HP Threat Insights Report Reveals Attackers at the Back Door, Too

Written by Jamie Bsales | Jun 11, 2026

Legitimate remote access tools are one of a host of growing exploits

Cybercriminals have always been good at hiding in plain sight—but the latest HP Threat Insights Report shows how far that tactic has evolved. Attackers are increasingly turning trusted software, familiar web experiences, and timely social engineering lures into convincing routes onto users’ PCs.

Source: HP Inc.

The findings, based on threats isolated by HP Wolf Security from January through March 2026, show that many attacks now look less like obvious break-ins and more like routine activity. A user installs a remote access tool. A website asks them to complete a CAPTCHA. A file appears to be an audio download. A crypto recovery utility promises to help restore a lost wallet. Each step may seem plausible in isolation. Together, they can give attackers the access they need.

Spoofing Popular IT Tools to Gain Entry

HP’s researchers found several campaigns that highlight this shift. One of the most concerning involved legitimate remote access tools such as LogMeIn and ScreenConnect. These tools are widely used by IT teams and tech-support departments to allow remote troubleshooting of issues. In the campaigns HP analyzed, victims were lured through tax year-end phishing emails and fake desktop app downloads, including downloads tied to dating websites. Once persuaded to install the tool, users effectively handed attackers control of their devices.

That is a difficult problem for most malware defense tools to thwart. Traditional security tools are often tuned to spot clearly malicious software. But when an attacker uses a real, digitally signed, widely used remote support application that’s launched by the authenticated PC user, the threat is more difficult to recognize. The activity may resemble legitimate IT administration, even though the person behind the keyboard is a criminal.

Catching People When They Are Vulnerable

The report also highlights another increasingly common theme: exploiting people in moments of urgency or desperation. For example, HP researchers uncovered fake crypto wallet recovery tools. These tools claimed to help users recover lost wallets, but were built to steal credentials, wallet data, and system information. Some of the scripts were emoji-heavy and appeared to be “vibe-coded,” suggesting that attackers may be using AI-assisted development techniques to assemble parts of their campaigns more quickly.

Image created with ChatGPT.

HP also observed ClickFix campaigns that disguised malware as audio files. Victims were guided through realistic CAPTCHA prompts on polished (but scam) websites, which then triggered malicious commands in the background. The approach is effective because it borrows from familiar web behavior. Users are used to CAPTCHA checks. They are used to following prompts to access content. They may not realize that the instructions are leading them to execute code.

Across these examples, the common thread is credibility. The attackers are not relying only on suspicious attachments or crude phishing pages. They are using the language, tools, and workflows people already trust.

Notably, HP’s data shows that more than 10% of email threats identified by the HP Sure Click tool had bypassed one or more email gateway scanners. That is a reminder that gateway filtering, while valuable, is not sufficient on its own. The report also found that compressed .zip files remained the most popular malware delivery type, accounting for 40% of observed malware delivery. Executable files followed at 38%, while PDF documents accounted for 11%. HP noted that PDF-based malware increased by three percentage points compared to the previous quarter, with attackers using lures such as court documents and bonus payments to create urgency and encourage clicks.

Alex Holland, Principal Threat Researcher at HP Security Lab, put it plainly: “These attacks do not look like break-ins. They look like business as usual.”

Keypoint Intelligence Opinion

The future of endpoint defense will depend less on assuming every threat can be spotted in advance and more on containing risky activity before it can cause harm. That is why organizations should focus on reducing unnecessary user privileges, controlling software installation, and isolating risky activity such as downloads, unknown links, and attachments.

Those recommendations may sound basic, but they directly address the tactics HP observed. If users cannot install unauthorized remote access tools, attackers lose a key route to persistence. If risky downloads open in isolated environments, malware has fewer opportunities to affect the wider system. If users operate with only the privileges they need, a compromised account or device is less damaging. Organizations need to adapt just as quickly as the attackers do, especially when the backdoor may look like a legitimate tool doing exactly what it was designed to do.
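As an added illustration of the “control software installation” point above (example code written for this article, not from HP or the report), here is a small Python triage routine that reviews endpoint process-creation events for the remote access tools the report names, LogMeIn and ScreenConnect, and flags launches that did not come through the managed deployment path. The management-agent name, the JSON event format and the sample events are all assumptions constructed for the example.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Remote access products named in the HP report; matched against the file name
# in endpoint process-creation events.
REMOTE_ACCESS_TOOLS = ("logmein", "screenconnect")

# Assumption: IT deploys approved tools through a management agent, so a sanctioned
# install has that agent as its parent process. The name is a placeholder.
APPROVED_PARENTS = {"managementagent.exe"}

# Constructed sample process-creation events (JSON lines), not real telemetry.
SAMPLE_EVENTS = r"""
{"host": "PC-017", "user": "CORP\\alice", "image": "C:\\Users\\alice\\Downloads\\ScreenConnect.ClientSetup.exe", "parent": "explorer.exe"}
{"host": "PC-022", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\Temp\\LogMeIn.msi", "parent": "managementagent.exe"}
{"host": "PC-031", "user": "CORP\\bob", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\LogMeInIgnition.exe", "parent": "outlook.exe"}
{"host": "PC-040", "user": "CORP\\carol", "image": "C:\\Program Files\\Notepad++\\notepad++.exe", "parent": "explorer.exe"}
"""


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    reason: str


def remote_access_tool(image: str) -> str | None:
    """Return the matched product name if the image is a known remote access tool."""
    name = image.rsplit("\\", 1)[-1].lower()
    return next((t for t in REMOTE_ACCESS_TOOLS if t in name), None)


def review_events(jsonl: str) -> list[Finding]:
    """Flag remote access tool launches that bypassed the managed deployment path."""
    findings: list[Finding] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        tool = remote_access_tool(ev["image"])
        if tool is None or ev["parent"].lower() in APPROVED_PARENTS:
            continue  # not a remote access tool, or installed through IT's own channel
        # Anything else is a user-initiated install: the pattern the report describes,
        # where the phished user runs the installer themselves.
        reason = f"launched via {ev['parent']}, not the management agent"
        path = ev["image"].lower()
        if "\\downloads\\" in path or "\\temp\\" in path:
            reason += "; installer ran from a download or temp folder"
        findings.append(Finding(ev["host"], ev["user"], tool, reason))
    return findings
```

Run against the sample events, the routine reports the two user-launched installs (PC-017 and PC-031) and stays silent on the agent-deployed LogMeIn package and on unrelated software.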
