Attackers turn trusted tools into cyber weapons
ReliaQuest has published an analysis of the most common cyber attacker techniques observed from December to the end of February. The findings show attackers increasingly targeting trusted tools, user behaviour and identity systems.
BaoLoader was the leading malware family during the period, accounting for 40.9% of incidents tracked by the security firm. ClickFix, a social engineering technique that tricks users into running malicious commands themselves, featured heavily in defence evasion activity and was linked to more than 44% of incidents in that category.
The findings suggest a shift away from attacks that rely on novel malware or complex exploits. Instead, attackers are using software, websites, remote administration tools and single sign-on sessions that users and IT teams already view as legitimate.
BaoLoader's continued lead is notable because malware families often shift position from one reporting period to the next. ReliaQuest linked its persistence to drive-by compromise, in which compromised websites and malicious adverts present payloads as ordinary productivity tools instead of delivering them through suspicious emails.
Searches for financial tools and PDF editors during the US tax season may have widened the pool of potential victims, as these are common BaoLoader disguises. That made ordinary browsing a route to infection, with users more likely to trust software they believed they had found themselves.
Shai-Hulud ranked second in malware incidents at 27.3%. ReliaQuest described it as the most significant new entry during the period, noting that it had evolved beyond its origins as an npm supply-chain worm into cloud credential theft.
Its spread into development environments raises the stakes for companies with software teams and cloud-based workflows. The self-replicating nature of "Shai-Hulud 2.0" also makes containment difficult once it enters a development pipeline.
RMM Shift
Remote monitoring and management tools also featured prominently. ConnectWise ScreenConnect led RMM-related incidents at 25%, but the pattern differed from the usual use of such tools after an attacker had already gained control of a network.
ReliaQuest observed trojanised versions of ScreenConnect being placed directly on hosts, often through drive-by compromise. In those cases, a legitimate remote-access product was altered to connect to attacker-controlled infrastructure rather than standard ConnectWise systems.
BeyondTrust appeared in 16.7% of RMM-related incidents and was linked to exploitation of CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access. Attackers were using compromised instances of the software for both initial access and ongoing remote access within days of disclosure.
Less common tools such as SimpleHelp and Nezha each made up 8.3% of incidents. The report said ransomware groups were turning to lesser-known products that may fall outside the detection rules many organisations have built around more established remote-access software.
Ransomware Tactics
Among extortion and ransomware groups, Qilin and Akira remained the most active, according to the analysis. Both benefited from exploiting unpatched internet-facing systems and from the continuing gap between patch availability and patch deployment.
Qilin accounted for 24.1% of victims named on data-leak sites tracked by ReliaQuest, while Akira accounted for 10.2%. Akira's operations relied on exploiting vulnerable appliances, moving through networks over Remote Desktop Protocol and then deploying ransomware against virtualisation hosts.
ShinyHunters, by contrast, showed how identity theft can have similar effects without network-wide encryption. The group represented 4% of data-leak site listings, but its impact on individual companies was disproportionately high because one stolen SSO session could unlock access to multiple software services.
Its methods included subdomain impersonation, phone-guided adversary-in-the-middle phishing and theft of authenticated sessions. That gave attackers access across email, file storage, human resources platforms, customer relationship management systems and code repositories without relying on malware.
Trust Targeted
The broader conclusion is that trust has become a central attack surface. Attackers are leaning on channels and processes that look routine to users and administrators, from business-themed files and signed executables to SaaS logins and remote support software.
Hidden artefacts, obfuscated files and command obfuscation together represented more than 44% of defence evasion activity. Masquerading was also prominent, including one case in which attackers used a legitimate digitally signed endpoint detection and response executable to load malicious code through DLL sideloading.
That approach makes malicious activity look like normal security software behaviour and can allow attackers to persist even after standard remediation steps such as reinstalling an agent or patching a system. ReliaQuest said organisations should watch for unusual module loads in trusted security processes rather than relying only on reputation-based alerts.
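One way to act on that recommendation, as an added example that is not part of the ReliaQuest report or this article: a baseline check over Sysmon-style ImageLoaded (Event ID 7) records that flags DLLs a trusted security agent loads from unexpected locations, without a valid signature, or under a signer other than the agent's vendor, instead of trusting the host process's reputation. The agent name, install path, signer and sample events are constructed assumptions, not a real product's values.

```python
# Added example (not from the ReliaQuest report): flag unusual module loads in a
# trusted security-agent process. Agent name, install directory, signer and the
# Sysmon Event ID 7 (ImageLoaded) style records are constructed placeholders.
from pathlib import PureWindowsPath

# Baseline: agent executable name -> (expected install directory, expected signer).
AGENT_BASELINE = {"edragent.exe": (r"c:\program files\exampleedr", "Example EDR Vendor")}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

def _under(path: str, directory: str) -> bool:
    """True if path is directory or lies beneath it (case-insensitive)."""
    p, d = PureWindowsPath(path.lower()), PureWindowsPath(directory.lower())
    return d == p or d in p.parents

def classify_load(event: dict) -> list[str]:
    """Return reasons an ImageLoaded event is suspicious; [] means expected."""
    image = PureWindowsPath(event["Image"].lower())
    if image.name not in AGENT_BASELINE:
        return []  # not a process we baseline here
    install_dir, vendor = AGENT_BASELINE[image.name]
    module, signer, reasons = event["ImageLoaded"], event.get("Signature", ""), []
    # A signed agent binary copied out of its install directory is itself unusual.
    if not _under(str(image), install_dir):
        reasons.append("agent executable running outside its install directory")
    in_install = _under(module, install_dir)
    in_system = any(_under(module, d) for d in SYSTEM_DIRS)
    if not (in_install or in_system):
        reasons.append("module loaded from outside agent and system directories")
    # Reputation of the host process says nothing about the DLL: check its own signature.
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("module unsigned or signature invalid")
    elif in_install and signer != vendor:
        reasons.append(f"agent-directory module signed by '{signer}', not '{vendor}'")
    return reasons

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious module path to its reasons, dropping expected loads."""
    return {e["ImageLoaded"]: r for e in events if (r := classify_load(e))}

# Constructed sample events: two expected loads, two indicative of DLL sideloading.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ExampleEDR\edragent.exe", "ImageLoaded": r"C:\Program Files\ExampleEDR\edrcore.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example EDR Vendor"},
    {"Image": r"C:\Program Files\ExampleEDR\edragent.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\ExampleEDR\edragent.exe", "ImageLoaded": r"C:\Program Files\ExampleEDR\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Users\Public\edragent.exe", "ImageLoaded": r"C:\Users\Public\wininet.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
]
```

Running `triage(SAMPLE_EVENTS)` returns only the last two modules with their reasons; the two expected loads produce nothing, so the check stays quiet on a healthy agent.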
For defenders, the report recommended more targeted user awareness training around ClickFix, strict allowlists for RMM software, centralised SaaS audit logging and emergency patch timelines for internet-facing appliances. It also urged companies to treat legitimate tools and identity sessions as assets that need active monitoring, not just convenience features for employees and IT teams.