HP today issued its latest Threat Insights Report, which shows attackers using trusted software, disguised malware and increasingly believable lures to gain access to user devices. The research highlights a growing challenge for both users and defenders as malicious activity becomes harder to distinguish from legitimate behavior.
The report provides an analysis of real-world cyberattacks, helping organizations keep up with the latest techniques cybercriminals are using to evade detection and breach PCs in the fast-changing cybercrime landscape. Based on the millions of endpoints running HP Wolf Security*, notable campaigns identified by HP Wolf Security threat researchers include:
- Legitimate Remote Access Tools Abused for Backdoor Access: Cybercriminals are abusing applications like LogMeIn and ScreenConnect to take control of victim devices without raising suspicion. Campaigns first used tax year-end phishing emails and fake desktop app downloads – including dating websites – to then persuade users into installing legitimate remote access tools. These tools are controlled by the attackers and help them to blend in with normal IT activity, giving total control over user devices.
- Attackers Preying On Desperate Users Trying to Recover Lost Crypto Wallets: Fake crypto wallet recovery tools are being spread by attackers who claim to be helping users locate lost wallets but instead steal them. Often shared via code-sharing platforms and media download sites, the emoji-filled infostealer scripts appear to be “vibe-coded”, capable of harvesting credentials, wallet and system data before packaging it into archive files for exfiltration.
- ClickFix Campaigns Hide Malware in ‘Audio’ Files: Attackers behind recent ClickFix campaigns are disguising malware as audio files to evade detection. Victims are guided through realistic CAPTCHA prompts on well-designed fake websites, triggering malicious commands that quietly execute disguised payloads in the background.
By isolating threats that have evaded detection tools on PCs – but still allowing malware to detonate safely inside secure containers – HP Wolf Security has insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on over 60 billion email attachments, web pages, and downloaded files with no reported breaches.
The report, which examines data from January-March 2026, details how cybercriminals continue to diversify attack methods to bypass security tools revealing that:
- At least 11% of email threats identified by HP Sure Click bypassed one or more email gateway scanners.
- .zip files were the most popular malware delivery type (40%), followed by executable files (38%) and PDF documents (11%).
- PDF-based malware increased 3%, with attackers using a wide range of lures such as court documents and bonus payments to create urgency and drive clicks.
Please visit the HP Threat Research blog to view the report.
Frequently Asked Questions
- What is the main finding from HP’s latest Threat Insights Report?
HP’s latest Threat Insights Report found that cybercriminals are increasingly abusing legitimate remote access tools, fake downloads and increasingly believable social engineering lures to take control of users’ PCs. Attackers are disguising malicious activity as normal user behaviour, such as installing trusted tools, to evade detection.
- How are attackers abusing legitimate remote access tools?
Attackers are using trusted remote access applications such as LogMeIn and ScreenConnect as backdoors into victim devices. In the campaigns analysed by HP threat researchers, victims were persuaded to install these tools through tax year-end phishing emails and fake desktop app downloads, including fake dating website downloads. Once installed, the tools gave attackers persistent control while helping them blend in with normal IT activity.
- What other tactics did HP researchers uncover?
HP researchers also found fake crypto wallet recovery tools designed to steal credentials, wallet data and system information. Some of the scripts were emoji-heavy and appeared to be “vibe-coded”, suggesting attackers may be using AI-assisted coding techniques to create parts of their attacks. Researchers also identified ClickFix campaigns in which malware was disguised as audio files and delivered through realistic CAPTCHA prompts on well-designed fake websites.
- Why are these attacks difficult for users and defenders to spot?
These attacks are difficult to spot because they often look like legitimate activity. Remote access tools are widely used by IT teams, CAPTCHA prompts are familiar to users, and phishing lures tied to events such as the end of the tax year can feel timely and credible. This makes malicious behaviour harder to distinguish from normal business activity or routine online interactions.
- What can organizations do to reduce the risk?
HP recommends reducing unnecessary user privileges, controlling which software can be installed, and isolating risky activity such as downloads, unknown links and attachments. The findings also show why organizations should not rely on detection alone, especially when attackers are using trusted software and legitimate-looking workflows to gain access to user devices.
About the Data
This data was gathered from consenting HP Wolf Security customers from January-March 2026, with investigations conducted by the HP Threat Research Team.
Related
This entry was posted on June 11, 2026 at 9:00 am and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
HP Warns Attackers Are Turning Legitimate Remote Access Tools Into Backdoors
HP today issued its latest Threat Insights Report, which shows attackers using trusted software, disguised malware and increasingly believable lures to gain access to user devices. The research highlights a growing challenge for both users and defenders as malicious activity becomes harder to distinguish from legitimate behavior.
The report provides an analysis of real-world cyberattacks, helping organizations keep up with the latest techniques cybercriminals are using to evade detection and breach PCs in the fast-changing cybercrime landscape. Based on the millions of endpoints running HP Wolf Security*, notable campaigns identified by HP Wolf Security threat researchers include:
By isolating threats that have evaded detection tools on PCs – but still allowing malware to detonate safely inside secure containers – HP Wolf Security has insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on over 60 billion email attachments, web pages, and downloaded files with no reported breaches.
The report, which examines data from January-March 2026, details how cybercriminals continue to diversify attack methods to bypass security tools revealing that:
Please visit the HP Threat Research blog to view the report.
Frequently Asked Questions
HP’s latest Threat Insights Report found that cybercriminals are increasingly abusing legitimate remote access tools, fake downloads and increasingly believable social engineering lures to take control of users’ PCs. Attackers are disguising malicious activity as normal user behaviour, such as installing trusted tools, to evade detection.
Attackers are using trusted remote access applications such as LogMeIn and ScreenConnect as backdoors into victim devices. In the campaigns analysed by HP threat researchers, victims were persuaded to install these tools through tax year-end phishing emails and fake desktop app downloads, including fake dating website downloads. Once installed, the tools gave attackers persistent control while helping them blend in with normal IT activity.
HP researchers also found fake crypto wallet recovery tools designed to steal credentials, wallet data and system information. Some of the scripts were emoji-heavy and appeared to be “vibe-coded”, suggesting attackers may be using AI-assisted coding techniques to create parts of their attacks. Researchers also identified ClickFix campaigns in which malware was disguised as audio files and delivered through realistic CAPTCHA prompts on well-designed fake websites.
These attacks are difficult to spot because they often look like legitimate activity. Remote access tools are widely used by IT teams, CAPTCHA prompts are familiar to users, and phishing lures tied to events such as the end of the tax year can feel timely and credible. This makes malicious behaviour harder to distinguish from normal business activity or routine online interactions.
HP recommends reducing unnecessary user privileges, controlling which software can be installed, and isolating risky activity such as downloads, unknown links and attachments. The findings also show why organizations should not rely on detection alone, especially when attackers are using trusted software and legitimate-looking workflows to gain access to user devices.
About the Data
This data was gathered from consenting HP Wolf Security customers from January-March 2026, with investigations conducted by the HP Threat Research Team.
Share this:
Like this:
Related
This entry was posted on June 11, 2026 at 9:00 am and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.