Researchers at HP Inc. have published their latest Threat Insights Report, warning about advances in social engineering and evasion techniques that raise the bar for defenders. The company identified campaigns in which attackers craft fake PDF invoices that convincingly imitate Adobe Acrobat Reader, hide payloads inside image pixel data, and distribute the Lumma Stealer infostealer through hard-to-detect compressed archives.
Ultrarealistic PDF phishing
One of the most striking findings in the report is the use of PDF files that mimic Adobe Acrobat Reader, complete with a fake progress bar that boosts the lure's credibility. The PDF carried a small embedded SVG file containing a reverse shell, intended to give the attacker remote access to the compromised device.
The campaign was also geofenced to German-speaking regions, which limits its global exposure and delays automated detection by analysis sandboxes.
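To make the first finding concrete, here is an added example (not HP's tooling and not the campaign's file) that builds a small PDF carrying an SVG attachment and then scans any PDF for embedded files that decode to SVG containing script. The PDF layout, the inert placeholder SVG and the marker list are my assumptions; a real lure carries a stager where the placeholder sits:

```python
"""Flag PDF attachments (/EmbeddedFile streams) that decode to an SVG carrying
script. Added example over a constructed PDF: not HP's tooling and not the
campaign's lure. Handles plain and /FlateDecode streams only."""
import re
import zlib

# Constructed, inert attachment: the <script> body is a placeholder where a
# real lure would carry its reverse-shell stager.
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">\n'
              b'<script><![CDATA[ /* stager placeholder */ ]]></script>\n</svg>\n')


def build_sample_pdf(attachment: bytes, name: bytes = b"invoice.svg") -> bytes:
    """Hand-assemble a minimal PDF that carries `attachment` as a deflated
    /EmbeddedFile stream, the same structure any attachment-bearing PDF uses."""
    body = zlib.compress(attachment)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles "
        b"<< /Names [(" + name + b") 4 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Filespec /F (" + name + b") /EF << /F 5 0 R >> >>",
        b"<< /Type /EmbeddedFile /Subtype /image#2Fsvg+xml /Filter /FlateDecode "
        b"/Length " + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream",
    ]
    pdf = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
# Anything that lets an SVG run code when rendered; extend as needed.
SCRIPT_MARKERS = (b"<script", b"javascript:", b"onload=", b"onerror=")


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Undo /FlateDecode when present; other filters are passed through untouched."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # truncated or chained filters: scan what we have
    return raw


def scan_pdf(data: bytes) -> list[dict]:
    """One finding per embedded file whose decoded content is an SVG with script."""
    findings = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(2)
        sm = STREAM_RE.search(body)
        if not sm:
            continue                      # no stream in this object
        dictionary = body[:sm.start()]
        if b"/EmbeddedFile" not in dictionary:
            continue                      # page content, fonts, images: not an attachment
        lm = LENGTH_RE.search(dictionary)
        raw = body[sm.end():sm.end() + int(lm.group(1))] if lm else body[sm.end():]
        content = decode_stream(dictionary, raw).lower()
        if b"<svg" not in content:
            continue
        hits = [mk.decode() for mk in SCRIPT_MARKERS if mk in content]
        if hits:
            findings.append({"obj": num, "kind": "svg-with-script", "markers": hits})
    return findings


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf(SAMPLE_SVG)))
```

Production PDFs often pack objects into object streams and use cross-reference streams, so a real scanner should walk the document with a proper parser (pikepdf or pdfminer) rather than regex. The point the example makes is that the payload lives in the attachment, not in the rendered page, and that anything script-capable inside an "invoice" is a finding in its own right.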
Malicious code hidden in images
Another technique analyzed was the use of Microsoft Compiled HTML Help (.CHM) files carrying malicious code embedded in the pixel data of images. This approach let the attackers deliver an XWorm payload across multiple stages.
The infection chain used PowerShell commands that ran CMD files to wipe traces of the download and execution, a textbook example of living-off-the-land (LOTL) abuse of built-in tools.
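As an added illustration of why code parked in pixel data slips past file-level signature scanning, the following toy (my construction, not the campaign's encoding and not a sample from the report) hides a harmless command in the least-significant bits of a raw RGB buffer, recovers it, and shows one cheap statistic that shifts when a smooth region carries embedded bits:

```python
"""Toy LSB steganography over a raw RGB pixel buffer: hide a payload in the low
bit of each channel and recover it, then show why a byte-signature scan of the
image misses it. Added example; the encoding is a stand-in, not the campaign's."""
import struct

# Constructed, inert stand-in for a hidden stage: the command only echoes text.
PAYLOAD = b'powershell -NoProfile -Command "Write-Host stage2"'


def make_carrier(width: int, height: int) -> bytearray:
    """Constructed smooth RGB gradient standing in for decoded image pixels.
    Every channel value is even, so the carrier's LSB plane starts out all zero."""
    px = bytearray()
    for y in range(height):
        for x in range(width):
            px += bytes(((2 * x) % 256, (2 * y) % 256, 128))
    return px


def embed_lsb(pixels: bytearray, payload: bytes) -> bytearray:
    """Write a 4-byte length prefix plus payload, one bit per channel byte, MSB first."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(b >> i) & 1 for b in data for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # touch only the lowest bit
    return out


def extract_lsb(pixels: bytes) -> bytes:
    """Inverse of embed_lsb: read the length prefix, then that many bytes."""
    def read_bytes(count: int, bit_offset: int) -> bytes:
        out = bytearray()
        for k in range(count):
            val = 0
            for i in range(8):
                val = (val << 1) | (pixels[bit_offset + 8 * k + i] & 1)
            out.append(val)
        return bytes(out)
    length = struct.unpack(">I", read_bytes(4, 0))[0]
    return read_bytes(length, 32)


def lsb_ones_ratio(pixels: bytes, n: int) -> float:
    """Fraction of set low bits in the first n channel bytes. A smooth carrier sits
    near 0; embedded data pulls the region toward 0.5."""
    return sum(b & 1 for b in pixels[:n]) / n


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change: LSB embedding never moves a value by more than 1,
    which is why the picture looks identical to the eye."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    carrier = make_carrier(64, 64)
    stego = embed_lsb(carrier, PAYLOAD)
    n = 8 * (4 + len(PAYLOAD))
    print("signature hit on image bytes:", b"powershell" in bytes(stego))
    print("recovered:", extract_lsb(stego))
    print("LSB ones ratio before/after:", lsb_ones_ratio(carrier, n), lsb_ones_ratio(stego, n))
```

The carrier here is deliberately smooth so the LSB ratio is exactly zero before embedding; photographic images have noisy low bits, so in practice the ratio is a reason to sandbox the file, not a verdict. The durable detection point is the one the report makes: whatever decodes the pixels and runs the result is a script, so the process that opens the CHM is the thing to watch, not the image.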
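The PowerShell-to-CMD clean-up step leaves a process tree behind even after the files are gone. As an added example, not HP's detection content, here are rules run over constructed Sysmon Event ID 1-style records (Image, ParentImage and CommandLine follow Sysmon's field names; the hh.exe parent, the paths and the command lines are my assumptions about how such a chain would look):

```python
"""Hunt for the PowerShell -> CMD clean-up pattern in process-creation telemetry.
Added example over constructed Sysmon Event ID 1-style records; the field names
follow Sysmon, the rules and the hh.exe-as-parent assumption are mine, not HP's."""
import ntpath
import re

# Constructed events: the CHM viewer (hh.exe) launching PowerShell, PowerShell
# launching a batch file, that batch file deleting dropped stages, and one
# benign PowerShell launch from Explorer for contrast.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -nop -ep bypass -c "<stage placeholder>"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\cleanup.cmd"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del /f /q "C:\Users\Public\stage.ps1" "C:\Users\Public\cleanup.cmd"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-Date"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Hidden window, no profile, bypassed execution policy, or an encoded command.
PS_EVASION = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|e(?:p|xecutionpolicy)\s+bypass"
    r"|e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.I)
# del/erase/rd against the writable staging directories a dropper typically uses.
WIPE = re.compile(
    r"(?:^|\s)(?:del|erase|rd|rmdir)\s+(?:/\w+\s+)*[\"']?[a-z]:\\(?:users\\public"
    r"|users\\[^\\]+\\(?:appdata|downloads)|windows\\temp|programdata)\\", re.I)
SCRIPT_FILE = re.compile(r"/c\s+\S*\.(?:cmd|bat)\b", re.I)


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule an event trips."""
    alerts = []
    for i, ev in enumerate(events):
        parent = ntpath.basename(ev["ParentImage"]).lower()
        image = ntpath.basename(ev["Image"]).lower()
        cmd = ev["CommandLine"]
        if parent == "hh.exe" and image in SHELLS:
            alerts.append((i, "chm_viewer_spawns_shell"))
        if image in ("powershell.exe", "pwsh.exe") and PS_EVASION.search(cmd):
            alerts.append((i, "powershell_evasion_flags"))
        if parent in ("powershell.exe", "pwsh.exe") and image == "cmd.exe" and SCRIPT_FILE.search(cmd):
            alerts.append((i, "powershell_runs_batch_file"))
        if image == "cmd.exe" and WIPE.search(cmd):
            alerts.append((i, "wipes_dropped_files"))
    return alerts


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(idx, rule, SAMPLE_EVENTS[idx]["CommandLine"])
```

Each rule is weak on its own; what separates this chain from an administrator's scheduled clean-up script is the combination on one host within a short window: a help-file viewer spawning a hidden PowerShell, then a batch file that deletes exactly what was just dropped.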
Return of Lumma Stealer
Despite the international law-enforcement operation in May, Lumma Stealer resurfaced as one of the most active malware families in Q2. The group behind it launched campaigns using IMG disk-image files and continues registering new domains to strengthen its infrastructure.
Compressed files: favorites of cybercrime
HP reports that compressed archives continue to dominate as the delivery format:
- 40% of threats were delivered inside compressed archives (.zip, .rar, .img).
- 35% were executables and scripts.
- .rar archives alone accounted for 26%, showing that attackers exploit the trust users place in tools like WinRAR to stay under the radar.
In addition, 13% of malicious emails evaded at least one email gateway filter, underlining how well these campaigns are tuned against automated scanning.
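Because archives are where the payload usually sits, the check that pays off is listing what an archive contains before anyone extracts it. The added example below (my code, not HP's; it handles only zip, since .rar and .img need third-party libraries such as rarfile and pycdlib) builds a constructed lure and flags executables, scripts, document-style double extensions and nested archives, with depth and declared-size guards against archive bombs:

```python
"""Enumerate an archive before it is opened: flag executables, scripts, double
extensions and nested archives, with depth and size guards. Added example over
a constructed zip; .rar/.img need extra libraries and are not handled here."""
import io
import posixpath
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".cpl", ".msi", ".dll"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat", ".lnk", ".chm"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_DEPTH = 3                      # refuse to recurse forever into nested zips
MAX_TOTAL_BYTES = 200 * 1024 * 1024  # declared uncompressed size cap (zip bombs)


def build_sample_zip() -> bytes:
    """Constructed lure: a PE stand-in with a document-looking double extension,
    a decoy note, and a nested zip holding a script. All content is inert."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("run.js", "// inert placeholder\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Invoice_2025.pdf.exe", b"MZ" + b"\x00" * 62)   # PE header stand-in
        z.writestr("readme.txt", "Please review the attached invoice.\n")
        z.writestr("attachments/inner.zip", inner.getvalue())
    return outer.getvalue()


def classify(name: str, head: bytes) -> list[str]:
    """Reasons an entry deserves attention, judged from its name and first bytes."""
    base = posixpath.basename(name)
    stem, ext = posixpath.splitext(base)
    ext, inner_ext = ext.lower(), posixpath.splitext(stem)[1].lower()
    reasons = []
    if ext in EXEC_EXT:
        reasons.append("executable")
    if ext in SCRIPT_EXT:
        reasons.append("script")
    if inner_ext in DOC_EXT and ext in EXEC_EXT | SCRIPT_EXT:
        reasons.append("double-extension")
    if head[:2] == b"MZ" and ext not in EXEC_EXT:
        reasons.append("pe-header-under-non-exe-name")
    return reasons


def scan_zip(blob: bytes, prefix: str = "", depth: int = 0) -> list[dict]:
    """Walk a zip (recursing into nested zips) and return flagged entries."""
    if depth >= MAX_DEPTH:
        return [{"path": prefix or "<root>", "reasons": ["nesting-too-deep"]}]
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        total = sum(info.file_size for info in z.infolist())
        if total > MAX_TOTAL_BYTES:
            return [{"path": prefix or "<root>", "reasons": ["declared-size-too-large"]}]
        for info in z.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            data = z.read(info)
            reasons = classify(info.filename, data[:2])
            if posixpath.splitext(info.filename)[1].lower() == ".zip":
                reasons.append("nested-archive")
                findings.extend(scan_zip(data, path + "/", depth + 1))
            if reasons:
                findings.append({"path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f["path"], f["reasons"])
```

Treat the findings as gate input for a mail gateway or a pre-open hook: a nested archive holding a .js, or a name ending in .pdf.exe, is enough to quarantine regardless of whether any signature matches.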
Expert opinions
Alex Holland, senior researcher at HP Security Lab, explains:
“Attackers don’t need to reinvent the wheel: they perfect what already exists. We see more LOTL chains, more use of atypical files and minimal scripts that manage to go unnoticed. Their simplicity is what makes them so dangerous.”
Meanwhile, Ian Pratt, global security leader at HP Personal Systems, adds:
“Living-off-the-land techniques are particularly problematic because the line between legitimate activity and attack is blurry. Even top detection methods fail. That’s why a layered defense approach with isolation and containment is crucial.”
A challenge for detection-based defenses
The report makes clear that traditional systems, which rely on signature- or anomaly-based detection, are not always enough against attacks of this kind. HP emphasizes that its Wolf Security solution isolates risky files in secure containers, allowing their behavior to be observed without putting the endpoint at risk.
HP says Wolf Security customers have so far opened more than 55 billion files and links without a reported breach.
Conclusion
The evolution of techniques such as ultra-realistic PDF phishing, code hidden in images, and multi-stage LOTL chains confirms that cybercriminals are refining familiar tools to bypass modern controls. For technology companies and security teams, the challenge is not only detection but also containment and isolation before the damage becomes irreversible.
Frequently Asked Questions
What are LOTL techniques and why are they hard to stop?
They abuse legitimate Windows tools such as PowerShell or CMD, so malicious activity is hard to tell apart from normal system processes.
How do these new PDF phishing campaigns differ?
They achieve a very high degree of visual realism, including fake loading bars, which increases user trust and the likelihood that the file is opened.
What role do compressed files play in current attacks?
They are the most popular delivery vector, accounting for 40% of threats. Attackers exploit trust in software such as WinRAR to smuggle malware into corporate environments.
What is the most effective strategy against these threats?
A layered defense: monitoring, user education and, above all, isolating risky files in secure containers so that a single misclick cannot cause a breach.
via: Security news