"While the structure of the threat landscape remains familiar, the speed, scale, and resilience of adversary operations continue to increase. As attackers place greater emphasis on identity abuse, edge infrastructure and data‑exfiltration‑driven extortion models, organizations must adapt defensive strategies accordingly," Gavin Knapp, head of cyber threat intelligence at Bridewell, wrote in the firm's May 18 report.
Bridewell's Cyber Threat Intelligence Report 2026: what it examined
Bridewell published its Cyber Threat Intelligence Report 2026 on May 18, drawing on the firm's "sustained monitoring of malicious infrastructure, client telemetry, incident response activity, and targeted research." The consulting specialist concluded that attackers are increasingly avoiding traditional, malware-driven techniques in favor of approaches that directly manipulate users and trusted systems to bypass security controls.
ClickFix, FileFix and ConsentFix: attacks that target users and workflows
The report identifies a set of techniques—named ClickFix, FileFix and ConsentFix—that rely on social engineering inside the browser or identity workflows. These methods trick victims into copying commands, approving fake authentication prompts or completing legitimate login processes, allowing adversaries to circumvent endpoint security, multifactor authentication (MFA) and other controls, Bridewell said. Because these interactions occur inside the browser or trusted identity channels, the firm warned they are much harder to detect with conventional tools.
Infostealers, Vidar and the role of rapid data theft
Bridewell flagged infostealers as a "critical enabler" for cybercrime, harvesting credentials and information that can feed ransomware, fraud and other campaigns. The report cites a recent example in which the Australian Cyber Security Centre (ACSC) alerted users earlier this month to a ClickFix campaign designed to spread the Vidar Stealer infostealing malware. The firm also said the ransomware landscape has shifted: rapid data theft has become the primary mechanism for extortion rather than longer, encryption-focused campaigns. The aim, Bridewell wrote, is to reduce response time and increase pressure on victims.
Convergence of cybercrime and nation-state activity; supply chain growth
Bridewell cautioned that traditional barriers between cybercrime and nation-state activity are eroding, increasing the scale, sophistication and unpredictability of attacks—particularly those aimed at critical infrastructure sectors. The report urged cybersecurity leaders to watch several trends over the coming year, listing:
- Increased exploitation of edge devices and identity infrastructure
- Continued growth in supply chain compromise
- Rising activity linked to North Korea and other state-aligned actors
- Ongoing convergence between cybercrime and nation-state operations
What this means for technologists, the ACSC, and end users
Technologists and security teams: Bridewell's findings point to a need to prioritize identity protection and threat-informed defensive measures because attacks increasingly exploit trusted identity workflows and browser interactions that evade endpoint controls.
The Australian Cyber Security Centre (ACSC): the ACSC's public alert earlier this month about a ClickFix campaign spreading Vidar highlights the operational need for timely advisories and user-focused warnings when adversaries exploit social-engineering vectors linked to infostealers.
End users and the general public: because the techniques documented by Bridewell require user interaction—copying commands, approving prompts, completing real logins—the firm argues that user awareness and behaviour are central to risk reduction.
Across the report, Bridewell's public recommendation is clear: "As attackers continue to exploit trusted systems and human behaviour, organizations must move beyond traditional security approaches and focus on identity protection, user awareness and threat-informed defence," Gavin Knapp said. The specific examples in the report—ClickFix-style campaigns, Vidar distribution, and data-exfiltration-driven extortion—underscore that defensive success will depend as much on reshaping workflows and user prompts as on deploying new detection engines.




