HP has published its threat report, which reveals how traditional techniques such as living-off-the-land (LOTL) and phishing are evolving to evade detection-based security tools. These techniques, which involve using legitimate utilities already present on the system to carry out attacks, have been part of threat actors' arsenal for years. Now, HP researchers warn that the use of multiple uncommon binaries in the same campaign makes it even more difficult to distinguish malicious activity from legitimate activity.
The report analyzes real cyberattacks and helps organizations keep up with the latest tactics criminals use to evade detection and compromise devices in a constantly changing criminal landscape. Based on data from millions of endpoints protected by HP Wolf Security, the notable campaigns include fake Adobe Reader invoices, part of a new wave of highly elaborate social engineering lures.
In that campaign, the attackers embedded a reverse shell, a script that gives the attacker remote control of the device, in a small SVG image disguised as an Adobe Acrobat Reader file with a fake loading bar. This simulation increased the chances that the file would be opened and trigger the infection chain. In addition, they limited the download to German-speaking regions to reduce exposure and hinder automated analysis.
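A defender-side triage check for SVG attachments of the kind described above, added here as an example (it is not code from HP's report): it flags active content that a plain image never needs, using constructed sample files, and the lure sample carries only a placeholder comment where a real lure would carry its script.

```python
"""Triage an SVG attachment for embedded active content (added example)."""
import xml.etree.ElementTree as ET


def svg_findings(data: bytes) -> list[str]:
    """Return reasons an SVG looks like a lure rather than a static image.

    An SVG meant only to be displayed needs no <script>, no on* event
    handlers, no javascript:/data:text/html links and no <foreignObject>.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Malformed XML is itself worth a look: lures are often obfuscated.
        return ["not well-formed XML (possible obfuscation)"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip the namespace
        if tag == "script":
            findings.append("<script> element present")
        if tag == "foreignobject":
            findings.append("<foreignObject> embeds non-SVG content (e.g. HTML)")
        for attr, val in el.attrib.items():
            name = attr.split("}")[-1].lower()       # e.g. xlink:href -> href
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            if name == "href" and val.strip().lower().startswith(
                ("javascript:", "data:text/html")
            ):
                findings.append(f"suspicious href on <{tag}>: {val[:40]}")
    return findings


# Constructed sample: a fake "Adobe Reader" loading screen with a script block.
LURE = b"""<svg xmlns="http://www.w3.org/2000/svg" width="400" height="200">
  <rect width="400" height="20" fill="#ccc"/>
  <text x="10" y="15">Loading Adobe Acrobat Reader...</text>
  <script>/* constructed placeholder; a real lure would run its payload here */</script>
</svg>"""

# Constructed sample: a harmless static image.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, svg_findings(blob) or "no active content")
```

An attachment that claims to be a PDF but parses as SVG with any of these findings is a good candidate for isolation rather than delivery to the user.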
The report also documents malware hidden in pixelated images. In these cases, the attackers used Microsoft Compiled HTML Help (CHM) files, disguised as project documents, to hide malicious code in image pixels. This allowed them to deliver the XWorm tool, which was executed through a multi-stage infection chain using several LOTL techniques. PowerShell was also used to run a CMD file that removed evidence after download and execution.
Finally, the company's experts observed the return of Lumma Stealer via IMG files. Lumma was one of the most active malware families of the second quarter, distributed through compressed IMG files that used LOTL techniques to evade security filters. Despite a law enforcement operation in May 2025 against the group that controls it, the campaigns continued in June, with the group registering new domains and expanding its infrastructure.
The report, which covers data from April to June 2025, details how cybercriminals continue to diversify their attack methods to evade detection-based tools: 13% of the email threats identified by HP Sure Click evaded at least one email gateway scanner.
Compressed files were the most common delivery type (40%), followed by executables and scripts (35%). .rar files accounted for 26% of attacks, which suggests that attackers are exploiting software such as WinRAR.
Alex Holland, principal threat researcher at HP Security Lab, commented: “The attackers are not reinventing the wheel, but they are refining their techniques. Living-off-the-land, reverse shells and phishing have existed for decades, but current cybercriminals are perfecting them. We see more and more chained LOTL tools and unusual file types, such as images, to avoid detection. A complete Trojan is not needed when a simple script can achieve the same effect. It is simple, fast and usually goes unnoticed because of its low profile.”
Ian Pratt, Global Head of Security for Personal Systems at HP, added: “Living-off-the-land techniques are notoriously difficult to detect because it is hard to differentiate between legitimate and malicious activity. It is a difficult choice: restrict too much and hinder the user, or leave the door open and risk an attacker. Even the best detection systems sometimes fail; therefore, a defense-in-depth approach with containment and isolation is essential to catch threats before they cause damage.”