- Legitimate software is now the most dangerous weapon in a hacker’s arsenal, warns HP
- Tax Deadline Phishing Emails Are Opening Doors Security Scanners Never Catch
- Fake Dating App Downloads Give Attackers Full Remote Access Instantly
Experts have warned that cybercriminals are exploiting legitimate remote access applications such as LogMeIn and ScreenConnect to take control of victims’ devices without triggering standard security alerts.
HP’s latest Threat Insights report, covering January to March 2026, documents how attackers deliberately combine malicious activity with normal IT behavior to avoid detection.
The report is based on data from millions of endpoints running HP Wolf Security during the period analyzed and found that the campaigns follow a consistent pattern based on social engineering rather than technical exploits.
How trust becomes the weapon
Legitimate software becomes the perfect disguise precisely because security tools are less likely to flag applications they already recognize and trust.
When an attacker controls a familiar remote access tool on a victim’s device, nothing in the security stack raises an alarm.
That invisibility starts from the first step: attackers used fiscal year-end phishing emails and fake downloads of desktop applications, including installers for fraudulent dating websites, to persuade users to install remote access tools that the attackers control.
Once installed, those tools gave attackers full control of the device while appearing indistinguishable from routine IT activity.
“What stands out in these campaigns is how easily legitimate remote access tools become entry points for attackers,” said Patrick Schläpfer, principal threat researcher at HP Security Lab.
“By combining trusted software with carefully designed social engineering, tied to events like the end of the fiscal year, it is becoming even more difficult to distinguish what can be trusted and what cannot.”
Separate campaigns discovered in the same period used fake cryptocurrency wallet recovery tools distributed through code-sharing platforms and media download sites.
Those tools, instead of helping users recover lost wallets, collected credentials, wallet data, and system information before packaging everything into files for exfiltration.
The emoji-heavy scripts used in these attacks showed features consistent with AI-assisted coding.
This suggests that vibe coding tools are now lowering the barrier to creating functional malware.
Malware hides in plain sight
The HP report also documented ClickFix campaigns that disguised malware as audio files through convincing fake websites and realistic CAPTCHA prompts.
Victims unknowingly execute malicious code in the background while believing they are completing routine security checks.
At least 11% of email threats identified by HP Wolf Security during the period bypassed one or more email gateway scanners.
Executable files accounted for the highest proportion of malware delivery at 39%, followed by archive files at 38% and PDF documents at 10%.
“These attacks don’t look like intrusions: they look like business as usual, blending in with normal IT activity and avoiding the warning signs associated with malware,” said Alex Holland, principal threat researcher at HP Security Lab.
Holland added that organizations should restrict unnecessary privileges, control software installation, and isolate risky activities such as unknown downloads and links.
Enterprise security teams are advised to adjust their defenses to account for attacks that appear legitimate, rather than suspicious.
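One concrete way to act on the "control software installation" advice is to check every remote access tool install against IT's own deployment records. The example below is added here and is not code from HP or TechRadar; the product patterns, the install-event log format, the approved-deployment set and the sample events are all constructed assumptions.

```python
"""Flag remote access tool installs that IT did not deploy (added example)."""
import re

# Remote access products to track (label -> pattern); constructed list.
REMOTE_ACCESS_TOOLS = {
    "screenconnect": re.compile(r"screenconnect", re.I),
    "logmein": re.compile(r"logmein", re.I),
}

# (host, tool) pairs that IT legitimately deployed; constructed inventory.
APPROVED = {("WS-FINANCE-07", "screenconnect")}

# Constructed install events: time|host|user|product|installer path
SAMPLE_EVENTS = """\
2026-02-12T09:14:02|WS-FINANCE-07|svc-helpdesk|ScreenConnect Client|C:\\ProgramData\\IT\\sc.msi
2026-02-12T10:41:55|WS-FINANCE-12|j.doe|ScreenConnect Client|C:\\Users\\j.doe\\Downloads\\FY-End-Tax-Forms.exe
2026-02-13T17:03:19|WS-HR-03|m.lee|LogMeIn Rescue|C:\\Users\\m.lee\\Downloads\\DatingApp_Setup.exe
2026-02-13T17:05:00|WS-HR-03|m.lee|7-Zip|C:\\Users\\m.lee\\Downloads\\7z.exe
"""


def classify_tool(product):
    """Return the tracked tool label for a product name, or None."""
    for label, pattern in REMOTE_ACCESS_TOOLS.items():
        if pattern.search(product):
            return label
    return None


def find_unapproved_installs(events, approved):
    """Return install events of tracked tools with no IT deployment record
    or launched from a user's Downloads folder (a phishing-delivery hint)."""
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, host, user, product, path = line.split("|", 4)
        label = classify_tool(product)
        if label is None:
            continue  # not a remote access tool, nothing to check
        reasons = []
        if (host, label) not in approved:
            reasons.append("no IT deployment record for this host")
        if "\\downloads\\" in path.lower():
            reasons.append("installer launched from a user Downloads folder")
        if reasons:
            findings.append({"time": ts, "host": host, "user": user,
                             "tool": label, "reasons": reasons})
    return findings
```

The approved install on WS-FINANCE-07 passes silently; the two user-downloaded installers are returned with both reasons attached, which is the signal a SOC would route to triage rather than relying on the antivirus verdict on a trusted binary.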