HP warns of ultra-realistic PDF invoice lures exploiting ‘living-off-the-land’ techniques

The HP report uncovered cybercriminals hiding malicious code in pixel image data to infect users, then deleting the evidence to cover their tracks

by Neesha Salian, September 16, 2025

Technology giant HP said on Monday that cyber attackers are refining age-old phishing and “living-off-the-land” (LOTL) techniques to bypass traditional detection tools, using highly polished fake PDF invoices and malware hidden in image files, according to its latest Threat Insights Report.

LOTL techniques, in which attackers abuse legitimate tools and features already built into Windows, have long been part of cybercriminals’ playbooks. But HP researchers said increasingly complex campaigns that chain multiple, often uncommon, binaries are making it harder to tell malicious activity from legitimate operations.

From fake PDF invoices to embedded malicious code: what fraudsters are using now

The report highlighted a new wave of sophisticated social engineering lures. In one campaign, attackers embedded a reverse shell in a small SVG image disguised as a realistic Adobe Acrobat Reader invoice, complete with a fake loading bar to make the fake invoice look as if it were loading. The downloads were geo-fenced to German-speaking regions to hinder automated analysis and delay detection.

Other attacks hid malicious code in the pixel data of images packaged inside Microsoft Compiled HTML Help (CHM) files. That code drove multi-step infection chains built on LOTL tools such as PowerShell and CMD scripts, which then erased traces of the attack.

HP also observed the resurgent Lumma Stealer malware spreading via IMG disk-image files, continuing operations despite a law enforcement crackdown in May.
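The SVG lure described above works because SVG is XML that can carry script, event handlers and links, not just shapes, and a renderer that honours the SVG script model (a browser, or an application embedding one) will execute them. The following is an added example, not HP's code or anything taken from the report: a triage check that flags an SVG attachment as "a document, not a picture" when it contains script elements, on* handler attributes, javascript: URLs, foreignObject wrappers or external loads. The two sample SVGs are constructed for illustration; the lure's script is a harmless stand-in that only animates the loading bar, and the report does not say how the real payload was structured.

```python
"""Triage check for SVG 'image' attachments that carry active content.

Added example, not code from HP or from the Threat Insights Report.
The sample SVGs below are constructed; the lure's script is a harmless stand-in.
"""
import re
import xml.etree.ElementTree as ET

EXTERNAL_URL = re.compile(r"^(?:https?:)?//", re.IGNORECASE)


def find_active_content(svg_text):
    """Return a list of findings describing script, handlers or external loads in an SVG.

    Plain image viewers generally ignore all of these, which is exactly why a lure
    wants the victim to open the SVG in a browser or document viewer instead.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A file that claims to be SVG but is not well-formed XML deserves a look too.
        return ["not well-formed XML: %s" % exc]

    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()            # strip the XML namespace
        if tag == "script":
            findings.append("script element")
        elif tag == "foreignobject":
            findings.append("foreignObject element (may wrap arbitrary HTML)")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()            # covers both href and xlink:href
            value = value.strip()
            if name.startswith("on"):
                findings.append("event handler %s on <%s>" % (name, tag))
            elif name == "href" and value.lower().startswith("javascript:"):
                findings.append("javascript: URL on <%s>" % tag)
            elif name == "href" and tag in ("image", "use", "script") and EXTERNAL_URL.match(value):
                findings.append("external %s reference: %s" % (tag, value))
    return findings


def is_suspicious(svg_text):
    """True when the SVG should be handled as a document rather than as an image."""
    return bool(find_active_content(svg_text))


# Constructed sample: a plain vector graphic with no active content.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="120" height="40">'
    '<rect width="120" height="40" fill="#1473e6"/>'
    '<text x="10" y="25" fill="white">Invoice</text>'
    '</svg>'
)

# Constructed sample modelled on the lure the report describes: a fake Acrobat
# "loading" screen. The script here only animates the bar; the report states a
# reverse shell was embedded, but not how it was laid out (assumption: a script element).
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="400">
  <text x="20" y="40">Adobe Acrobat Reader - loading invoice...</text>
  <rect id="bar" x="20" y="60" width="0" height="10" fill="#1473e6"/>
  <script><![CDATA[
    var w = 0, t = setInterval(function () {
      w += 5; document.getElementById("bar").setAttribute("width", w);
      if (w >= 560) clearInterval(t);
    }, 50);
  ]]></script>
  <a xlink:href="javascript:void(0)"><text x="20" y="100" onclick="void(0)">Open</text></a>
</svg>"""


if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, "->", find_active_content(svg) or "no active content")
```

Run as a script it reports nothing for the benign file and three findings for the lure (the script element, the javascript: link and the onclick handler). The check is deliberately conservative: it does not try to decide whether the script is malicious, only whether the "image" can run code at all, which is the property a mail gateway or browser isolation policy can act on.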
“Attackers aren’t reinventing the wheel, but they are refining their techniques,” said Alex Holland, Principal Threat Researcher at HP Security Lab. “We’re seeing more chaining of living-off-the-land tools and use of less obvious file types, such as images, to evade detection. Take reverse shells – a simple script can achieve the same effect as a full RAT, slipping under the radar.”

HP said these campaigns illustrate the increasing creativity and adaptability of threat actors, who tailor attacks to regions and abuse trusted system tools to avoid detection. The company said its HP Wolf Security platform lets malware detonate safely in isolated micro-virtual machines, giving insight into evolving attack methods without endangering customers.

According to the report, data from April to June showed that at least 13 per cent of email threats bypassed one or more email gateway scanners. Archive files were the most popular delivery type (40 per cent), followed by executables and scripts (35 per cent). Attackers increasingly used .rar files, relying on the trust users place in WinRAR to avoid suspicion.

Living off the land techniques pose challenges

“Living off the land techniques are notoriously difficult for security teams because it’s hard to tell legitimate activity from attacks,” said Dr Ian Pratt, global head of Security for Personal Systems at HP. “Even the best detection will miss some threats, so defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm.”

The HP report analysed data from consenting HP Wolf Security customers between April and June this year.
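The delivery statistics above (archives first, .rar on the rise, IMG disk images for Lumma Stealer, CHM files for the pixel-hidden code) all exploit the gap between what an attachment is named and what it actually is. An added example, not HP's code or anything from the report, of the content-based check that closes that gap: it recognises the container formats the report names by their documented file signatures (RAR, ZIP, CHM, ISO 9660 disk images, PE executables, PDF, SVG) and flags a file whose extension disagrees with its bytes. The sample blobs are constructed minimal headers, not real files.

```python
"""Identify attachment containers by content rather than by file extension.

Added example, not code from HP or from the Threat Insights Report. Signatures are
the documented file magic for each format; the sample blobs are constructed stand-ins.
"""
import os

# ISO 9660 puts the primary volume descriptor at sector 16 (16 * 2048 = 0x8000);
# byte 0 of it is the type (1) and bytes 1..5 are the identifier 'CD001'.
ISO_PVD_OFFSET = 0x8001


def identify_container(data):
    """Return a short format label for the given bytes, or 'unknown'."""
    if data.startswith(b"Rar!\x1a\x07\x01\x00"):
        return "rar5"
    if data.startswith(b"Rar!\x1a\x07\x00"):
        return "rar4"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"ITSF"):
        return "chm"            # Microsoft Compiled HTML Help
    if data.startswith(b"MZ"):
        return "pe"             # Windows executable or DLL
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 5] == b"CD001":
        return "iso9660"        # .iso / .img disk image (UDF-only images need a separate check)
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head):
        return "svg"
    return "unknown"


# Extensions a gateway should expect for each detected format.
EXPECTED_EXTENSIONS = {
    "rar4": {".rar"}, "rar5": {".rar"}, "zip": {".zip"}, "chm": {".chm"},
    "pe": {".exe", ".dll", ".scr"}, "pdf": {".pdf"},
    "iso9660": {".iso", ".img"}, "svg": {".svg"},
}

# Formats that can carry another file (and so smuggle a payload past extension filters).
CONTAINER_TYPES = {"rar4", "rar5", "zip", "chm", "iso9660"}


def extension_mismatch(filename, data):
    """True when the claimed extension does not match what the bytes actually are."""
    kind = identify_container(data)
    if kind == "unknown":
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext not in EXPECTED_EXTENSIONS[kind]


def triage(filename, data):
    """Summarise one attachment: detected type, whether the name lies, whether it is a container."""
    kind = identify_container(data)
    return {
        "name": filename,
        "type": kind,
        "extension_mismatch": extension_mismatch(filename, data),
        "container": kind in CONTAINER_TYPES,
    }


# Constructed sample blobs: only the header bytes needed for identification.
SAMPLES = {
    "Rechnung_2025.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24,
    "invoice.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "help.chm": b"ITSF" + b"\x00" * 60,
    "update.img": b"\x00" * ISO_PVD_OFFSET + b"CD001\x01" + b"\x00" * 32,
    "invoice.pdf": b"MZ" + b"\x00" * 62,          # an executable renamed to look like a PDF
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage(name, blob))
```

The point of the content check is that it does not care which trusted program would later open the file: a .rar identified by its signature is an archive whether or not WinRAR is installed, and an IMG file is a mountable disk image regardless of the icon Windows shows for it. Double extensions, password-protected archives and nested containers are separate checks layered on top of this one.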