HP Cybersecurity Reveals Spike in Infostealer-Based Attacks
News Desk


HP Inc. announced its latest Threat Insights Report, revealing how cybercriminals are refining attack campaigns with professional-looking animations and purchasable malware services. The report shows HP cybersecurity teams observing attackers combine convincing visuals, trusted hosting platforms such as Discord, and frequently updated malware kits to deceive users and evade detection tools.

The report analyzed real-world cyberattacks using data from millions of endpoints. HP reported that these methods are enabling attackers to bypass PC defenses in a fast-changing cybercrime landscape.

Several notable campaigns were revealed by the HP Threat Research Team.

• Attackers impersonating the Colombian Prosecutor’s Office sent fake legal emails. Victims were redirected to a spoofed government website with auto-scroll animations prompting them to open a password-protected archive. Once opened, a hidden malicious DLL installed PureRAT malware, granting attackers full device control. Only 4% of related samples were detected by antivirus tools on average.

• A fake Adobe-branded PDF redirected users to a fraudulent update site. A staged animation mimicked an Adobe installation process and tricked users into downloading a modified executable of ScreenConnect, a legitimate remote access tool. The tool then connected to attacker-controlled servers, enabling device takeover.

• Threat actors hosted malware on Discord to take advantage of its trusted domain reputation. Before running its payload, the malware patched the Windows 11 Memory Integrity protection (hypervisor-protected code integrity) and then delivered Phantom Stealer, a subscription-based infostealer that targets credentials and financial data and is updated frequently to evade security tools.

Patrick Schläpfer, Principal Threat Researcher at HP Security Lab, said attackers are using polished animations, fake loading bars, and password prompts to create credibility and urgency. He added that off-the-shelf malware updates as quickly as legitimate software, allowing attackers to stay ahead of detection-based defenses.

Alongside the report, HP cybersecurity researchers published a blog examining session cookie hijacking, the use of stolen credentials, and the growth of infostealer malware. Rather than stealing passwords or defeating MFA directly, attackers steal the session cookies a browser holds after a successful login; because the cookie is the web application's proof that authentication already happened, replaying it from another machine gives the attacker the logged-in session without the password or a second factor. HP analysis of publicly reported attack data found that 57% of the top malware families in Q3 2025 were information stealers.

By isolating threats that evade detection tools on PCs and letting malware detonate safely inside secure containers, HP cybersecurity solutions give its researchers insight into modern attack techniques. HP reported that customers have clicked more than 55 billion email attachments, web pages, and downloaded files with no reported breaches.

The report, covering data from July to September 2025, also revealed that attackers continue to diversify their methods to bypass detection-based security tools.

• At least 11% of email threats bypassed one or more email gateway scanners.
• Archive files accounted for 45% of malware delivery, with increased use of malicious .tar and .z files.
• PDF-based threats represented 11% of blocked attacks, increasing from the previous quarter.

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., said attackers are abusing legitimate platforms and trusted brands with convincing visual techniques. He reported that isolating risky interactions, such as opening untrusted files and websites, helps organizations contain threats without disrupting users.