DIY hackers are turning to ‘flat-pack’ malware components to speed up attacks and cut costs

Cyber criminals are using “modular malware components” to create custom campaigns and speed up attacks, according to new research from HP.

Findings from HP Wolf Security’s latest Threat Insights Reportshow hackers are combining off-the-shelf malware components, usually purchased via cyber crime forums, to wage attacks against enterprises globally.

Researchers at the firm noted that while early-stage lures and final payloads typically change, attackers are “reusing the same intermediate scripts and installers”.

This means that threat actors are able to build, customize, and scale campaigns with little effort and at a rapid pace – and it’s a trend that’s gaining traction. HP said it has observed multiple unrelated groups using the same basic building blocks in several campaigns.

The emergence of this ‘flat-pack’ malware trend aligns closely with the increased use of AI among threat actors, according to HP. Findings from the Threat Insights Report show attackers are also using AI to automate malware delivery as part of a focus on ‘vibe-hacking’ techniques.

In one example cited by the company, threat actors used AI to create a fake invoice PDF which triggered a silent download from a compromised site. Thereafter, this redirected unsuspecting users to trusted platforms such as Booking.com to curb their suspicions.

Alex Holland, principal threat researcher at HP Security Lab, said the increased use of AI in malware operations, combined with the focus on ‘flat-pack’ components, shows threat actors are prioritizing faster attacks and cheaper costs.

“It’s the classic project management triangle – speed, quality, and cost,” he said. “You often sacrifice one of them. What we’re seeing is many attackers are optimizing for speed and cost, not quality.”

“They are not using AI to raise the bar; they’re using it to move faster and reduce effort.”

Holland further warned that although these campaigns are often basic in nature, the “uncomfortable reality is they still work”.

The HP research comes in the wake of repeated warnings over the use of AI to build and fine-tune malware. As ITPro reported last month, research from Zscaler shows hackers are leveraging the technology to create more potent malware strains.

Google also warned that threat actors were found abusing its Gemini AI models to build malware in early February.

The use of AI in this instance also goes beyond building malware, however, with the technology also used during the early research and development stages.

Analysis from Trend Micro in September 2025 warned that hackers were ‘vibe coding’ malware by using AI to dissect publicly available threat intelligence reports.

This, Trend Micro noted, allowed threat actors to essentially reverse engineer malware strains based on technical blogs from industry stakeholders, create “partial malicious” code, and even mimic other group’s TTPs.

Ian Pratt, global head of security for personal systems at HP, said the firm’s research highlights the significant risks now posed by threat actors using AI.

“When attackers can generate and repackage malware in minutes, detection-based defences can’t keep up,” he said. “Instead of trying to spot every variant, organizations need to reduce exposure.”

Reducing exposure in this sense can be as simple as “containing high-risk activities” such as warning staff not to open untrusted attachments or clicking unknown links – typical advice given by most enterprises yet often still the source of breaches.

Separate analysis from the firm showed 14% of email threats identified by HP Sure Click bypassed one or more email gateway scanners, underlining the increasing success rates of threat actors.

FOLLOW US ON SOCIAL MEDIA

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.