Basic AI-built attacks still beating security tools


HP’s latest Threat Insights Report warns that low-effort, AI-assisted malware campaigns are increasingly bypassing traditional detection tools, even when the underlying techniques are relatively unsophisticated.

Released on 4 March 2026, the report draws on telemetry from endpoints running HP Wolf Security between October and December 2025. Researchers found that attackers are using artificial intelligence primarily to accelerate campaign development and reduce effort, rather than to create more technically advanced malware.

According to HP, threat actors are assembling campaigns using modular, off-the-shelf malware components – a tactic the company describes as “flat-pack malware”. These components, often sourced from hacker forums, allow attackers to rapidly build, adapt and customise campaigns. While lures and final payloads may vary, intermediate scripts and installers are frequently reused across unrelated threat groups.

HP researchers also observed what they refer to as “vibe-hacking” – the use of AI to generate ready-made infection scripts that automate malware delivery. In one campaign, a fake invoice PDF contained a link that triggered a silent download from a compromised website before redirecting the victim to a legitimate platform, such as Booking.com, in an effort to reduce suspicion.

Another campaign involved the Oyster loader malware being distributed through fake Microsoft Teams downloads. Attackers used search engine poisoning and malicious advertisements to direct victims to fraudulent Teams websites. The malicious installer bundle allowed the legitimate Teams application to install while covertly executing the Oyster loader in parallel, giving attackers backdoor access to the compromised device.

HP said that despite being formulaic and relatively low in complexity, these AI-assisted campaigns are proving effective. At least 14 percent of email threats identified by HP Sure Click bypassed one or more email gateway scanners.

Executable files were the most common delivery method, accounting for 37 percent of threats, followed by ZIP archives (11 percent) and DOCX files (10 percent).

Alex Holland, Principal Threat Researcher at HP Security Lab, said attackers appear to be prioritising speed and cost over sophistication.

“What we’re seeing is many attackers are optimising for speed and cost, not quality. They are not using AI to raise the bar; they’re using it to move faster and reduce effort. The campaigns themselves are basic but the uncomfortable reality is they still work,” Holland said.

The findings underscore growing concerns about detection-led security models struggling to keep pace with rapid malware variation enabled by AI-assisted tooling. Dr Ian Pratt, Global Head of Security for Personal Systems at HP, argued that when attackers can generate and repackage malware quickly, signature- and detection-based defences face increasing pressure.

HP’s containment-based approach isolates high-risk activities – such as opening untrusted attachments or clicking unknown links – within secure virtual containers. The company reports that customers have clicked on more than 60 billion email attachments, web pages and downloaded files without reported breaches.

The report concludes that while AI is not necessarily making malware more sophisticated, it is lowering the barrier to entry and increasing the speed at which campaigns can be launched, creating additional strain on traditional enterprise security controls.

You can read the full report here.
