AI supercharging malware development - HP

HP’s latest cybersecurity update points to increasingly sophisticated cyber threats being spotted in the wild and the growing use of generative AI by cyber criminals.

“In 2025, we will be entering into a ‘hyper threat’ landscape defined by the acceleration of AI as a more widely adopted complement to existing malware development tools and techniques by threat actors,” says Steve Inch, senior principal print security strategy & product management at HP.

“As cybercriminals learn and adopt a broader quiver of AI techniques beyond generative AI for phishing and cybercrime campaign development, they will begin to turbocharge how they detect and exploit weaknesses at the network edge. Companies and governments should begin to demand endpoint devices, like printers, with continuous, active system monitoring during 100% of the life of the device.”

The HP Wolf Security Threat Insights Report for January 2025 is based on threats identified by HP’s cybersecurity platform in Q3 2024, and flags a series of concerning threats.

Malicious spreadsheet that exploits CVE-2017-11882

VIP keylogger and Obj3ctivityStealer

HP detected campaigns spreading VIP Keylogger and Obj3ctivityStealer malware, both utilising similar techniques:

Attackers hid malicious code within images uploaded to legitimate websites like archive.org.

The campaigns employed the same .NET loader to install their final payloads.

This approach allowed attackers to bypass network security measures that rely on reputation checks.
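One defender-side check for the image-hosting technique described above, as an added example that is not code from HP or the report: it assumes the payload is appended after the image's end marker (PNG IEND chunk or JPEG EOI), where ordinary viewers ignore it, and flags files that carry such trailing data.

```python
"""Flag image files that carry data after the format's end marker.

Added example, not code from HP or the report. It assumes one common way of
hiding a payload in an image: appending it after the PNG IEND chunk or the
JPEG end-of-image marker, which image viewers silently ignore.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def png_end_offset(data: bytes) -> int:
    """Return the offset just past the IEND chunk by walking the chunk list."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Number of bytes after the image's end marker (0 for a clean file)."""
    if data.startswith(PNG_SIG):
        return len(data) - png_end_offset(data)
    if data.startswith(JPEG_SOI):
        # rfind takes the last EOI marker, so a payload that itself ends in
        # FF D9 would evade this check; pair it with other heuristics.
        end = data.rfind(JPEG_EOI)
        if end == -1:
            raise ValueError("no EOI marker found")
        return len(data) - (end + 2)
    raise ValueError("not a PNG or JPEG")


def make_png(payload: bytes = b"") -> bytes:
    """Constructed sample: a minimal valid 1x1 PNG with optional appended data."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = struct.pack(">I", zlib.crc32(ctype + body))
        return struct.pack(">I", len(body)) + ctype + body + crc
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")          # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + payload
```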

XWorm RAT campaign

An HTML smuggling campaign delivering the XWorm remote access trojan (RAT) was identified:

The campaign used HTML files with characteristics suggesting they were created with the assistance of generative AI.

The infection chain involved a compiled AutoIt script that decoded and executed shellcode.

XWorm functions as a multi-purpose malware, primarily used as a RAT or information stealer.
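A heuristic scan for the HTML smuggling delivery described above, as an added example that is not code from HP or the report: the indicator names, patterns and threshold are assumptions of this example, chosen around the building blocks a smuggling page needs (an encoded payload, a decode call, and a way to drop it as a file).

```python
"""Heuristic scan of an HTML attachment for HTML-smuggling indicators.

Added example, not code from HP or the report. Indicator names, patterns and
the scoring threshold are this example's assumptions, not the report's rules.
"""
import re

# Each pattern is one building block a smuggling page typically needs:
# an encoded payload, a way to decode it, and a way to drop it as a file.
INDICATORS = {
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{400,}={0,2}"),
    "decode_call": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "legacy_save": re.compile(r"msSaveOrOpenBlob"),
    "auto_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
THRESHOLD = 3  # assumption: three independent indicators is worth an alert


def scan_html(html: str) -> dict:
    """Return which indicators matched and whether the file crosses the threshold."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= THRESHOLD}


# Constructed samples: a plain page and fragments mimicking a smuggling page.
# The "payload" is filler and the script is deliberately not runnable JS.
BENIGN = "<html><body><h1>Invoice</h1><p>See attached.</p></body></html>"
SUSPICIOUS = (
    "<html><body><script>"
    "var b = atob('" + "QUJD" * 120 + "'); "
    "var f = new Blob([...]); "
    "l.href = URL.createObjectURL(f); l.download = 'doc.zip'; l.click();"
    "</script></body></html>"
)
```

Run scan_html over each HTML attachment at the mail gateway and forward anything marked suspicious to sandboxing rather than blocking on a single indicator, since legitimate pages also use atob or Blob on their own.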

Examples of malicious images and view counts hosted on archive.org

Lumma Stealer on GitHub

Threat actors uploaded information-stealing malware to GitHub repositories:

The repositories contained legitimate source code alongside malicious executables.

The campaign targeted users of video game cheat and modification tools. Lumma Stealer, the payload, is capable of exfiltrating passwords, cryptocurrency wallets, and browser data.

Emerging cybercrime trends

The report highlights the growing use of generative AI in cybercrime:

HTML files in the XWorm campaign showed signs of AI assistance, including extensive code comments and visual design similarities to AI-generated content.

While not yet seen in early attack stages or payload development, AI is increasingly used in initial access and malware delivery phases.

This trend could lead to more scalable attacks, increased infection rates, and greater difficulty in attribution.

“Many of the GenAI use cases around creation, automation and virtual assistance that are being embraced by individuals and businesses will be adapted to support cybercrime,” says Alex Holland, Principal Threat Researcher in the HP Security Lab. 

“Whether it’s helping to write scripts, uncovering vulnerabilities, analysing data, or using copilots to assist with coding tasks, GenAI will help cybercriminals to increase their productivity, efficiency and effectiveness. Barriers to entry for cybercriminals will be lowered, allowing novices to carry out attacks without coding know-how. We may see click-through rates on phishing rise, as GenAI helps attackers to craft convincing multi-lingual, targeted lures.”

But just as cybercriminals are harnessing AI to supercharge malware development, Holland says the same underlying technology can strengthen defences against them.

“On the positive side, cybersecurity teams will harness AI to enhance threat detection and response, relieving the pressure on teams. Partnering with trusted AI security vendors will ensure organizations reap the benefits of AI, while being protected from new AI-assisted threats.”

Archive embedded in PDF document.

Repurposing attack components

Cybercriminals are becoming more efficient by reusing and combining attack components:

The VIP Keylogger and Obj3ctivityStealer campaigns shared similar infection chains and techniques.

This approach reduces the time and skill required to create effective malware campaigns.

Attackers can focus on experimenting with detection bypass techniques, such as embedding malicious code in images.

Abuse of legitimate platforms

Threat actors continue to exploit trusted platforms to deliver malware:

Malicious images were uploaded to archive.org to host and distribute malware. GitHub repositories were used to spread Lumma Stealer under the guise of game modification tools.

These tactics take advantage of users' trust in well-known platforms and can bypass security measures.

Threat vector and file type trends

The report provides insights into the most common threat vectors and file types:

Threat vectors

Email remains the primary vector for malware delivery, accounting for 52% of threats. Web browser downloads saw a significant increase, rising to 28% of threats. Other vectors, such as removable media, accounted for 20% of threats.

Malicious file types

Executables and scripts were the most common malware delivery type, representing 40% of threats. Archive files (e.g., ZIP, RAR, LZH) were the second most popular, accounting for 34% of threats. Document formats (Word, Excel) and PDFs also remained significant threat vectors.

Source: HP

Implications for cybersecurity

The findings from the HP Wolf Security Threat Insights Report have several important implications for organizations and cybersecurity professionals:

Enhanced email security: With email remaining the primary threat vector, organizations must continue to strengthen their email security measures and user awareness training.

AI-aware defence strategies: As cybercriminals leverage AI in their attacks, defenders must adapt their strategies to detect and mitigate AI-assisted threats.

Vigilance on trusted platforms: Security teams should be aware that legitimate platforms like GitHub and archive.org can be abused to host and distribute malware.

Advanced threat detection: The increasing sophistication of malware campaigns necessitates the use of advanced threat detection technologies capable of identifying complex, multi-stage attacks.

Continuous monitoring: The evolving nature of threats requires constant vigilance and regular updates to security systems and practices.

User education: Given the prevalence of social engineering tactics, ongoing user education remains crucial in preventing successful attacks.

Holistic security approach: Organizations should adopt a comprehensive security strategy that addresses various threat vectors and file types.

Read the HP Wolf Security Threat Insights Report in full here.
