HP has released its latest Threat Analytics Report, revealing how legacy living-off-the-land (LOTL) and phishing techniques have evolved to bypass traditional detection-based security tools. LOTL techniques, which exploit legitimate tools and features built into a computer for attacks, have long been recognized as a core part of threat actors’ toolsets. However, HP Threat Researchers warn that the use of multiple, often unconventional, binary files in a single campaign makes it even more difficult to distinguish between malicious and legitimate activity.
The report provides an analysis of real-world cyberattacks, helping organizations stay on top of the latest techniques cybercriminals use to evade detection and breach computers in the rapidly changing cybercrime landscape. Based on millions of endpoints running HP Wolf Security, the key attacks identified by HP Threat Researchers include:
Fake Adobe Reader Invoice Points to a New Wave of Ultra-Slick Social Engineering Lures
Attackers deployed a reverse shell, a script that gives them control over the victim’s device. The script was embedded in a small SVG image disguised as a very realistic Adobe Acrobat Reader file, complete with a fake loading bar that gave the impression of an ongoing download, increasing the chances of victims opening the file and triggering the infection chain. The attackers also geo-restricted the download to German-speaking regions to limit exposure, circumvent automated analysis systems, and delay detection.
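As an added, defender-side example that is not part of HP's report: a small Python check that flags SVG attachments carrying active content of the kind described above (script elements, event-handler attributes, javascript: or HTML data URIs), so they can be routed to isolation instead of rendered. The sample SVGs are constructed, and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Attributes such as onload/onclick let an SVG run script when a browser renders it.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def svg_script_indicators(svg_text):
    """Return the reasons an SVG deserves isolation; an empty list means none found.

    Caveat: xml.etree is not hardened against entity-expansion attacks; in a
    mail gateway, parse with defusedxml and decompress .svgz first.
    """
    reasons = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip the XML namespace
        if tag == "script":
            reasons.append("inline <script> element")
        elif tag == "foreignobject":
            reasons.append("<foreignObject> (can embed arbitrary HTML)")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1]                # xlink:href -> href
            lowered = value.strip().lower()
            if EVENT_ATTR.match(name):
                reasons.append(f"event handler attribute {name}")
            elif name == "href" and lowered.startswith("javascript:"):
                reasons.append("javascript: URI in href")
            elif name == "href" and lowered.startswith("data:text/html"):
                reasons.append("data:text/html URI in href")
    return reasons


def should_isolate(svg_text):
    """Policy decision: any indicator means the attachment is not opened natively."""
    return bool(svg_script_indicators(svg_text))


# Constructed samples: a harmless icon, and a "download progress" lure whose
# animated bar is benign but whose onload handler and <script> are not.
BENIGN_SAMPLE = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
LURE_SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <rect width="200" height="20" fill="#ddd"/>
  <rect width="0" height="20" fill="#c00"><animate attributeName="width" to="200" dur="3s"/></rect>
  <script>/* constructed placeholder, no real payload */ function init() {}</script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("lure", LURE_SAMPLE)):
        print(label, should_isolate(sample), svg_script_indicators(sample))
```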
Attackers Hide Malware in Pixel Image Files
Attackers used Microsoft Compiled HTML Help files to hide malicious code within image pixels. Disguised as project documentation, the files concealed an XWorm payload within the pixel data, which was then extracted and used to execute a multi-step infection chain involving multiple LOTL techniques. PowerShell was also used to execute a CMD file that deleted evidence of the files after download and execution.
Resurgent Lumma Stealer Spreads Through IMG Archives
Lumma Stealer was one of the most active malware families observed in Q2. Attackers distributed the malware through multiple channels, including IMG Archive attachments that used LOTL techniques to bypass security filters and exploit trusted systems. Despite a May 2025 law enforcement crackdown, the attacks continued into June, and the group has already begun registering more domains and building infrastructure.
Alex Holland, Principal Threat Researcher at HP Security Lab, comments: “Attackers aren’t reinventing the wheel, but they are evolving their techniques. Exploiting existing system tools, reverse shells, and phishing have been around for decades, but today’s threat actors are sharpening these methods. We’re seeing more and more chaining of ground-dwelling tools and the use of less obvious file types like images to evade detection. Take reverse shells as an example: You don’t have to launch a full-fledged RAT when a simple, lightweight script will achieve the same effect. Because it’s easy, fast, and so simple, it often flies under the radar.”
These attacks demonstrate how creative and adaptable threat actors have become. By hiding malicious code in images, exploiting trusted system tools, and even tailoring attacks to specific locations, they make it difficult for traditional detection tools to detect threats.
HP Wolf Security has exclusive insight into the latest techniques used by cybercriminals because it isolates threats that evade detection tools on endpoints, letting the malware run safely inside secure containers where it can be observed. To date, HP Wolf Security customers have clicked on more than 55 billion email attachments, web pages, and downloaded files without any breaches being reported.
The report, which examines data from April to June 2025, details how cybercriminals continue to diversify their attack methods to bypass detection-based security tools:
- At least 13% of email threats detected by HP Sure Click bypassed one or more email gateway scanners.
- Archive files were the most popular delivery type (40%), followed by executables and scripts (35%). Attackers continue to use .rar archives (26%), suggesting they are leveraging trusted software like WinRAR to avoid suspicion.
Dr. Ian Pratt, Head of Global Security for Personal Systems at HP Inc., comments: “Existing system tool exploitation techniques are becoming increasingly […] This is incredibly challenging for security teams because it’s difficult to distinguish green flags from red ones—attacks driven by legitimate activity. You’re stuck with a tough choice—either tightly restricting activity, creating inconvenience for users and workload for the SOC, or leaving the system open and risking an attacker’s infiltration. Even the best detection methods will miss some threats, so containment and isolation with layered defenses are crucial to trap attacks before they can cause harm.”