamarue, also known as Andromeda, a familiar modular worm.
Malware delivery: Spread through removable media, such as USB flash drives.
Malware family: NetSupport RAT, a remote access trojan variant of the legitimate IT remote administration tool NetSupport Manager.
Malware delivery: The payload that ClickFix most often delivered, according to ReliaQuest.
Malware family: Raspberry Robin, a worm often used to provide initial access to ransomware operators.
Malware delivery: Spread through removable media, such as USB flash drives.
ClickFix attacks are now so pervasive and scaling so quickly that continuous training, detection and triage are necessary in both Windows and macOS environments, according to the report. CISOs should consider taking the following steps:
- Train users. By convincing targets to unwittingly run malicious commands on their own devices, ClickFix can bypass many file- and email-based controls. That makes an educated user base the best defense. Train both Windows and macOS users never to paste commands in Run, Terminal or Script Editor.
- Include ClickFix lures in security awareness training. Don't just tell users what to avoid -- show them, using simulated pop-up and email-based lures that mimic ClickFix attacks. Bartkus suggested including CAPTCHA and verification prompts, browser-to-shell hand-offs and "paste-this-to-continue" directives.
- Restrict access to system dialogs. Restrict Run, Terminal and Script Editor access as much as possible, especially for nontechnical users in high-risk roles.
- Monitor for suspicious behavior. Where impractical to restrict access to system dialogs -- for technical users, for example -- security teams should log and alert on RunMRU activity.
"Monitoring for activity such as a sequence of base64 decoding, curl retrieval and PowerShell or osascript execution, for example, would represent reliably anomalous behavior in developer environments," a ReliaQuest spokesperson told Dark Reading, a TechTarget Cybersecurity sister publication.
Because ClickFix attacks often rely on command obfuscation and obfuscated files, defenders should also look for legitimate-seeming files in unusual places.
Trending attack: How to defend against USB-based compromise
Among top initial access paths in March, April and May, removable media came in hot on ClickFix's heels. According to ReliaQuest researchers, two of the top three malware families during the reporting period spread through infected external devices such as USB drives.
The report noted a persistent seasonal trend: USB-based attacks tend to escalate during predictable annual periods, such as tax season and Q1 financial reporting. Presumably, employees use removable drives to transfer files among in-office, at-home and third-party environments, increasing enterprise risk.
ReliaQuest warned that USB-based malware can lead to broader compromise. Raspberry Robin, for example -- one of the reporting period's leading malware families -- often enables initial access for ransomware operators.
According to the researchers, defenders should take the following steps to defend against USB-based attacks.
- Disable USB autorun across the enterprise IT environment.
- Use allowlists to block unapproved removable devices.
- Alert on shortcut (.lnk) or script execution from external drives.
- Approach any confirmed USB-based infection as the possible precursor to a major ransomware attack.
Alissa Irei is senior site editor of Informa TechTarget Security.