Each quarter our security experts highlight notable malware campaigns, trends and techniques identified by HP Wolf Security. By isolating threats that have evaded detection tools and made it to endpoints, HP Wolf Security spotlights the latest techniques used by cybercriminals, equipping security teams with the knowledge to combat emerging threats and improve their security postures.1 This edition documents notable threats seen in the wild in calendar Q4 2025.
Threat actors in Q4 reused the same inexpensive, off-the-shelf components across multiple campaigns, combining obfuscated scripts, images hosted on archive.org that carried embedded code, and a .NET loader to deliver different payloads. Despite variations in lures and initial file types, the infection chains shared an identical intermediate malware stage that delivered payloads such as DarkCloud and AsyncRAT.2 3
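An image that "carries embedded code" is usually a valid picture with the loader's cargo appended after the format's own end marker, often as a base64 blob the downloader script cuts out between fixed text delimiters. The triage helper below is an added example, not code from the report or from the campaigns it describes: it walks a PNG's chunks (or finds a JPEG's EOI marker), reports anything trailing the image, decodes the first long base64 run it finds there and checks whether the result looks like a PE file, which is what a .NET assembly is on disk. The marker strings `<<BASE64_START>>` / `<<BASE64_END>>` and the sample image are constructed for the demonstration; the real scripts use their own delimiters, which is why the scan keys on the blob rather than on any particular marker.

```python
import base64
import binascii
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Any run of 40+ base64 characters: a triage tool does not know the exact
# delimiters a given downloader script uses, so it looks for the blob itself.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def image_end_offset(data: bytes):
    """Return the offset just past the image's own end marker, or None if the
    format is unknown. A well-formed image has nothing after this point."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4          # length/type header + data + CRC
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(b"\xff\xd8"):
        # JPEG: first EOI marker. Heuristic only, because an EXIF thumbnail
        # carries its own EOI; confirm hits by hand.
        eoi = data.find(b"\xff\xd9")
        return None if eoi < 0 else eoi + 2
    return None


def extract_trailing_payload(data: bytes):
    """Report bytes appended after the image and try to decode a base64 blob
    found in them. Returns None if the image is clean or unrecognised."""
    end = image_end_offset(data)
    if end is None or end >= len(data):
        return None
    trailer = data[end:]
    result = {"trailer_len": len(trailer), "b64_len": 0,
              "decoded": None, "looks_like_pe": False}
    m = B64_RUN.search(trailer)
    if m:
        result["b64_len"] = len(m.group(0))
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            decoded = None
        result["decoded"] = decoded
        # A .NET assembly is a PE file; an "MZ" header on the decoded blob is
        # the tell-tale that the picture is really a loader's cargo.
        result["looks_like_pe"] = bool(decoded) and decoded[:2] == b"MZ"
    return result


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


# Constructed sample: a valid 1x1 PNG, then a fake PE blob (just an "MZ" header
# plus filler) appended after IEND between hypothetical text markers.
CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
             + _png_chunk(b"IEND", b""))
FAKE_PE = b"MZ" + b"\x90" * 62
STEGO_PNG = (CLEAN_PNG + b"<<BASE64_START>>" + base64.b64encode(FAKE_PE)
             + b"<<BASE64_END>>")

if __name__ == "__main__":
    print("clean image:", extract_trailing_payload(CLEAN_PNG))
    print("image with cargo:", extract_trailing_payload(STEGO_PNG))
```

Because the image itself is untouched, it renders normally and passes any check that only looks at the picture, so the useful signal is the trailer, not the pixels. Loaders that store the blob reversed or XOR-encoded will defeat the base64 search but not the trailing-bytes check, so treat a non-zero `trailer_len` on a downloaded image as worth a look even when nothing decodes.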
Attackers used PDF lures built around a simple but effective technique: the victim is sent to a compromised website that serves a malicious download and is then immediately redirected to a legitimate website, creating the impression that the trusted platform initiated the download. This credibility boost helped mask the delivery of the scripts and loaders that ultimately deployed Formbook and XWorm.4 5 The loader used in these campaigns showed signs of having been developed with the help of AI tools, part of a growing trend of threat actors relying on AI coding assistants.
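The first thing a responder wants from a PDF lure is the link it actually points at, which is the compromised host and not the legitimate site the victim remembers landing on. The scanner below is an added example, not code from the report: it pulls every `/URI` target (literal and hex-string forms) and counts `/Launch` actions, and it inflates Flate-compressed streams first, because link annotations hidden inside object streams are invisible to a plain grep of the file. The sample PDF is constructed for the demonstration and is deliberately incomplete (no xref table), which does not matter to a byte-level scan.

```python
import re
import zlib

# Literal string form: /URI ( ... ) with PDF backslash escapes allowed inside.
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Hex string form: /URI < 68 74 74 70 ... >, a cheap way to hide a URL from grep.
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
# \bstream keeps "endstream" from being taken as a new stream start.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\s*endstream", re.S)


def unescape_pdf_string(raw: bytes) -> bytes:
    """Undo the escapes a PDF literal string needs for ( ) and backslash."""
    return re.sub(rb"\\([\\()])", rb"\1", raw)


def hex_string_bytes(raw: bytes) -> bytes:
    digits = re.sub(rb"\s", b"", raw)
    if len(digits) % 2:                 # PDF rule: a missing final digit is 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


def inflate_streams(pdf: bytes):
    """Yield the inflated content of every Flate-compressed stream. Objects
    packed into an object stream only become visible after this step."""
    for m in STREAM_RE.finditer(pdf):
        # decompressobj tolerates a clipped Adler-32 trailer if the regex ate
        # trailing whitespace bytes, where zlib.decompress would raise.
        d = zlib.decompressobj()
        try:
            out = d.decompress(m.group(1))
        except zlib.error:
            continue                    # image data, other filters, or damaged
        if out:
            yield out


def extract_actions(pdf: bytes) -> dict:
    """Collect /URI targets and count /Launch actions across the raw file and
    all of its inflated streams."""
    uris, launches = set(), 0
    for view in [pdf, *inflate_streams(pdf)]:
        for m in URI_LIT_RE.finditer(view):
            uris.add(unescape_pdf_string(m.group(1)).decode("latin-1"))
        for m in URI_HEX_RE.finditer(view):
            uris.add(hex_string_bytes(m.group(1)).decode("latin-1"))
        launches += len(LAUNCH_RE.findall(view))
    return {"uris": sorted(uris), "launch_actions": launches}


# Constructed sample (not a real lure): the download link sits inside a
# Flate-compressed object stream; the visible OpenAction points at a harmless
# looking host; a hex-encoded URI and a /Launch action round it out.
_HIDDEN_OBJ = (b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
               b"/URI (http://compromised.example/dl.php) >> >> endobj")
_COMPRESSED = zlib.compress(_HIDDEN_OBJ)
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    + b"1 0 obj << /Type /Catalog /OpenAction << /S /URI "
    + b"/URI (https://legit.example/landing\\(1\\)) >> >> endobj\n"
    + b"2 0 obj << /Type /ObjStm /N 1 /Filter /FlateDecode /Length "
    + str(len(_COMPRESSED)).encode() + b" >>\nstream\n" + _COMPRESSED
    + b"\nendstream\nendobj\n"
    + b"3 0 obj << /S /Launch /F (cmd.exe) >> endobj\n"
    + b"4 0 obj << /S /URI /URI <687474703a2f2f6d6972726f722e6578616d706c652f> >> endobj\n"
    + b"%%EOF\n"
)

if __name__ == "__main__":
    for uri in extract_actions(SAMPLE_PDF)["uris"]:
        print("URI:", uri)
    print("launch actions:", extract_actions(SAMPLE_PDF)["launch_actions"])
```

In the redirect scheme described above the legitimate destination is the one users (and often tickets) report, so the compromised host only shows up when the lure or the proxy log is read directly; this kind of extraction is where that starts. The scan is a triage aid, not a parser: name escaping such as `/U#52I`, other stream filters and JavaScript actions are outside what it matches, so a hit here is reason to open the file in a proper PDF analysis tool rather than a clean bill of health when it finds nothing.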

