The Threats That Bypassed Detection So Far In 2025: HP Threat Insights Report
HP Wolf Security researchers looked at the top methods cybercriminals are using.
In its latest HP Threat Insights Report, released Friday, HP Wolf Security researchers not only revealed the most notable cyber threats observed so far this year, but also detailed which threats were most successful at bypassing cybersecurity detection.
The report examines data from HP’s Sure Click cybersecurity platform from the first quarter and second quarter of 2025 and provides insight into the methods threat actors are using.
According to the report, the most evasive threats chain long-established living-off-the-land (LOTL) tools with a phishing campaign.
“Attackers aren’t reinventing the wheel, but they are refining their techniques. Living-off-the-land, reverse shells and phishing have been around for decades, but today’s threat actors are sharpening these methods. We’re seeing more chaining of living-off-the-land tools and use of less obvious file types, such as images, to evade detection. Take reverse shells as an example—you don’t have to drop a fully fledged RAT [remote access trojan] when a simple, lightweight script will achieve the same effect. It’s simple, fast and often slips under the radar because it’s so basic,” said Alex Holland, principal threat researcher, HP Security Lab, in a news release.
The report found that the most notable threats during this research period included the XWorm malware, delivered through malicious .chm files disguised as project documentation. Once launched, XWorm operates as a remote access trojan that attackers use for data theft and remote control of the compromised machine.
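As an added, defender-side example (not code from the HP report), the following Python flags the process chains described above in constructed process-creation events: a document handler spawning a script host, and LOTL tools chained together. It assumes hh.exe, the Windows HTML Help viewer, is what opens a .chm lure; the watchlists and sample events are constructed for illustration.

```python
"""Flag living-off-the-land (LOTL) process chains in process-creation events.

Added illustration, not the HP report's tooling: a document handler (e.g. hh.exe,
the Windows HTML Help viewer that opens .chm files) spawning a script host, or one
LOTL binary spawning another, is surfaced for SOC review instead of passing silently.
"""
import json
from typing import List, Optional, Tuple

# Defender-chosen watchlist of LOTL binaries attackers commonly chain (assumption).
LOTL_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
              "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Applications that open user-delivered documents; hh.exe handles .chm help files.
DOC_HANDLERS = {"hh.exe", "winword.exe", "excel.exe", "acrord32.exe", "outlook.exe"}

# Constructed Sysmon-style process-creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Windows\\hh.exe", "parent": "C:\\Windows\\explorer.exe", "cmd": "hh.exe Project_Docs.chm"}
{"pid": 4188, "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\hh.exe", "cmd": "cmd /c start /min powershell -w hidden"}
{"pid": 4201, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "powershell -w hidden"}
{"pid": 5002, "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe", "cmd": "cmd"}
"""


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a verdict label for a suspicious parent/child pair, else None."""
    child, parent = basename(event["image"]), basename(event["parent"])
    if parent in DOC_HANDLERS and child in LOTL_HOSTS:
        return "document-handler-spawned-lotl"  # e.g. hh.exe -> cmd.exe after a .chm lure
    if parent in LOTL_HOSTS and child in LOTL_HOSTS:
        return "lotl-chain"  # e.g. cmd.exe -> powershell.exe
    return None


def scan(lines: str) -> List[Tuple[int, str]]:
    """Parse JSON-lines events and collect (pid, verdict) for every flagged chain."""
    findings = []
    for line in lines.strip().splitlines():
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            findings.append((event["pid"], verdict))
    return findings


if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {verdict}")
```

Explorer launching hh.exe or cmd.exe on its own is not flagged, which keeps ordinary user activity out of the SOC queue while the hh.exe-to-cmd.exe-to-powershell.exe chain is surfaced.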
Malware that mimicked authentic-looking Adobe Acrobat PDF files accounted for 8 percent of threats blocked by HP’s Sure Click.
Email is the top vector by which malware is delivered, accounting for 61 percent of the malware caught by HP Sure Click in the second quarter, according to the report. “Of the email threats caught by HP Sure Click in Q1, at least 13 percent had bypassed one or more email gateway scanners, growing 1 percentage point compared to Q1,” the report read.
After email, other top malware vectors included web browser downloads (23 percent) and “other” at 16 percent.
Other malware activity flagged by the HP Wolf Security researchers includes:
- MassLogger, a .NET-based credential stealer
- Lumma Stealer, which became one of the most active malware families
- The Remcos RAT, a remote access trojan that allows attackers to covertly control a compromised machine for surveillance, data exfiltration and remote command execution (usually attached to an HTML file in a phishing email)
- Archive files such as RAR, ZIP, GZ and ACE, re-emerging as popular malware delivery vessels
“Living-off-the-land techniques are notoriously difficult for security teams because it’s hard to tell green flags from red—i.e., legitimate activity versus an attack. You’re stuck between a rock and a hard place—lock down activity and create friction for users and tickets for the SOC or leave it open and risk an attacker slipping through. Even the best detection will miss some threats, so defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm,” said Dr. Ian Pratt, global head of security for personal systems at HP Inc.
The report also lists actionable steps HP Wolf Security customers can take to reduce the chances of malware bypassing detection; these are detailed in the report itself.