HP Inc. said cybercriminals are refining long-standing phishing and malware tactics with increasingly advanced techniques designed to slip past traditional security defenses, including disguising malware as PDF invoices and embedding malicious code in image pixels.
In its latest Threat Insights Report, published Sept. 12 and covering April through June, the Palo Alto-based company said attackers are combining “living-off-the-land” (LOTL) tools — legitimate software features built into Windows — with new forms of visual deception. The result is a surge in harder-to-detect threats that are challenging conventional security systems.
“Attackers aren’t reinventing the wheel, but they are refining their techniques,” said Alex Holland, principal threat researcher at HP Security Lab.
“Living-off-the-land, reverse shells and phishing have been around for decades, but today’s threat actors are sharpening these methods. We’re seeing more chaining of living-off-the-land tools and use of less obvious file types, such as images, to evade detection.”
The report outlined several notable campaigns. One involved a fake Adobe Reader invoice that embedded a reverse shell script inside a small SVG image, disguised as a PDF file.
The file featured a phony loading bar, creating the illusion of an ongoing upload and increasing the likelihood of victims opening it. Attackers geofenced the malware to German-speaking regions to reduce exposure and hinder automated analysis.
Another campaign saw attackers conceal an XWorm payload within the pixel data of Microsoft Compiled HTML Help files disguised as project documents. The infection chain used PowerShell commands to extract and execute the malware before running scripts that deleted evidence of the files.
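Both campaigns above rely on a file whose real type differs from what its name or icon suggests (an SVG named like a PDF, help files posing as project documents) and on script content hidden inside a format users consider harmless. The following is an added triage example, not code from HP or from the report, that applies two defender-side checks to mail attachments: compare the extension with the content's magic bytes, and flag SVG files that carry script elements or event-handler attributes. The sample attachments are constructed for illustration and contain no payload.

```python
import re

# Constructed sample attachments for illustration only (not real malware):
# a genuine PDF, an SVG that borrows a .pdf extension and embeds a script
# element, and a plain SVG drawing with no active content.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    "Rechnung_2024.pdf": (
        b'<?xml version="1.0"?>\n'
        b'<svg xmlns="http://www.w3.org/2000/svg" width="200" height="40">\n'
        b'<rect width="200" height="20" fill="#ccc"/>\n'
        b'<script>/* constructed placeholder, no real payload */</script>\n'
        b'</svg>\n'
    ),
    "diagram.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
}

# Regex for active content inside SVG: a <script> element or an on*= handler.
ACTIVE_SVG = re.compile(rb"<script\b|\bon[a-z]+\s*=", re.IGNORECASE)


def sniff_type(data: bytes) -> str:
    """Identify the container format from its leading bytes, ignoring the name."""
    head = data.lstrip()[:512].lower()
    if head.startswith(b"%pdf-"):
        return "pdf"
    if b"<svg" in head:          # SVG may be preceded by an XML declaration
        return "svg"
    if head.startswith(b"itsf"):  # Microsoft Compiled HTML Help (CHM) header
        return "chm"
    if head[:2] == b"mz":         # Windows PE executable
        return "exe"
    return "unknown"


def inspect_attachment(name: str, data: bytes) -> dict:
    """Return the claimed extension, the sniffed type, and a list of findings."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff_type(data)
    findings = []
    if actual != "unknown" and ext and ext != actual:
        findings.append(f"extension .{ext} but content is {actual}")
    if actual == "svg" and ACTIVE_SVG.search(data):
        findings.append("svg contains script or event handler")
    return {"name": name, "ext": ext, "actual": actual, "findings": findings}


def triage(samples: dict) -> dict:
    """Inspect every attachment and return results keyed by file name."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        verdict = "suspicious" if result["findings"] else "clean"
        print(f"{name}: {verdict} {result['findings']}")
```

The type sniffing deliberately ignores the file name, because the name is attacker-controlled; a mismatch between the two is a cheap, high-signal indicator that a gateway or endpoint policy can act on before the file is rendered.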
HP also observed the resurgence of Lumma Stealer, a widely distributed malware family that continued spreading via compressed IMG archives despite a law enforcement crackdown in May. The attackers used LOTL methods to bypass email security filters and are already rebuilding infrastructure, the company said.
The research highlighted how cybercriminals are diversifying file formats to stay ahead of defenses. Archive files were the most popular method for delivering malware in the second quarter, accounting for 40% of incidents, followed by executables and scripts at 35%.
RAR archives, often trusted by users, made up 26% of malicious attachments. At least 13% of email threats detected by HP Sure Click technology bypassed one or more email gateways.
“Living off the land techniques are notoriously difficult for security teams because it’s hard to tell green flags from red – i.e. legitimate activity versus an attack,” said Ian Pratt, global head of security for personal systems at HP.
“You’re stuck between a rock and a hard place – lock down activity and create friction for users and tickets for the SOC or leave it open and risk an attacker slipping through. Even the best detection will miss some threats, so defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm.”
HP said its Wolf Security platform, which isolates suspicious files in secure containers, has logged more than 55 billion opened attachments, web pages and downloads without reporting a breach. By analyzing threats that evade detection on endpoints, HP said it has a unique window into the shifting tactics of cybercriminals.
The findings highlight the growing sophistication of online attackers who are leveraging trusted tools, disguising malware in everyday file formats, and tailoring campaigns to specific regions to reduce exposure. For enterprises, HP warned, the implication is clear: relying solely on detection-based security tools is no longer enough.