Each quarter our security experts highlight notable malware campaigns, trends and techniques identified by HP Wolf Security. By isolating threats that have evaded detection tools and made it to endpoints, HP Wolf Security gives an insight into the latest techniques used by cybercriminals, equipping security teams with the knowledge to combat emerging threats and improve their security postures.[1] This edition of the report describes notable threats seen in the wild in Q2 2025.
In Q2 2025, the HP Threat Research team identified attackers refining their use of living-off-the-land (LOTL) tools to evade detection.[2] In one campaign that targeted businesses, threat actors chained together multiple LOTL tools, including lesser-known ones, to deliver XWorm malware.[3] The final payload was hidden in the pixels of an image (T1027.003) downloaded from a trusted website, decoded via PowerShell (T1059.001), and executed through MSBuild (T1127.001), enabling remote access and data theft.
In Q2, HP Sure Click detected attackers targeting German-speaking regions with highly realistic SVG-based (T1027.017) invoice lures to deliver malware.[7] These emails bypassed scanners and mimicked Adobe Acrobat to trick users into downloading malicious ZIP files. The delivered malware is a lightweight JavaScript (T1059.007) reverse shell that establishes persistence, collects system data, and enables remote command execution.
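SVG is an XML format that browsers render, so an "image" attached to an email can carry `<script>` elements, event-handler attributes and `javascript:` links that a signature-based scanner may not look at. The inspector below is an added example, not code from HP or the report: it parses an SVG with the Python standard library and reports any active content so a mail gateway or analyst can treat the file as executable rather than as a picture. The two sample SVGs are constructed for the example and are not the lures described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an "invoice" SVG that carries script, an event handler and a javascript: link.
SUSPICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="400">
  <rect width="600" height="400" fill="#fff" onload="console.log('loaded')"/>
  <text x="20" y="40">Rechnung 2025-Q2</text>
  <a xlink:href="javascript:void(0)"><text x="20" y="80">PDF herunterladen</text></a>
  <script type="text/javascript">console.log('active content')</script>
</svg>"""

# Constructed sample: a plain vector drawing with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>"""

# Elements that can run script or embed arbitrary HTML inside an SVG.
SCRIPT_CAPABLE_TAGS = {"script", "foreignobject"}
# URL schemes in href attributes that execute or smuggle content instead of pointing at a resource.
ACTIVE_SCHEMES = ("javascript:", "data:")


def local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix and lower-case the remainder."""
    return qualified.rsplit("}", 1)[-1].lower()


def inspect_svg(data: bytes) -> dict:
    """Return whether the SVG contains active content and a list of findings.

    Note: for untrusted input in production, parse with the defusedxml package
    instead of xml.etree to limit entity-expansion attacks.
    """
    findings = []
    root = ET.fromstring(data)
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in SCRIPT_CAPABLE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            # Any on* attribute (onload, onclick, ...) is an inline event handler.
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            # href / xlink:href with javascript: or data: scheme.
            if aname == "href" and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(f"{value.split(':', 1)[0].lower()}: URL on <{name}>")
    return {"active_content": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, inspect_svg(blob))
```

The check is deliberately conservative: a benign drawing never needs `<script>`, `<foreignObject>` or event handlers, so any hit is enough to route the attachment to detonation or block it, independent of how convincing the rendered invoice looks.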
Lumma Stealer was one of the most active malware families observed in Q2.[9] HP Wolf Security found the malware being actively distributed via phishing emails containing malicious IMG archives. These disk images, mounted by Windows as virtual drives, hid HTA files (T1218.005) that launched obfuscated PowerShell commands leading to an NSIS installer.[10] The installer deployed shellcode that unpacks and runs Lumma Stealer. Despite a law enforcement takedown in May 2025, campaigns continued in June and its operators have been rebuilding their infrastructure.
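Both the XWorm chain (PowerShell decoding a payload and handing it to MSBuild) and the Lumma Stealer chain (an HTA on a mounted disk image launching obfuscated PowerShell) are visible in process-creation telemetry as parent/child pairs that legitimate software rarely produces. The detector below is an added example, not HP's or the report's code: it runs a few such rules over constructed Sysmon-style events. The event lines, file paths, user name and encoded-command placeholder (`QUJD`, base64 of "ABC") are all constructed for the example; the assumption that the system drive is `C:` is marked in the code.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry: one process-creation event per JSON line (not data from the report).
# Backslashes are doubled because this is a raw string that JSON then decodes.
SAMPLE_EVENTS = r"""
{"ts": "2025-06-03T09:12:01Z", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\mshta.exe", "cmd": "mshta.exe E:\\Invoice.hta"}
{"ts": "2025-06-03T09:12:02Z", "parent": "C:\\Windows\\System32\\mshta.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc QUJD"}
{"ts": "2025-06-03T09:12:05Z", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "cmd": "MSBuild.exe C:\\Users\\alice\\AppData\\Local\\Temp\\build.xml"}
{"ts": "2025-06-03T10:01:00Z", "parent": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "cmd": "MSBuild.exe C:\\src\\app\\app.csproj"}
{"ts": "2025-06-03T10:05:00Z", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"}
"""

# Parent -> child pairs seen in the two chains described above (T1218.005 -> T1059.001, T1059.001 -> T1127.001).
SUSPICIOUS_CHAINS = {
    ("mshta.exe", "powershell.exe"),
    ("powershell.exe", "msbuild.exe"),
}
# PowerShell's -EncodedCommand switch and its documented short forms.
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\b")
# First .hta path on the mshta command line.
HTA_ARG = re.compile(r"(?i)\S+\.hta\b")
# Assumption for this example; read %SystemDrive% on the host in practice.
SYSTEM_DRIVE = "C:"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list:
    """Return the rule ids that fire for one process-creation event."""
    parent, child, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmd"]
    hits = []
    if (parent, child) in SUSPICIOUS_CHAINS:
        hits.append(f"chain:{parent}>{child}")
    if child == "powershell.exe" and ENCODED_FLAG.search(cmd):
        hits.append("powershell_encoded_command")
    if child == "mshta.exe":
        m = HTA_ARG.search(cmd)
        # An HTA on a drive other than the system drive is consistent with a mounted IMG/ISO.
        if m and PureWindowsPath(m.group()).drive.upper() not in ("", SYSTEM_DRIVE):
            hits.append("hta_from_nonsystem_drive")
    return hits


def analyze(jsonl: str) -> list:
    """Run every rule over a JSON-lines telemetry blob and collect alerts in event order."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        for rule in check_event(ev):
            alerts.append({"ts": ev["ts"], "image": basename(ev["image"]), "rule": rule})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The build-server event (`devenv.exe` launching MSBuild on a `.csproj`) and the scheduled backup script produce no alerts, which is the point of keying on the parent process rather than on the LOTL binary alone: MSBuild and PowerShell are legitimate on most endpoints, but PowerShell spawning MSBuild from a user's temp directory, or mshta spawning PowerShell with an encoded command, is worth an analyst's time.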