HP Wolf Security Threat Insights Report

The September 2025 edition of the HP Wolf Security Threat Insights Report has been released. The report reviews notable malware campaigns, trends and techniques observed in HP Wolf Security's customer telemetry during calendar Q2 2025.
In Q2 2025, the HP Threat Research team identified attackers refining their use of living-off-the-land (LOTL) tools to evade detection. In one campaign that targeted businesses, threat actors chained together multiple LOTL tools, including lesser-known ones, to deliver XWorm malware. The final payload was hidden in the pixels of an image (T1027.003) downloaded from a trusted website, decoded via PowerShell (T1059.001), and executed through MSBuild (T1127.001), enabling remote access and data theft.
HP Sure Click detected attackers targeting German-speaking regions with highly realistic SVG-based (T1027.017) invoice lures to deliver malware in Q2. These emails bypassed scanners and mimicked Adobe Acrobat to trick users into downloading malicious ZIP files. The delivered malware is a lightweight JavaScript (T1059.007) reverse shell that establishes persistence, collects system data, and enables remote command execution.
Lumma Stealer was one of the most active malware families observed in Q2. HP Wolf Security found the malware being actively distributed via phishing emails containing malicious IMG archives. These disk images, mounted by Windows as virtual drives, hid HTA files (T1218.005) that launched obfuscated PowerShell commands leading to an NSIS installer. The installer deployed shellcode that unpacks and runs Lumma Stealer. Despite a law enforcement takedown in May 2025, campaigns continued in June and its operators have been rebuilding their infrastructure.
To access the report visit here.