Cyber attackers use images & built-in tools to bypass defences

Research from HP Wolf Security has found that cyber attackers are continually refining established tactics in order to evade security measures and deceive users.

Living-off-the-land tactics

The HP Threat Insights Report describes an increasing trend in the use of “living-off-the-land” (LOTL) techniques, whereby cybercriminals utilise legitimate tools and features within the operating system to carry out malicious activities. While these techniques are not new, the report highlights that attackers are now combining multiple, less commonly used system binaries in a single campaign, complicating the task of distinguishing between legitimate and malicious behaviour.

The report is based on data collected from millions of endpoints operating HP Wolf Security between April and June 2025. According to the analysis, attackers are also leveraging advanced visual deception to trick users and embedding malicious code in less conspicuous file types, such as images, to bypass traditional security filters.

Notable campaigns analysed

Among the campaigns identified, one featured a fake Adobe Reader invoice with a convincingly realistic upload screen, including a fabricated loading bar, which concealed a reverse shell within an SVG image. This attack allowed remote access to user devices. To further evade detection, attackers limited the download to German-speaking regions, thereby reducing exposure and complicating automated analysis and detection efforts.
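An SVG file is XML, so an "image" attachment can legitimately carry script elements, event-handler attributes and `javascript:` links, which is what makes it a usable wrapper for a reverse shell. The following is an added example, not code from the HP report: a small attachment inspector that parses an SVG and reports any active content, treating an unparseable file as a finding rather than as safe. The two sample documents are constructed (the script body is a placeholder comment, not a payload); the tag and attribute names it looks for are the standard SVG ones.

```python
import xml.etree.ElementTree as ET
from typing import List

# Element and attribute patterns that make an SVG executable rather than purely
# graphical. foreignObject can embed arbitrary HTML, so it is flagged as well.
ACTIVE_TAGS = {"script", "foreignObject"}
RISKY_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return name.rsplit("}", 1)[-1]


def inspect_svg(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means no active content was seen."""
    findings: List[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is not "clean": a gateway should not pass what it cannot parse.
        return [f"unparseable-xml: {exc}"]

    if _local(root.tag) != "svg":
        findings.append(f"root-not-svg: {_local(root.tag)}")

    for el in root.iter():  # iter() includes the root element itself
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"active-element: <{name}>")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event-handler: {name}@{a}")
            if a == "href" and value.strip().lower().startswith(RISKY_SCHEMES):
                findings.append(f"risky-href: {name}@{a}={value.strip()[:24]}")
    return findings


def verdict(data: bytes) -> str:
    """Policy decision a mail gateway might make from the findings."""
    return "block" if inspect_svg(data) else "allow"


# Constructed samples (not real campaign artefacts).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="blue"/></svg>'
)
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <!-- constructed sample: the script body is a placeholder, not a payload -->
  <script type="text/javascript"><![CDATA[ /* placeholder */ ]]></script>
  <a xlink:href="javascript:void(0)"><text x="5" y="15">Open invoice</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, verdict(doc), inspect_svg(doc))
```

The check is deliberately structural rather than signature-based: it does not try to recognise a particular script, only whether the file can execute anything at all, which is the property a "picture" attachment should never have.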

Another method detailed in the report involved hiding malware code within the pixel data of Microsoft Compiled HTML Help files. These files, disguised as harmless project documents, contained an XWorm payload that was extracted to execute a multi-step infection chain. The process also utilised PowerShell to run a CMD file that subsequently deleted evidence of the malicious files, making detection and analysis more challenging.
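The chain described above (PowerShell launching cmd.exe to run a batch file, which then removes the staged files) is hard to catch from any single event, because each step is a legitimate system binary doing something it is allowed to do. Correlating process ancestry with file-deletion telemetry makes the pattern visible. The following is an added example, not part of the report: it runs a rule over constructed Sysmon-style events (the field names and the sample process tree are assumptions, not captured data) and flags a cmd.exe that was spawned by powershell.exe to run a `.cmd`/`.bat` file and then deleted files in the batch file's own directory, while leaving a user-launched batch job alone.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed, Sysmon-style telemetry. Assumed fields: pid/ppid/image/cmdline for
# process creation and pid/path for file deletion. Not real captured data.
PROC_EVENTS = [
    {"pid": 100, "ppid": 4, "image": "explorer.exe", "cmdline": "explorer.exe"},
    # benign baseline: a user runs a build script from the shell
    {"pid": 150, "ppid": 100, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Tools\\build.cmd"'},
    # staged chain: powershell -> cmd running a batch file in a writable directory
    {"pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Users\\Public\\project.ps1"},
    {"pid": 201, "ppid": 200, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\Public\\cleanup.cmd"'},
]
DELETE_EVENTS = [
    {"pid": 150, "path": "C:\\Tools\\build.log"},
    {"pid": 201, "path": "C:\\Users\\Public\\project.ps1"},
    {"pid": 201, "path": "C:\\Users\\Public\\cleanup.cmd"},
]

# A Windows path ending in .cmd or .bat anywhere in a command line.
BATCH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+\.(?:cmd|bat)', re.IGNORECASE)


def process_chain(pid: int, by_pid: Dict[int, dict]) -> str:
    """Walk parent pointers and render the ancestry root-first, e.g. 'a.exe > b.exe'."""
    images: List[str] = []
    while pid in by_pid:
        images.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(images))


def detect_lotl_chain(proc_events: List[dict], delete_events: List[dict]) -> List[dict]:
    by_pid = {e["pid"]: e for e in proc_events}
    deletes: Dict[int, List[str]] = defaultdict(list)
    for d in delete_events:
        deletes[d["pid"]].append(d["path"])

    findings = []
    for e in proc_events:
        if e["image"].lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"].lower() != "powershell.exe":
            continue  # cmd.exe from a shell or scheduler is the normal case
        m = BATCH_RE.search(e["cmdline"])
        if not m:
            continue
        batch = PureWindowsPath(m.group(0))
        # Files the batch process removed from its own directory: the staged
        # script, the batch itself, or both, is the "cleanup" signal.
        staged = [p for p in deletes[e["pid"]]
                  if PureWindowsPath(p).parent == batch.parent]
        reasons = ["cmd.exe launched by powershell.exe to run a batch file"]
        if staged:
            reasons.append(f"batch process deleted {len(staged)} file(s) in its own directory")
        if str(batch) in staged:
            reasons.append("batch file deleted itself")
        findings.append({
            "pid": e["pid"],
            "chain": process_chain(e["pid"], by_pid),
            "batch": str(batch),
            "deleted": len(staged),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in detect_lotl_chain(PROC_EVENTS, DELETE_EVENTS):
        print(f["chain"], f["reasons"])
```

The rule keys on the relationship between steps (who spawned whom, and what that process did next) rather than on any one binary, which is the only angle that separates this chain from an administrator's batch job using the same tools.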

Additionally, the Lumma Stealer malware was highlighted as a significant threat, having been widely distributed via IMG archive attachments. This malware family used LOTL techniques and image-based delivery mechanisms to evade detection and exploit trusted systems. Despite recent law enforcement actions, the report notes that campaigns involving Lumma Stealer continued into June, with threat actors actively registering new domains and expanding their infrastructure.

Expert analysis

Alex Holland, Principal Threat Researcher, HP Security Lab, commented: “Attackers aren’t reinventing the wheel, but they are refining their techniques. Living-off-the-land, reverse shells and phishing have been around for decades, but today’s threat actors are sharpening these methods. We’re seeing more chaining of living-off-the-land tools and use of less obvious file types, such as images, to evade detection. Take reverse shells as an example – you don’t have to drop a fully-fledged RAT when a simple, lightweight script will achieve the same effect. It’s simple, fast and often slips under the radar because it’s so basic.”

The report details several ways in which attackers are using creativity and adaptability. Combining deception techniques with technical measures such as language-based geofencing, they are able to tailor campaigns to specific regions, thus further reducing the likelihood of discovery.

Detection difficulties

The data examined by HP’s threat research team reinforces the challenges faced by security professionals. According to the report, at least 13% of email threats identified by HP Sure Click managed to evade one or more email gateway scanners during the assessment period. Archive files, particularly .rar files, were the most commonly used method for delivering malware, accounting for 40% of observed attacks, closely followed by executables and scripts at 35%. Attackers appear to be leveraging trusted software, such as WinRAR, to deliver infected archives without raising suspicion.

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP, said: “Living off the land techniques are notoriously difficult for security teams because it’s hard to tell green flags from red – i.e. legitimate activity versus an attack. You’re stuck between a rock and a hard place – lock down activity and create friction for users and tickets for the SOC or leave it open and risk an attacker slipping through. Even the best detection will miss some threats, so defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm.”

HP Wolf Security’s findings show that by isolating threats that have slipped past detection tools, but still allowing malware to operate securely within contained environments, it is possible to gain insight into the latest tactics being deployed by cybercriminals.

Since its deployment, HP Wolf Security customers have clicked on over 55 billion email attachments, web pages, and downloaded files with no reported breaches, according to the report.

(Courtesy: https://securitybrief.com.au/)
