HP Wolf Security Threat Insights Report: December 2025 | HP Wolf Security

HP Wolf Security Threat Insights Report: December 2025

Welcome to the December 2025 edition of the HP Wolf Security Threat Insights Report. In the report, we review notable malware campaigns, trends and techniques identified from HP Wolf Security’s customer telemetry in calendar Q3 2025.

Key Findings

  • In Q3, the HP Threat Research team uncovered a large South American malware campaign impersonating the Colombian Public Prosecutor’s Office. Attackers used convincing email lures with animations and SVG attachments. Victims were redirected to download an encrypted archive containing a signed executable and a tampered DLL (T1218), enabling DLL sideloading (T1574.001) to evade Windows SmartScreen. The SVG files were poorly detected by antivirus scanners, highlighting the limitations of detection-based security.
  • Reflecting a growing trend toward hyper-realistic social engineering, attackers distributed Adobe-branded PDFs via email that redirected users to a fake update page with highly realistic animated installation screens. The lure delivered a modified version of ScreenConnect that gave remote access to attackers.
  • In August, HP Wolf Security caught phishing campaigns impersonating a major engineering supplier that targeted Turkish companies. The attack delivered XZ archives containing Visual Basic scripts that initiated a multi-stage infection chain and hid malicious code inside an image (T1027.003).
  • Attackers used PDF email lures and files hosted on Discord (T1608.001) to spread Phantom Stealer, using a signed Microsoft executable (T1218) and DLL sideloading (T1574.001) to evade security controls. The malware bypassed Windows 11’s Memory Integrity protection before injecting .NET code (T1055), enabling theft of credentials, payment data and cryptocurrency wallets.
  • Macro-based malware (T1059.005) remains an active threat, with attackers exploiting misconfigured environments to deliver malicious Office documents. HP Sure Click isolated a campaign targeting Chinese-speaking organizations with fake purchase orders. The documents relied on VBA macros to deploy Agent Tesla.
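Two of the findings above (the Colombian Public Prosecutor’s Office lure and the Phantom Stealer campaign) rely on the same trick: a legitimately signed executable dropped into a user-writable folder next to a tampered DLL that it loads (T1574.001). The following detection heuristic is an added example written for this summary, not code from HP or from the report; it runs over a constructed, simplified image-load event schema (process path and signature state, loaded DLL path and signature state) rather than real telemetry, and treats any directory outside the Windows and Program Files trees as user-writable.

```python
from pathlib import PureWindowsPath

# Directories where signed vendor binaries normally live. Anything else is
# treated as user-writable for this heuristic (simplification: no ACL check).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def is_suspicious_sideload(event: dict) -> bool:
    """Flag a signed process outside a trusted tree that loads an unsigned DLL
    from its own directory: the pattern a signed EXE + tampered DLL pair produces."""
    proc = PureWindowsPath(event["process_path"])
    dll = PureWindowsPath(event["dll_path"])
    same_dir = str(proc.parent).lower() == str(dll.parent).lower()
    return (event["process_signed"]
            and not event["dll_signed"]
            and same_dir
            and not in_trusted_dir(event["process_path"]))


def find_sideloads(events: list[dict]) -> list[dict]:
    return [e for e in events if is_suspicious_sideload(e)]


# Constructed sample events (hypothetical paths, not indicators from the report).
SAMPLE_EVENTS = [
    # signed EXE and unsigned DLL together in a temp folder -> should be flagged
    {"process_path": r"C:\Users\ana\AppData\Local\Temp\Update\vendor.exe", "process_signed": True,
     "dll_path": r"C:\Users\ana\AppData\Local\Temp\Update\version.dll", "dll_signed": False},
    # same EXE loading the genuine signed system DLL -> benign
    {"process_path": r"C:\Users\ana\AppData\Local\Temp\Update\vendor.exe", "process_signed": True,
     "dll_path": r"C:\Windows\System32\version.dll", "dll_signed": True},
    # signed EXE in Program Files loading its own signed DLL -> benign
    {"process_path": r"C:\Program Files\Vendor\vendor.exe", "process_signed": True,
     "dll_path": r"C:\Program Files\Vendor\helper.dll", "dll_signed": True},
    # unsigned EXE loading an unsigned DLL -> not a sideload by this rule
    # (the unsigned process is a separate, simpler signal)
    {"process_path": r"C:\Users\ana\Downloads\tool.exe", "process_signed": False,
     "dll_path": r"C:\Users\ana\Downloads\tool.dll", "dll_signed": False},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL sideload:", hit["process_path"], "->", hit["dll_path"])
```

In production this check belongs on image-load telemetry (for example Sysmon Event ID 7 with signature fields enabled), where the signature state of the loaded module is recorded rather than assumed as in the constructed events here.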

Read the Report

Download the report: HP Wolf Security Threat Insights Report: December 2025

Download (PDF)

You can download and read our previous Threat Insights Reports here.
