Attackers are increasingly disguising malicious activity inside everyday business tools and file formats that employees and IT teams typically trust. According to the latest HP Wolf Security Threat Insights Report (Q2 2025), threat actors are refining their strategies to blend in with legitimate processes, making it more difficult for security defenses to keep up.
One of the standout campaigns observed in Q2 2025 involved the XWorm remote access trojan (RAT). Instead of dropping custom malware directly, attackers chained together several built-in Windows utilities. These “living off the land” binaries (LOLBins) were used to run commands, transfer files and decode the hidden payload, activity that blends in with legitimate administration and so slips past many security alerts.
The final XWorm payload was hidden steganographically in the pixel data of a genuine image hosted on a trusted website. PowerShell scripts extracted the embedded code, and MSBuild, Microsoft's build tool, was abused to execute it. Once complete, the attackers had full remote access and data-stealing capability using only tools already present on the system.
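The chain described above, as an added detection example: this is not code from HP Wolf Security or the report. It runs a few parent/child rules over Sysmon-style process-creation records. The rules (an Office application spawning a script host, PowerShell touching image-decoding APIs or hiding its command line, MSBuild launched by something other than a build tool or on a project file in a user-writable directory, MSBuild with an Office ancestor) are assumptions about what such a chain looks like in telemetry, and the event records are constructed, not a real capture.

```python
"""Flag living-off-the-land process chains in endpoint telemetry.

Added example for this article, not code from HP Wolf Security or the report.
Input is Sysmon-style process-creation records (pid, parent pid, image path,
command line). The rules are assumptions encoding the chain described above;
SAMPLE_EVENTS is constructed telemetry, not a real capture.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}   # assumed normal MSBuild parents
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)
# PowerShell decoding pixel data, or hiding its command line, is the step that
# turns a downloaded picture into code (the pattern list is an assumption).
IMAGE_DECODE = re.compile(r"System\.Drawing|GetPixel|LockBits|-enc(odedcommand)?\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names of the parent, grandparent, and so on up to the root we have."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:       # seen-set guards against pid reuse loops
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule id, pid, description) for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        lineage = ancestors(e, by_pid)
        parent = lineage[0] if lineage else ""
        if name in SCRIPT_HOSTS and parent in OFFICE:
            hits.append(("R1", e.pid, f"{parent} spawned {name}"))
        if name in {"powershell.exe", "pwsh.exe"} and IMAGE_DECODE.search(e.cmdline):
            hits.append(("R2", e.pid, "PowerShell decoding image data or an encoded command"))
        if name == "msbuild.exe":
            if parent not in BUILD_PARENTS or USER_WRITABLE.search(e.cmdline):
                hits.append(("R3", e.pid, f"MSBuild from {parent or 'unknown'}: {e.cmdline}"))
            if any(a in OFFICE for a in lineage):
                hits.append(("R4", e.pid, "MSBuild with an Office ancestor: " + " <- ".join(lineage)))
    return hits


SAMPLE_EVENTS = [  # constructed: phishing doc -> PowerShell -> MSBuild, plus a legitimate build
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\bob\Downloads\invoice.docm"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -c Add-Type -AssemblyName System.Drawing; "
              r"$i=[System.Drawing.Bitmap]::FromFile('C:\Users\bob\AppData\Local\Temp\logo.png')"),
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\bob\AppData\Local\Temp\a.xml"),
    ProcEvent(500, 100, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              "devenv.exe"),
    ProcEvent(600, 500, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
]

if __name__ == "__main__":
    for rule, pid, why in evaluate(SAMPLE_EVENTS):
        print(f"{rule} pid={pid}: {why}")
```

The legitimate devenv.exe to MSBuild.exe build in the sample is there on purpose: a rule that fires on every MSBuild launch is useless on developer machines, so R3 looks at who started MSBuild and where the project file lives, and R4 requires the whole lineage to lead back to an Office process.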
“Living off the land techniques are notoriously difficult for security teams because it’s hard to tell green flags from red – i.e. legitimate activity versus an attack… Even the best detection will miss some threats, so defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm,” explained Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc.
Phishing emails continue to dominate, accounting for 61% of threats reaching endpoints. Attackers are exploiting document formats to trick victims:
- Invoice-themed campaigns used SVG attachments imitating Adobe Acrobat, complete with animations, before luring users into downloading malware. The attack installed a lightweight reverse shell, enabling remote execution and data theft.
- PDF-based lures displayed blurred invoices and download prompts, ultimately dropping a malicious Visual Basic Encoded (VBE) script hidden in a ZIP archive. The loader stored malware components in the Windows Registry instead of as files on disk, making detection harder. Victims were infected with MassLogger, a credential stealer, and, in some cases targeting France, a secondary RAT named ModiRAT.
Attackers are also reviving outdated file formats to bypass detection. Compiled HTML Help (.chm) files, once used for Windows manuals, are being weaponized with embedded scripts to deliver multi-stage infections, often leading to XWorm.
Windows shortcut files (LNK) disguised as PDFs inside phishing ZIPs were also observed. Rather than opening a document, the shortcuts launched malicious code that installed the Remcos RAT. In some campaigns, attackers even packaged payloads in the obsolete Program Information File (PIF) format to further reduce suspicion.
Despite a major international takedown in May 2025, Lumma Stealer resurfaced just a month later on fresh infrastructure. Attackers distributed it through IMG disk images attached to phishing emails. When opened, Windows mounts such an image as a virtual drive, in this case containing an HTML Application (HTA) file disguised as an invoice. The HTA in turn ran obfuscated PowerShell scripts that loaded Lumma Stealer in memory, bypassing disk-based security tools.
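The attachment tricks in the list above and the LNK, PIF, CHM and IMG lures that follow it share one defensive check: look inside the archive before the user does. The following is an added example, not code from HP Wolf Security or the report. It triages a ZIP attachment in memory for risky member types and document-style double extensions, for members whose header contradicts their name, and for SVGs that carry script, event handlers or javascript:/data: links, the kind the Acrobat-lookalike lures rely on. The type lists and the sample files are assumptions and constructed stand-ins; none of the bytes are real malware.

```python
"""Triage a ZIP e-mail attachment for the lure file types discussed above.

Added example for this article, not code from HP Wolf Security or the report.
The extension lists are assumptions about a first-pass mail filter, and every
sample file built below is a constructed stand-in, not a real sample.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

RISKY_EXT = {"lnk", "pif", "vbe", "vbs", "js", "jse", "wsf", "hta", "chm",
             "img", "iso", "scr", "cmd", "bat"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXEC_EXT = {"exe", "dll", "scr", "pif", "com"}
# ShellLink header: size 0x4C then CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")


def ext_parts(name: str) -> List[str]:
    """['pdf', 'lnk'] for 'dir/invoice.pdf.lnk'."""
    return name.rsplit("/", 1)[-1].lower().split(".")[1:]


def risky_extension(name: str) -> Optional[str]:
    parts = ext_parts(name)
    if parts and parts[-1] in RISKY_EXT:
        if len(parts) >= 2 and parts[-2] in DOC_EXT:
            return f"double extension .{parts[-2]}.{parts[-1]}"
        return f"risky type .{parts[-1]}"
    return None


def header_mismatch(name: str, data: bytes) -> Optional[str]:
    """Catch a file whose content contradicts the type its name advertises."""
    ext = (ext_parts(name) or [""])[-1]
    if ext == "pdf" and not data.startswith(b"%PDF"):
        return "named .pdf but no %PDF header"
    if data.startswith(b"MZ") and ext not in EXEC_EXT:
        return "PE header behind a non-executable name"
    if data.startswith(LNK_MAGIC) and ext != "lnk":
        return "shortcut (LNK) header behind a non-.lnk name"
    return None


def svg_is_active(data: bytes) -> Optional[str]:
    """Return why an SVG is active content, or None for plain vector art."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return "unparseable SVG"
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()          # strip XML namespace
        if tag in ("script", "foreignobject"):
            return f"<{tag}> element"
        for attr, value in el.attrib.items():
            local = attr.rsplit("}", 1)[-1].lower()
            if local.startswith("on"):                    # onload, onclick, ...
                return f"event handler {local}"
            if local == "href" and re.match(r"\s*(javascript|data):", value, re.I):
                return f"{local} to {value[:40]!r}"
    return None


def triage_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """(member name, reason) for every member that should be held for review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for reason in (risky_extension(info.filename), header_mismatch(info.filename, data)):
                if reason:
                    findings.append((info.filename, reason))
            if info.filename.lower().endswith(".svg"):
                reason = svg_is_active(data)
                if reason:
                    findings.append((info.filename, "active SVG: " + reason))
    return findings


LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">
  <rect width="600" height="400" fill="#f4f4f4"/>
  <script>/* constructed stand-in for the lure's redirect logic */</script>
  <text x="40" y="200">Adobe Acrobat - opening secured document</text>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="red"/></svg>'


def build_sample_zip() -> bytes:
    """Constructed attachment mixing the lure types above with harmless files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 32)       # shortcut posing as a PDF
        zf.writestr("Document.vbe", b"#@~^constructed-stand-in^#~@")    # VB encoded script
        zf.writestr("Adobe_Acrobat_Invoice.svg", LURE_SVG)
        zf.writestr("logo.svg", BENIGN_SVG)
        zf.writestr("statement.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        zf.writestr("readme.txt", b"constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_zip(build_sample_zip()):
        print(f"HOLD {member}: {why}")
```

The SVG check is the part that signature-based filters miss: an SVG is XML, so the file is parsed rather than pattern-matched, and the harmless logo.svg passes while the Acrobat lookalike is held for its embedded script. IMG and ISO members are flagged by extension only, since the point of that format is that Windows will mount it and hand the user whatever it contains.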
The findings underline how cybercriminals exploit trusted tools, realistic lures, and legacy file formats to bypass security. Traditional detection methods based on file signatures are no longer enough. Defense strategies must instead focus on monitoring behavior, persistence techniques, and system tool abuse.
“Attackers aren’t reinventing the wheel, but they are refining their techniques. Living-off-the-land, reverse shells and phishing have been around for decades, but today’s threat actors are sharpening these methods… You don’t have to drop a fully-fledged RAT when a simple, lightweight script will achieve the same effect. It’s simple, fast and often slips under the radar because it’s so basic,” said Alex Holland, Principal Threat Researcher, HP Security Lab.