Attackers Adopting Novel LOTL Techniques to Evade Detection

by CybrGPT

Threat actors are using novel living-off-the-land (LOTL) tactics to better evade detection, according to HP Wolf’s Q2 2025 Threat Insights Report.

These tactics include the growing use of multiple, often uncommon binaries in a single campaign and novel uses of image files, making it harder for security teams to distinguish between malicious and legitimate activity.

Alex Holland, a principal threat researcher at HP Security Lab, explained: “We’re seeing more chaining of living-off-the-land tools and use of less obvious file types, such as images, to evade detection. Take reverse shells as an example – you don’t have to drop a fully-fledged remote access Trojan (RAT) when a simple, lightweight script will achieve the same effect. It’s simple, fast and often slips under the radar because it’s so basic.”

XWorm Malware Executed Through MSBuild

In one observed incident, attackers chained together multiple LOTL tools, including lesser-known ones, to deliver XWorm malware, a RAT that contains capabilities for data theft and remote control.

Notably, the final payload was hidden in the pixels of an image downloaded from a trusted website, decoded via PowerShell and executed through MSBuild.

The attack began with the attackers distributing malicious Compiled HTML Help (.chm) files as email attachments, disguised as project documentation – something users often require when they need help using Windows applications.

The malicious files contained no documentation, only malicious scripts designed to initiate a multi-stage infection.

The embedded script uses several Windows LOTL binaries to evade detection and execute the payload. This includes using extrac32.exe to copy the legitimate Windows Script Host executable (cscript.exe) from System32 to the Public user directory.

The campaign dropped a VBScript file into the Public directory, with PowerShell used to execute the script.

The batch file, also executed via PowerShell, downloaded a JavaScript file to the ProgramData directory and ran it using the native Windows script interpreter.

The PowerShell script then downloaded an image from a digital asset management site called Tagbox. Because the domain was trusted and the file was a valid image, it bypassed most security filters.

However, this image contained hidden data, which was loaded into a bitmap object. This set off a sequence of events that downloaded, decoded and executed the final payload, XWorm, inside the legitimate MSBuild process.
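The chain above is visible in process-creation telemetry: extrac32.exe copying a script host into a user-writable directory, cscript/wscript running from Public or ProgramData, and MSBuild spawned by PowerShell. The following detection logic is an added example (not code from HP or from the report) run over constructed Sysmon-style events; paths, command lines and rule names are assumptions for illustration.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style). Sample data, not telemetry from the report.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\hh.exe", "image": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r"extrac32.exe /Y /C C:\Windows\System32\cscript.exe C:\Users\Public\cscript.exe"},
    {"id": 2, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\cscript.exe", "cmdline": r"cscript.exe //B C:\Users\Public\stage.vbs"},
    {"id": 3, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\ProgramData\loader.js"},
    {"id": 4, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "cmdline": r"MSBuild.exe"},
    {"id": 5, "parent": r"C:\Program Files\Visual Studio\devenv.exe",  # benign developer build
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
]

USER_WRITABLE = (r"c:\users\public", r"c:\programdata")
SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
SCRIPT_ARG = re.compile(r"(c:\\programdata|c:\\users\\public)\\[^\s\"]+\.(js|jse|vbs|vbe)\b")
PROJECT_ARG = re.compile(r"\.(csproj|vbproj|proj|sln)\b")

def base(path):
    return ntpath.basename(path).lower()

def in_user_writable(path):
    return any(path.lower().startswith(d + "\\") for d in USER_WRITABLE)

def check_event(ev):
    """Return the rule names the event matches (empty list if nothing suspicious)."""
    hits = []
    img, parent, cmd = base(ev["image"]), base(ev["parent"]), ev["cmdline"].lower()
    # Rule 1: extrac32 used to copy a script host into a user-writable directory
    if img == "extrac32.exe" and any(h in cmd for h in SCRIPT_HOSTS) and any(d in cmd for d in USER_WRITABLE):
        hits.append("extrac32_copies_script_host")
    # Rule 2: a script host binary executing from Public or ProgramData instead of System32
    if img in SCRIPT_HOSTS and in_user_writable(ev["image"]):
        hits.append("script_host_from_user_writable_path")
    # Rule 3: a script host given a .js/.vbs file located under Public or ProgramData
    if img in SCRIPT_HOSTS and SCRIPT_ARG.search(cmd):
        hits.append("script_from_user_writable_path")
    # Rule 4: MSBuild spawned by PowerShell, or run with no project file on its command line
    if img == "msbuild.exe" and (parent == "powershell.exe" or not PROJECT_ARG.search(cmd)):
        hits.append("msbuild_from_powershell_or_without_project")
    return hits

def analyze(events):
    """Map event id -> matched rules, keeping only events that matched at least one rule."""
    return {ev["id"]: hits for ev in events if (hits := check_event(ev))}

if __name__ == "__main__":
    for eid, rules in analyze(SAMPLE_EVENTS).items():
        print(eid, rules)
```

Rule 4 alone would fire on legitimate builds launched from a PowerShell build script, so in production it should be scoped by parent chain or allow-listed build hosts.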

PDF Lures to Deliver Malware

The HP Wolf report, published on September 12, also highlighted novel uses of scalable vector graphics (SVG) files to deliver malware.

SVGs are text files containing Extensible Markup Language (XML) instructions that draw resizable, vector-based images on a computer.

The files provide a range of advantages for threat actors, including the fact they open in the default browser on Windows computers and can be used to draw a range of shapes and graphics, enabling the impersonation of multiple entities.

They also typically behave like HTML documents, allowing attackers to abuse standard web technologies, like embedding JavaScript or referencing external resources hosted on attacker-controlled servers.

In new incidents observed in Q2, attackers distributed extremely small SVG files that were not malicious on their own.

When opened in a browser, the SVG displayed a convincing imitation of an Adobe Acrobat Reader interface, complete with a fake document upload animation and a loading bar that filled gradually. This gave the victim the impression of a legitimate web application.

Once the fake upload completed, the user was prompted to retrieve the supposed document. However, clicking the download button triggered a background request to an external URL, which served a ZIP archive.

This ZIP archive contained a JavaScript file obfuscated through string substitution which, once run, granted attackers basic control over the infected system.

The attackers also used geofencing to restrict downloads to specific regions – a tactic designed to evade automated analysis and delay detection.
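Because SVG is XML, the properties that make it attractive as a lure (embedded scripting, event handlers, links to external hosts) can be checked for at a mail gateway before the file ever reaches a browser. The audit below is an added example, not code from HP or the report; the sample SVG is constructed to resemble the described pattern and the hostnames are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: drawn "interface" plus a script and external targets. Not the actual lure from the report.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="600" height="400">
  <rect x="20" y="20" width="560" height="360" fill="#eee"/>
  <text x="40" y="60">Document loading...</text>
  <a xlink:href="https://downloads.example.invalid/archive.zip"><text x="40" y="300">Download</text></a>
  <image href="https://cdn.example.invalid/logo.png" x="40" y="80" width="100" height="40"/>
  <rect x="40" y="120" width="0" height="10" onclick="run()"/>
  <script type="text/javascript">setTimeout(function(){ /* placeholder */ }, 3000);</script>
</svg>"""

ACTIVE_ELEMENTS = ("script", "foreignObject")

def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.split("}", 1)[1] if "}" in tag else tag

def audit_svg(text):
    """Return (element, reason) findings for active content and external references in an SVG."""
    findings = []
    root = ET.fromstring(text)
    for el in root.iter():
        name = local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append((name, "active content element"))
        for attr, value in el.attrib.items():
            aname = local(attr)
            if aname.startswith("on"):  # onload, onclick, onerror, ...
                findings.append((name, f"event handler attribute {aname}"))
            if aname == "href":
                if value.strip().lower().startswith("javascript:"):
                    findings.append((name, "javascript: URL"))
                host = urlparse(value).netloc
                if host:
                    findings.append((name, f"external reference to {host}"))
    return findings

def is_suspicious(text):
    """A policy decision: any active content or off-host reference makes the file worth quarantining."""
    return bool(audit_svg(text))

if __name__ == "__main__":
    for element, reason in audit_svg(SAMPLE_SVG):
        print(f"<{element}>: {reason}")
```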

Lumma Stealer Spread via IMG Archives

Lumma Stealer emerged as one of the more active malware families observed by the researchers in Q2 2025.

In one notable campaign, the infostealer was embedded in IMG archives within phishing emails to evade detection.

The disk image contained an HTML Application (HTA) file disguised as an invoice. If a user attempted to inspect the file in a text editor, the embedded script was hidden behind long runs of whitespace to evade casual analysis.

When executed, the script compiled and ran a PowerShell command, which then downloaded an executable from a predefined URL. This executable was a Windows installer built using the Nullsoft Scriptable Install System (NSIS), an open source tool for creating installers.

It ran a custom installation script that created several Registry keys referencing various file paths and attempted to open numerous non-existent files, likely intended to mislead analysts.

Finally, the NSIS installer launched another PowerShell command, which executed a dropped file from the local AppData folder.

The PowerShell command ran two shellcodes which, after several unpacking stages, deployed and executed Lumma Stealer.

The researchers noted that despite the law enforcement takedown of Lumma Stealer infrastructure in May 2025, campaigns continued in June and operators have begun rebuilding their infrastructure.
