HP Inc.

09/12/2025 | Press release | Distributed by Public on 09/12/2025 01:34

Attackers Up Their Game with Ultra-Realistic PDF Invoice Lures, HP Finds

  • Latest HP Threat Insights Report uncovers highly polished, faked PDF reader lures, showing how attackers are perfecting visual deception to exploit trust in everyday apps.
  • Report uncovered cybercriminals hiding malicious code in pixel image data to infect users, then deleting the evidence to cover their tracks.
  • Research shows attackers using a combination of "living-off-the-land" tools - i.e. features built into the Windows environment - to evade detection.

PALO ALTO, Calif., 10th September, 2025 -
HP Inc. (NYSE: HPQ) today issued its latest Threat Insights Report, revealing how age-old living-off-the-land (LOTL) and phishing techniques are evolving to bypass traditional detection-based security tools. LOTL techniques - where attackers use legitimate tools and features built into a computer to carry out their attacks - have long been a staple of the threat actor toolkit. However, HP Threat Researchers now warn that the growing use of multiple, often uncommon, binaries in a single campaign is making it even harder to distinguish malicious versus legitimate activity.

The report provides an analysis of real-world cyberattacks, helping organizations to keep up with the latest techniques cybercriminals are using to evade detection and breach PCs in the fast-changing cybercrime landscape. Based on the millions of endpoints running HP Wolf Security[1], notable campaigns identified by HP Threat Researchers include:

  • Fake Adobe Reader Invoice Signals New Wave of Ultra-Polished Social Engineering Lures: Attackers embedded a reverse shell - a script that gives attackers remote control over a victim's device - in a small SVG image, disguised as a very realistic Adobe Acrobat Reader file, complete with a fake loading bar. The illusion of an in-progress upload increases the chances that victims will open the file and trigger the infection chain. Attackers also geofenced the download to German-speaking regions to limit exposure, hinder automated analysis systems and delay detection.
  • Attackers Hiding Malware in Pixel Image Files: Attackers used Microsoft Compiled HTML Help files to hide malicious code within image pixels. The files, disguised as project documents, concealed an XWorm payload in the pixel data, which was then extracted and used to execute a multi-step infection chain involving multiple LOTL techniques. PowerShell was also used to run a CMD file that deleted evidence of files once they'd been downloaded and executed.
  • Resurgent Lumma Stealer Spreads via IMG Archives: Lumma Stealer was one of the most active malware families observed in Q2. Attackers distributed it through multiple channels, including IMG archive attachments that use LOTL techniques to bypass security filters and exploit trusted systems. Despite a law enforcement crackdown in May 2025, campaigns continued in June, and the group is already registering more domains and building infrastructure.
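As an added defender-side illustration (not part of HP's report or this press release), the following Python script flags the features that let an SVG attachment like the one described above behave as a program rather than a picture: script elements, event-handler attributes, embedded HTML and external references. Both sample SVGs are constructed here to mirror the lure's description and contain no real payload.

```python
import re
import xml.etree.ElementTree as ET

XLINK_NS = "{http://www.w3.org/1999/xlink}"

# Elements that turn an image into executable or embedded content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that can pull in remote or scheme-based resources.
REF_ATTRS = {"href", XLINK_NS + "href"}
REF_SCHEME = re.compile(r"(?i)^(https?|javascript|data):")


def _local(name):
    """Strip the XML namespace prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a sorted list of findings explaining why an SVG is not 'just a picture'."""
    findings = set()
    for elem in ET.fromstring(svg_text).iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.add(f"active element: {tag}")
        for attr, value in elem.attrib.items():
            if _local(attr).lower().startswith("on"):      # onload, onclick, ...
                findings.add(f"event handler: {_local(attr)}")
            m = REF_SCHEME.match(value.strip())
            if attr in REF_ATTRS and m:
                findings.add(f"external reference: {m.group(1).lower()}")
    return sorted(findings)


# Constructed sample: a fake "Acrobat Reader" view with an animated loading bar,
# an onload handler and a script element (placeholder text, not a real payload).
LURE_SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" width="400" height="120" onload="init()">
  <text x="10" y="30">Adobe Acrobat Reader - loading invoice.pdf</text>
  <rect x="10" y="50" width="0" height="12" fill="#c00">
    <animate attributeName="width" from="0" to="380" dur="6s" />
  </rect>
  <image x="10" y="80" width="32" height="32" href="https://example.invalid/logo.png" />
  <script>/* placeholder: script body intentionally omitted */</script>
</svg>"""

# Constructed sample: the same loading bar drawn with no executable content.
BENIGN_SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" width="400" height="120">
  <rect x="10" y="50" width="380" height="12" fill="#c00" />
</svg>"""

if __name__ == "__main__":
    print("lure:  ", scan_svg(LURE_SAMPLE))
    print("benign:", scan_svg(BENIGN_SAMPLE))
```

A mail gateway or sandbox could apply the same check to inbound .svg attachments and route anything with findings to isolation rather than relying on the file's image extension.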

Alex Holland, Principal Threat Researcher, HP Security Lab, comments: "Attackers aren't reinventing the wheel, but they are refining their techniques. Living-off-the-land, reverse shells and phishing have been around for decades, but today's threat actors are sharpening these methods. We're seeing more chaining of living-off-the-land tools and use of less obvious file types, such as images, to evade detection. Take reverse shells as an example - you don't have to drop a fully-fledged RAT when a simple, lightweight script will achieve the same effect. It's simple, fast and often slips under the radar because it's so basic."

These campaigns show how creative and adaptive threat actors have become. By hiding malicious code in images, abusing trusted system tools, and even tailoring attacks to specific regions, they're making it harder for traditional detection tools to spot threats.

By isolating threats that have evaded detection tools on PCs - but still allowing malware to detonate safely inside secure containers - HP Wolf Security has specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on over 55 billion email attachments, web pages, and downloaded files with no reported breaches.

The report, which examines data from April-June 2025, details how cybercriminals continue to diversify attack methods to bypass security tools that rely on detection. Key findings include:

  • At least 13% of email threats identified by HP Sure Click bypassed one or more email gateway scanners.
  • Archive files were the most popular delivery type (40%), followed by executables and scripts (35%).
  • Attackers are continuing to use .rar archive files (26%), suggesting attackers are exploiting trusted software like WinRAR to avoid raising suspicion.

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., comments: "Living off the land techniques are notoriously difficult for security teams because it's hard to tell green flags from red - i.e. legitimate activity versus an attack. You're stuck between a rock and a hard place - lock down activity and create friction for users and tickets for the SOC or leave it open and risk an attacker slipping through. Even the best detection will miss some threats, so defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm."

Please visit the Threat Research blog to view the report.

About the Data

This data was gathered from consenting HP Wolf Security customers from April - June 2025 with investigations conducted by the HP Threat Research Team.

[1] About HP Wolf Security

HP Wolf Security is world class endpoint security. HP's portfolio of hardware-enforced security and endpoint-focused security services are designed to help organizations safeguard PCs, printers, and people from circling cyber predators. HP Wolf Security provides comprehensive endpoint protection and resiliency that starts at the hardware level and extends across software and services. Visit https://hp.com/wolf.
HP Inc. published this content on September 12, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 12, 2025 at 07:35 UTC.