HP Inc. has released its June 2025 HP Wolf Security Threat Insights Report, spotlighting the evolving tactics of cybercriminals who are capitalizing on digital fatigue, creative file disguises, and trusted software formats to infiltrate endpoints. The findings—based on real-world attacks that bypassed conventional defenses—highlight the need for enhanced cybersecurity strategies in enterprises.

Click Fatigue Exploited
One of the most prominent threats identified in Q1 2025 involved a sophisticated campaign leveraging spoofed travel booking websites. Cybercriminals set up malicious look-alikes of legitimate platforms like Booking.com, complete with branded visuals and cookie consent pop-ups. The trick? When users clicked “Accept Cookies”, they unwittingly downloaded a JavaScript file initiating a multistage infection chain.
According to HP’s researchers, the downloaded file launched two PowerShell scripts disguised with .mp4 extensions, then executed a .NET binary that compiled additional malicious code on the fly. This led to the installation of XWorm—a potent remote access trojan (RAT) capable of stealing data, spying through webcams and microphones, and giving full control of the infected system to the attacker. What makes this tactic particularly effective isn’t its complexity, but rather its timing and psychological manipulation. As Patrick Schläpfer, Principal Threat Researcher at HP, noted, “Since the introduction of privacy regulations such as GDPR, cookie prompts have become so normalized that most users have fallen into a habit of ‘click-first, think later’.”
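The two PowerShell scripts above were carried under .mp4 extensions, which is exactly the kind of mismatch a content-versus-extension check catches before the file ever reaches a script host. The following is an added example (not code from the HP report or from Keypoint Intelligence) that compares a file's extension against its leading bytes and, when the header does not fit, looks for script syntax in the text; the format table, the marker regex and all sample inputs are constructed for this illustration.

```python
"""Added example: flag files whose extension promises one format but whose
bytes say another, the pattern behind PowerShell scripts shipped as '.mp4'.
Format checks, script markers and sample inputs are constructed here."""
import re

# Header checks for a few formats that turn up as disguises. Each returns
# True when the bytes plausibly belong to that format.
def is_mp4(d: bytes) -> bool:
    return len(d) >= 8 and d[4:8] == b"ftyp"      # ISO BMFF: size + 'ftyp' box

def is_pdf(d: bytes) -> bool:
    return d.startswith(b"%PDF-")

def is_zip(d: bytes) -> bool:
    return d.startswith(b"PK\x03\x04")

def is_pe(d: bytes) -> bool:
    return d.startswith(b"MZ")

MAGIC = {"mp4": is_mp4, "m4a": is_mp4, "pdf": is_pdf,
         "zip": is_zip, "exe": is_pe, "dll": is_pe}

# Tokens that mark text as a script rather than a media or document payload.
SCRIPT_MARKERS = re.compile(
    r"(?im)^\s*(?:param\s*\(|function\s+\w|\$\w+\s*=|Add-Type\b|Start-Process\b|Invoke-\w+\b)"
    r"|^\s*(?:Set|Dim|Sub|WScript\.)\w*"        # VBScript
    r"|<script\b"                                # HTML / SVG smuggling
)

def as_text(data: bytes):
    """Decode the first 4 KiB as text, handling the UTF-16LE BOM that
    PowerShell scripts often carry; return None for binary content."""
    head = data[:4096]
    if head.startswith(b"\xff\xfe"):
        return head[2:].decode("utf-16-le", errors="ignore")
    try:
        return head.decode("utf-8")
    except UnicodeDecodeError:
        return None

def assess(filename: str, data: bytes) -> str:
    """Return 'ok', 'unknown-extension', or a 'mismatch:*' verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    check = MAGIC.get(ext)
    if check is None:
        return "unknown-extension"
    if check(data):
        return "ok"
    text = as_text(data)
    if text is not None and SCRIPT_MARKERS.search(text):
        return "mismatch:script-content"
    return "mismatch:wrong-header"

# Constructed sample inputs: a real-looking MP4 header, a harmless PowerShell
# snippet renamed to .mp4 (once UTF-8, once UTF-16LE), and a PDF.
SAMPLES = {
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 24,
    "intro.mp4": b"Add-Type -AssemblyName System.Windows.Forms\r\nStart-Process notepad\r\n",
    "outro.mp4": b"\xff\xfe" + "$x = 1\r\n".encode("utf-16-le"),
    "report.pdf": b"%PDF-1.7\n%constructed sample\n",
}

def triage_all(samples=SAMPLES) -> dict:
    """Assess every sample; a real scanner would walk a quarantine folder."""
    return {name: assess(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:12s} {verdict}")
```

The header table is deliberately short; the point is that a verdict of `mismatch:script-content` for a file an e-mail gateway passed as "video" is a cheap, high-signal alert, and the check costs one read of a few kilobytes.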
Malware Masquerading as Windows Folders
HP also exposed a new social engineering method involving Windows Library files (.library-ms) to deliver malware. These files, typically used to aggregate content from various directories, were manipulated to point to online WebDAV folder shares. When opened, they displayed what looked like legitimate folders with names such as “Documents” or “Downloads,” but in fact led victims to malware hidden behind a seemingly innocuous PDF icon. Upon execution, these fake PDFs launched a batch of obfuscated scripts that deployed trojans such as DCRat, AsyncRat, and again, XWorm. This technique added another layer of deception by embedding malicious scripts into obscure formats like SVG and library files, making detection by traditional e-mail gateways exceedingly difficult.
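A .library-ms file is plain XML, so the property that makes the lure work (a stock-looking folder name whose search location is a WebDAV or UNC share rather than a local known folder) is also what a defender can check for on the mail gateway or at download time. The following is an added example (not code from the HP report or from Keypoint Intelligence) that parses the library description, lists its locations and flags remote ones; the remote-location regex, the stock-folder name list and both sample files are constructed for this illustration.

```python
"""Added example: triage Windows Library (.library-ms) files by checking
whether any search location points at a remote share (HTTP/WebDAV or UNC)
instead of a local known folder or drive path. Samples are constructed."""
import re
import xml.etree.ElementTree as ET

# Namespace used by the library description format.
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Locations Explorer resolves over the network rather than on disk:
# http(s) URLs (WebDAV redirector), \\host\share UNC paths (the \\host@80\
# and \\host@SSL\ WebDAV spellings fall under the host part), and //host/.
REMOTE_LOCATION = re.compile(r"^(?:https?://|\\\\[^\\]+\\|//[^/]+/)", re.IGNORECASE)

# Names reused so the library looks like a stock Windows folder.
STOCK_FOLDER_NAMES = {"documents", "downloads", "desktop", "pictures", "music", "videos"}

def parse_library(xml_text: str):
    """Return (display_name, [location strings]) from a .library-ms document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    name_el = root.find("lib:name", NS)
    name = (name_el.text or "").strip() if name_el is not None else ""
    urls = [(u.text or "").strip()
            for u in root.iterfind(".//lib:simpleLocation/lib:url", NS)]
    return name, [u for u in urls if u]

def is_remote_location(url: str) -> bool:
    return REMOTE_LOCATION.match(url) is not None

def triage_library(xml_text: str) -> dict:
    """Summarise why a library file is or is not suspicious."""
    name, urls = parse_library(xml_text)
    remote = [u for u in urls if is_remote_location(u)]
    reasons = []
    if remote:
        reasons.append("remote-location")
    if remote and name.lower() in STOCK_FOLDER_NAMES:
        reasons.append("impersonates-stock-folder")
    return {"name": name, "locations": urls, "remote_locations": remote,
            "suspicious": bool(remote), "reasons": reasons}

# Constructed sample 1: a user-made library over the local Documents folder.
BENIGN_DOCUMENTS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed sample 2: a "Downloads" library whose only location is a
# WebDAV share on a placeholder host (example.invalid is reserved, never live).
LOOKALIKE_DOWNLOADS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Downloads</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>https://webdav.example.invalid/Downloads/</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCUMENTS), ("lookalike", LOOKALIKE_DOWNLOADS)):
        print(label, triage_library(doc))
```

In an environment that legitimately uses internal WebDAV or file-server libraries, the UNC branch should be narrowed with an allow list of trusted hosts; a library that arrives by e-mail or browser download and points anywhere off the machine is the case worth alerting on.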
In another campaign identified by HP’s research, attackers used PowerPoint presentations to trick users. The slide opened automatically in full-screen mode and displayed a supposed “purchase order” with a link and password. Clicking the link downloaded a password-protected ZIP file from GitHub, containing a VBScript and an executable. Once opened, the script executed a GitHub-hosted payload, culminating in the deployment of XRed Backdoor and LodaRAT malware. XRed Backdoor allowed attackers to exfiltrate data and issue remote commands via C2 servers, while LodaRAT harvested credentials, cookies, and could activate cameras and microphones—demonstrating the increasing use of legitimate platforms like GitHub and Dropbox for malware delivery.
Information Theft on the Rise
Further illustrating the threat landscape's diversity, HP researchers documented a campaign using fake PDF errors to distribute the Rhadamanthys Stealer (an advanced malware family sold on the dark web). Victims were encouraged to open the document in a web browser, leading them to a JavaScript file hosted on a Microsoft Azure subdomain. Once executed, it launched a PowerShell script, installed persistence mechanisms, and injected the payload into a trusted .NET process.
Similarly, the Divulge Stealer payload was delivered through a malicious Word document, which relied on VBA macros to extract and execute a Base64-encoded .NET binary. The malware harvested extensive data—ranging from crypto wallet information to Discord tokens and browser credentials—and exfiltrated it through a Discord channel. Despite the rudimentary delivery method, the tactic was highly effective at siphoning sensitive information and maintaining persistence through startup folders and scheduled tasks.
From a delivery perspective, archive files (RAR, ZIP, 7Z, etc.) emerged as the top vector in Q1, accounting for 38% of threats. That is up 5 percentage points from HP’s Q4 2024 report findings. Executables and scripts followed (34%), while documents like Word and Excel files contributed 8% and 6%, respectively. The occurrences of malicious PDFs as a delivery method held steady at 10%.
Notably, MSI installers surged in use, jumping from 25th to 17th in popularity. This spike was largely due to the proliferation of ChromeLoader malware campaigns, which exploit recently issued code-signing certificates to bypass Windows defenses. Often distributed via spoofed software sites or malicious ads, these installers appeared legitimate to users and systems alike.
E-mail remained the most prevalent malware delivery channel, responsible for 62% of threats in Q1—a nearly 10% jump from the previous quarter. HP noted that at least 12% of these malicious e-mails had successfully bypassed one or more e-mail security gateways. Web downloads accounted for 23%, while 15% came from other sources, such as removable media infected with malware.
Keypoint Opinion
HP’s emphasis on isolating high-risk actions, such as opening untrusted attachments or clicking suspicious links, offers a blueprint for defending against today’s agile and increasingly psychological cyber threats. And the Q1 2025 report from HP underscores a concerning trend: Attackers no longer need highly sophisticated exploits. Simple “social engineering” (tricking a human into performing an action that unleashes the malware) combined with digital desensitization (do you read all those cookie notices?) is remarkably effective. Whether via cookie banners, deceptive folders, or file types that users trust, the common thread is exploiting habitual user behavior.
As Ian Pratt, Global Head of Security for HP, put it, “Often, it’s not sophisticated techniques, but moments of routine that catch users out. The more exposed those interactions are, the greater the risk.”