    HP warns of surge in polished fake updates & malware

    HP has reported a rise in cyber attacks that use animated fake update screens and staged password prompts to trick users into installing malware on their own devices.

    The company’s latest Threat Insights Report describes how criminal groups are combining these polished visuals with widely available malware services. Many of these tools update as frequently as legitimate software, making them harder for traditional security products to detect.

    HP’s Threat Research Team based its findings on data from millions of endpoints that run HP Wolf Security. Analysts identified several campaigns that rely on deceptive user interfaces and everyday consumer platforms, including email, popular document formats and the Discord messaging service.

    Legal threat ruse

    One campaign targeted users with emails that appeared to come from the Colombian Prosecutor’s Office. The messages warned of legal action and directed recipients to a fake government website.

    The site displayed an auto-scrolling interface that guided users towards what appeared to be a “one-time password”. That password in fact unlocked a malicious, password-protected archive file. When the victim opened the archive, it extracted a folder containing a hidden, modified dynamic link library (DLL).

    The altered DLL installed PureRAT, a remote access tool that is sold on underground marketplaces. Attackers gained full control of infected devices through this method. HP said the samples in this campaign were highly evasive and that, on average, only 4 per cent of related files were detected by anti-virus tools.

    Patrick Schläpfer, Principal Threat Researcher at HP Security Lab, said attackers have improved the look and feel of their lures. “Attackers are using polished animations like fake loading bars and password prompts to make malicious sites feel credible and urgent. At the same time, they are relying on off-the-shelf, subscription malware that is fully featured, and updates as fast as legitimate software. This is helping threat actors keep ahead of detection-based security solutions and slip past defences with far less effort,” said Schläpfer.

    Fake Adobe updates

    Another set of attacks centred on fake Adobe-branded PDF documents. Victims who opened these files were redirected to a fraudulent website that claimed it would update their PDF reader.

    The site displayed an animated installation bar that resembled a genuine Adobe update. Users who followed the on-screen instructions downloaded a modified executable of ScreenConnect, a legitimate remote support tool.

    Once installed, the altered ScreenConnect client connected back to servers controlled by the attackers. This connection enabled them to take over the compromised systems via remote access functions that usually support IT helpdesks.

    Discord hosting tactic

    HP researchers also observed threat actors using Discord as a platform to host malware payloads. This approach allowed groups to avoid building their own infrastructure and to benefit from the established reputation of a popular consumer service.

    In this campaign, the attackers delivered an information-stealing programme known as Phantom Stealer. The malware removed or altered Windows 11 Memory Integrity protection before it was fully deployed. This step bypassed a key security feature that is designed to prevent certain classes of attacks.

    Phantom Stealer is sold as a subscription service on hacking forums. It gathers credentials, financial information and browser cookies from infected systems. Its developers release frequent updates to evade detection by modern security products.

    Rise of info-stealers

    Alongside the report, HP analysts have examined session cookie hijacking and the broader use of stolen credentials. Attackers increasingly focus on cookies that prove a user is already logged in, rather than on passwords or multi-factor authentication codes.

    Session cookies allow web services to maintain access without repeated logins. When attackers steal these tokens, they can gain immediate entry to business applications and other sensitive systems that trust the existing session.
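One detection a defender can run against web-application access logs for the session-cookie abuse described above: flag a session token that turns up from a new client context (IP address and User-Agent) shortly after its last use. This is an added example, not code from HP or its report; the event fields (`ts`, `session_id`, `ip`, `user_agent`), the 15-minute window and the sample events are all assumptions constructed for the demo.

```python
"""Detect a session token presented from two different client contexts within a
short window, a common sign of a stolen session cookie being replayed.
Example code added for illustration; the events below are constructed."""
import hashlib


def fingerprint(session_id):
    """Short hash of the token so alerts never carry a live session cookie around."""
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()[:16]


def detect_session_reuse(events, window_seconds=900):
    """Return one alert per context switch on a session inside window_seconds.

    events: iterable of dicts with 'ts' (epoch seconds), 'session_id', 'ip' and
    'user_agent' (assumed field names). A context is (ip, user_agent); the same
    token arriving from a new context shortly after the old one is flagged, while
    long gaps are ignored as likely legitimate roaming between networks."""
    last_seen = {}   # session_id -> (timestamp, context) of the most recent request
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid, ctx = ev["session_id"], (ev["ip"], ev["user_agent"])
        prev = last_seen.get(sid)
        if prev is not None:
            prev_ts, prev_ctx = prev
            gap = ev["ts"] - prev_ts
            if ctx != prev_ctx and gap <= window_seconds:
                alerts.append({"session": fingerprint(sid), "previous": prev_ctx,
                               "current": ctx, "gap_seconds": gap})
        last_seen[sid] = (ev["ts"], ctx)
    return alerts


# Constructed access events (not real log data): one normal session, one session
# replayed from a second machine two minutes later, one user who roams two days later.
SAMPLE_EVENTS = [
    {"ts": 1_700_000_000, "session_id": "sess-legit-1", "ip": "198.51.100.10", "user_agent": "Firefox/130"},
    {"ts": 1_700_000_300, "session_id": "sess-legit-1", "ip": "198.51.100.10", "user_agent": "Firefox/130"},
    {"ts": 1_700_000_000, "session_id": "sess-victim-2", "ip": "203.0.113.7", "user_agent": "Chrome/129"},
    {"ts": 1_700_000_120, "session_id": "sess-victim-2", "ip": "192.0.2.55", "user_agent": "Chrome/118"},
    {"ts": 1_700_000_000, "session_id": "sess-roaming-3", "ip": "203.0.113.9", "user_agent": "Safari/17"},
    {"ts": 1_700_172_800, "session_id": "sess-roaming-3", "ip": "198.51.100.77", "user_agent": "Safari/17"},
]

if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

The heuristic trades false positives (mobile users changing networks) against missed replays, which is why the window is a parameter; binding sessions to a client context server-side and keeping cookie lifetimes short reduce the value of a stolen token regardless of detection.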

    HP’s review of publicly reported incident data found that more than half of the most prevalent malware families in the third quarter of 2025 were information stealers. The company put the figure at 57 per cent. Many of these tools collect authentication cookies, usernames, passwords, and financial details.

    Email and file trends

    The report highlighted shifts in how attackers deliver malware. HP said at least 11 per cent of email threats detected by its Sure Click technology had bypassed one or more email gateway scanners.

    Archive files were the most common delivery mechanism. They accounted for 45 per cent of threats in the period, a 5 percentage-point rise over the previous quarter. Attackers made greater use of archive formats such as .tar and .z when they targeted users.
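For the two archive-based patterns in this report, the password-protected archive that hides a modified DLL in the legal-threat campaign and the general rise of archives as a delivery mechanism, a gateway or endpoint can triage a ZIP without extracting it by reading the central directory: the encryption flag and the file names are stored in the clear even when the payload needs a password. The code below is an added example, not code from HP or HP Wolf Security; the sample archive, the entry names and the list of risky extensions are constructed assumptions.

```python
"""Triage a ZIP attachment without extracting it: flag entries marked encrypted
(password-protected) and entries with executable-style extensions.
Example code added for illustration; the sample archive is constructed inline."""
import io
import posixpath
import struct
import zipfile
import zlib

LOCAL_HEADER_SIG = 0x04034B50
CENTRAL_DIR_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
FLAG_ENCRYPTED = 0x0001                          # general-purpose flag bit 0: entry is encrypted
DOS_DATE = ((2025 - 1980) << 9) | (1 << 5) | 1   # 1 Jan 2025 in DOS date format
RISKY_EXTENSIONS = {".dll", ".exe", ".scr", ".js", ".vbs", ".lnk", ".hta"}  # assumed list


def build_zip(entries):
    """Build a minimal stored (uncompressed) ZIP from (name, data, encrypted) tuples.

    Constructed for the demo only: when 'encrypted' is True the header flag is set so
    the entry looks password-protected, but the bytes are not really encrypted,
    because the triage below never needs to open them."""
    out = io.BytesIO()
    central = []
    for name, data, encrypted in entries:
        name_b = name.encode("utf-8")
        flags = FLAG_ENCRYPTED if encrypted else 0
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = out.tell()
        out.write(struct.pack("<IHHHHHIIIHH", LOCAL_HEADER_SIG, 20, flags, 0,
                              0, DOS_DATE, crc, len(data), len(data), len(name_b), 0))
        out.write(name_b + data)
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_DIR_SIG, 20, 20, flags,
                                   0, 0, DOS_DATE, crc, len(data), len(data),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_offset = out.tell()
    cd_bytes = b"".join(central)
    out.write(cd_bytes)
    out.write(struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                          len(cd_bytes), cd_offset, 0))
    return out.getvalue()


def list_entries(zip_bytes):
    """Yield (name, flags) for every entry by walking the central directory by hand.

    Reading only headers works on any ZIP, including one whose contents cannot be
    opened without the password the lure hands out."""
    eocd_pos = zip_bytes.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_pos < 0:
        raise ValueError("not a ZIP archive: end-of-central-directory record missing")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<IHHHHIIH", zip_bytes[eocd_pos:eocd_pos + 22])
    pos = cd_offset
    for _ in range(total):
        fields = struct.unpack("<IHHHHHHIIIHHHHHII", zip_bytes[pos:pos + 46])
        if fields[0] != CENTRAL_DIR_SIG:
            raise ValueError("corrupt central directory")
        flags, name_len, extra_len, comment_len = fields[3], fields[10], fields[11], fields[12]
        name = zip_bytes[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, flags
        pos += 46 + name_len + extra_len + comment_len


def triage_attachment(zip_bytes):
    """Return which entries are encrypted, which look executable, and an overall flag.

    A password-protected archive that also carries an executable-style file matches
    the pattern in the campaign described above; isolate or block it rather than
    delivering it to the user's inbox."""
    encrypted, risky = [], []
    for name, flags in list_entries(zip_bytes):
        if flags & FLAG_ENCRYPTED:
            encrypted.append(name)
        if posixpath.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            risky.append(name)
    return {"encrypted": encrypted, "risky": risky,
            "suspicious": bool(encrypted) and bool(risky)}


def encrypted_entries_via_zipfile(zip_bytes):
    """Cross-check with the standard library: zipfile exposes the same flag bits."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & FLAG_ENCRYPTED]


# Constructed sample shaped like the lure: a decoy document plus a library file,
# both password-protected, next to a harmless plain-text entry (names are invented).
SAMPLE_ARCHIVE = build_zip([
    ("documents/notice.pdf", b"%PDF-1.4 placeholder", True),
    ("documents/library.dll", b"MZ placeholder", True),
    ("readme.txt", b"open the notice", False),
])

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_ARCHIVE))
```

The same header-only approach is what lets a gateway apply policy to archives it cannot open; for formats such as .tar and .z the container carries no encryption flag, so the practical equivalent is to list member names and nesting depth before deciding whether to detonate the file in isolation.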

    PDF files were also more often used in malicious activity. HP said 11 per cent of threats blocked by HP Wolf Security in the third quarter arrived as PDFs. This share was 3 percentage points higher than in the previous quarter.

    The company attributed its visibility into these techniques to its isolation-based approach. HP Wolf Security scans suspicious email attachments, web pages, and downloads within secure containers on user devices. Malware detonation inside these isolated environments produces data on attacker behaviour, while the host system remains protected.

    According to HP, customers have interacted with more than 55 billion email attachments, visited more than 55,000 websites, and downloaded more than 55,000 files under this model without reported breaches.

    Dr Ian Pratt, Global Head of Security for Personal Systems at HP, said security teams now face regular abuse of trusted brands and platforms.

    “With attackers abusing legitimate platforms, mimicking trusted brands and adopting convincing visual tricks, like animations, even strong detection tools will miss some threats. Security teams can’t predict every attack. But by isolating high-risk interactions, such as opening untrusted files and websites, organisations gain a safety net that contains threats before they can cause harm, without adding friction for users,” said Pratt.
