Cybercriminals have always relied on malware, but HP says many attackers are finding success with something much simpler. Instead of sneaking suspicious software onto a victim’s computer, they are increasingly using legitimate remote access tools that many businesses already trust.
According to HP’s latest Wolf Security Threat Insights Report, attackers have been abusing software such as LogMeIn and ScreenConnect to gain persistent access to victim PCs. The tactic is clever because these applications are commonly used by IT departments and support teams, making them far less likely to raise red flags than traditional malware.
One campaign spotted by HP used tax-related phishing emails to lure victims. Users were directed to what appeared to be legitimate tax documents, but behind the scenes the attackers were installing genuine remote access software that connected back to systems under their control. In other cases, victims were tricked through fake software update pages and bogus desktop app downloads.
That is what makes this trend particularly concerning. The software itself is not malicious. In fact, it is legitimate and digitally signed. The problem is who ends up controlling it.
HP researchers also documented new ClickFix campaigns that disguise malware as audio files. Victims are presented with realistic CAPTCHA challenges on professional-looking websites and instructed to perform a series of actions that ultimately execute malicious code. Rather than exploiting software vulnerabilities, these attacks exploit human trust.
The payload in one of those campaigns was Amatera Stealer, malware designed to harvest browser credentials, cookies, and cryptocurrency wallet information. HP also observed additional malware being delivered after the initial compromise, including remote management tools that give attackers even more control over infected machines.
Perhaps the most interesting finding in the report involves fake cryptocurrency wallet recovery tools. These programs claim to help users recover lost wallets but instead steal them. HP says some of the code appears to have been created using AI-assisted “vibe coding” techniques, citing emoji-filled scripts and coding patterns commonly associated with AI-generated software.
As someone who covers both AI and cybersecurity, I find that part especially fascinating. AI lowers the barrier to entry for software development, and that includes malicious software. Not every cybercriminal is an experienced programmer. Increasingly, they may not need to be.
The report also highlights the continued abuse of PDFs, Excel spreadsheets, and Windows shortcut files disguised as documents. In one ransomware campaign, attackers hid a malicious shortcut behind what appeared to be a harmless Microsoft Word file. On systems where file extensions are hidden, many users would never notice the difference until it was too late.
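A small defender-side check for the disguised-shortcut trick described above, added here as an example (not code from HP or the report): it flags filenames whose inner extension looks like a document but whose real, outer extension is a shortcut or script wrapper, which is exactly what Explorer hides when extensions are turned off. The extension lists are assumptions chosen for illustration.

```python
import os
from pathlib import Path

# Inner extensions an attacker uses to make the file read like a document (assumed list)
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}
# Outer extensions that actually run or redirect when double-clicked (assumed list)
DECEPTIVE_WRAPPERS = {".lnk", ".exe", ".scr", ".js", ".vbs"}


def is_lookalike_shortcut(name: str) -> bool:
    """True when a name such as 'Invoice.docx.lnk' pairs a document-style
    inner extension with an executable/shortcut outer extension.
    Windows never displays '.lnk', so the user sees 'Invoice.docx'."""
    p = Path(name)
    outer = p.suffix.lower()
    inner = Path(p.stem).suffix.lower()
    return outer in DECEPTIVE_WRAPPERS and inner in DOCUMENT_EXTENSIONS


def displayed_name(name: str) -> str:
    """What the file would look like to a user with extensions hidden:
    the real (outer) extension is dropped, leaving the document-looking stem."""
    return Path(name).stem if is_lookalike_shortcut(name) else name


def find_lookalikes(names):
    """Return the subset of names that should be quarantined or reviewed."""
    return [n for n in names if is_lookalike_shortcut(n)]


def scan_directory(path: str):
    """Walk a directory tree and collect suspicious filenames (real filesystem use)."""
    hits = []
    for root, _dirs, files in os.walk(path):
        hits.extend(os.path.join(root, f) for f in files if is_lookalike_shortcut(f))
    return hits


if __name__ == "__main__":
    # Constructed sample listing, e.g. the contents of an unpacked phishing archive
    sample = ["Quarterly report.docx.lnk", "Quarterly report.docx", "setup.exe",
              "notes.txt.lnk", "readme.lnk", "tax_form.pdf.scr"]
    for hit in find_lookalikes(sample):
        print(f"suspicious: {hit!r} (shown to user as {displayed_name(hit)!r})")
```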
HP’s data shows email remains the primary malware delivery method, accounting for 57 percent of threats observed during the first quarter of 2026. Executable files and compressed archives continue to dominate as delivery mechanisms, while PDF-based attacks are also on the rise.
The bigger takeaway from the report is that cybercriminals are increasingly hiding in plain sight. Instead of relying solely on obviously malicious software, they are abusing trusted tools, familiar workflows, and legitimate services. That makes modern attacks much harder for ordinary users to spot.
In other words, the next threat you encounter may not look suspicious at all. That is exactly what the attackers are counting on.
NERDS.xyz is independently owned and operated. If you enjoy my coverage of Linux, AI, hardware, cybersecurity, and tech culture, consider supporting the site on Ko-fi.