What’s Trending: Top Cyber Attacker Techniques, March–May 2025

**ReliaQuest quarterly analysis (Mar–May 2025)**: Attackers are increasingly using social engineering (notably a 'ClickFix' copy-paste trick) and trusted system binaries (MSHTA, RDP) to bypass defenses and deliver malware such as SectopRAT and infostealers like Acreed; ransomware activity has shifted after RansomHub disbanded, driving a 148% surge in Qilin-related listings, while threat actor Scattered Spider resumed targeted operations against executives using sophisticated social engineering, cloud persistence, and on-prem exploitation. The report highlights active, enterprise-impacting campaigns, observable increases in specific TTP usage (MSHTA in 33% of defense evasion incidents), and provides prioritized mitigations including tighter access controls, PowerShell logging, and phishing-resistant authentication.