Newest Malware Campaigns Evade Windows 11 Defenses, Use Animation As Lure: Report

Threat actors are creating polished attack campaigns that often feature high-quality animation like a real-looking installation bar, according to a new HP Wolf Security report.

Bad actors are launching sophisticated tasks with greater ease than ever before using purchased malware services, according to HP Wolf Security.

PureRAT and Phantom Stealer are two such for-sale malware tools, the company’s latest Threat Insights Report noted.

With these tools, threat actors can create polished attack campaigns that often feature high-quality animation like a real-looking installation bar.

Other newer tactics hackers are employing include sideloading DLL files into systems and evading endpoint security scanners. Realistic but malicious Adobe PDF files redirect users to a scam site that imitates an Adobe install but actually downloads an executable file that installs a hijacker.

Threat actors are also hosting malware on Discord and using Discord’s credible reputation to bypass threat defenses. The malware “patches Windows 11’s Memory Integrity protection to bypass this security feature. The infection chain then delivers Phantom Stealer, a subscription-based infostealer,” the report read.

Patrick Schläpfer, principal threat researcher at HP Security Lab, said in a statement that attackers “are using polished animations like fake loading bars and password prompts to make malicious sites feel credible and urgent. At the same time, they are relying on off-the-shelf, subscription malware that is fully featured, and updates as fast as legitimate software. This is helping threat actors keep ahead of detection-based security solutions and slip past defenses with far less effort.”

The report examined data collected by the HP Sure Click cybersecurity platform from July-September 2025, and offered other takeaways:

“With attackers abusing legitimate platforms, mimicking trusted brands and adopting convincing visual tricks, like animations, even strong detection tools will miss some threats. Security teams can’t predict every attack. But by isolating high-risk interactions, such as opening untrusted files and websites, organizations gain a safety net that contains threats before they can cause harm, without adding friction for users,” Ian Pratt, global head of security for personal systems at HP Inc., said in a news release.

Read HP Wolf Security’s full report.