Itdaily - HP: “Attackers abuse remote access tools as a digital backdoor”

Cybercriminals are increasingly using legitimate remote access tools, fake downloads, and social engineering to take control of PCs. The latest HP Threat Insights Report shows that malicious activities are becoming harder to distinguish from normal user behavior.

Research from HP Wolf Security reveals that attackers are using phishing emails related to tax returns, fake dating app downloads, and fraudulent crypto wallet tools. These methods exploit trusted software to gain long-term access to devices.

The report analyzes cyberattacks from the first three months of 2026 and demonstrates how attackers bypass detection by disguising malicious activities as legitimate behavior.

Remote access tools and crypto wallet theft

Attackers abuse applications such as LogMeIn and ScreenConnect to gain control over victims unnoticed. Users are lured into installing these tools via phishing emails and fake downloads. Once installed, the activities blend into regular IT processes, making them difficult to detect.

Additionally, cybercriminals are using fraudulent tools for recovering crypto wallets. These tools, often distributed via coding platforms, steal login credentials and wallet information. The use of scripts full of emojis is striking, suggesting that vibe coding was involved.

Malware disguised as audio files

The ClickFix campaigns disguise malware as audio files. Realistic CAPTCHA requests on fake websites mislead victims into executing malicious code. The payloads run unnoticed in the background, making detection more difficult.

In the Threat Insights Report, HP advises limiting unnecessary user privileges and monitoring software installations more closely. High-risk activities, such as downloading files and opening unknown links, should be isolated. Detection alone is insufficient when attackers use legitimate tools as a backdoor.