Cybercriminals use fake invoices & images to outsmart defences
HP Wolf Security has reported a surge in the use of ultra-realistic Adobe Reader invoice files by cybercriminals to deceive users into downloading malware.
The company's latest Threat Insights Report examines the evolution of techniques such as living-off-the-land (LOTL), where attackers exploit legitimate software and Windows features to carry out their operations while evading cyber security tools. The report highlights how a new generation of sophisticated phishing lures and malware distribution tactics is creating challenges for security teams in businesses globally.
Polished lures
Among the campaigns identified, cybercriminals are embedding scripts in SVG image files that convincingly imitate Adobe Acrobat Reader invoice documents. Each file displays a forged upload screen, including a fake loading bar, to convince victims that they are interacting with a legitimate PDF. Once opened, the files trigger an infection chain controlled by the attackers.
The perpetrators have also applied geofencing, limiting the attack to German-speaking regions, a move intended to reduce exposure, disrupt automated analysis, and delay detection. According to the report, these types of carefully orchestrated lures exploit trust in familiar applications, raising the risk that users will unwittingly activate malware.
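A defender-side check for the SVG lures described above, added here as example code that is not part of HP's report or tooling: it parses an SVG and flags the active content such a lure depends on (inline script elements, on* event-handler attributes, javascript: URIs, foreignObject), which goes slightly beyond the scripts the report mentions. The sample SVG is constructed for the example and its script body is an inert placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an SVG that draws a fake "Invoice ... Loading" screen and
# carries an inline <script>. The script body is an inert placeholder, not malware.
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="400">
  <text x="40" y="60">Invoice_2025.pdf - Loading...</text>
  <rect x="40" y="80" width="300" height="12" fill="#ddd" onclick="run()"/>
  <script type="text/javascript"><![CDATA[ /* constructed placeholder */ ]]></script>
  <a xlink:href="javascript:void(0)"><text x="40" y="120">Open document</text></a>
</svg>"""

# Constructed benign control: plain vector art with no active content.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

ACTIVE_ELEMENTS = {"script", "foreignobject"}


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree attaches to tags and attributes."""
    return qualified.split("}")[-1].lower()


def scan_svg(svg_text):
    """Return a list of findings describing active content in an SVG document.

    An empty list means nothing script-like was found; any finding is a reason
    to quarantine the file rather than render it in a browser or mail client.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = local_name(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element present")
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):  # onclick, onload, onmouseover, ...
                findings.append(f"event handler '{name}' on <{tag}>")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in href on <{tag}>")
    return findings


def is_suspicious(svg_text):
    """Simple verdict helper: True if any active content was found."""
    return bool(scan_svg(svg_text))


if __name__ == "__main__":
    for finding in scan_svg(SUSPICIOUS_SVG):
        print("FLAG:", finding)
    print("benign sample suspicious:", is_suspicious(BENIGN_SVG))
```

Run at a mail gateway or on a sandbox share, the same checks apply to SVGs embedded in HTML attachments once they are extracted.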
Image files and evidence deletion
The report also notes incidents where attackers concealed malware within individual image pixels inside Microsoft Compiled HTML Help files. Disguised as standard project documentation, these files hid an XWorm payload. Once on a victim's device, the malware was extracted from the pixel data and executed, using several LOTL tactics to evade detection. Attackers then employed PowerShell to run a CMD file that deleted digital traces of the attack from the impacted system.
This embedding of code within non-traditional file types such as SVG and image files marks a diversification of methods as attackers look for ways to bypass detection mechanisms that typically scan for suspicious code in documents and executables.
Lumma Stealer resurgence
Despite a law enforcement push against the Lumma Stealer malware in May 2025, the report finds that this threat remains active. The malware has regularly appeared in campaigns during June, distributed via image-based delivery and archive files such as IMG attachments. Attackers continue to register new web domains and expand their infrastructure to facilitate these campaigns, utilising LOTL approaches and exploiting trusted system components to sidestep security filters.
Expert insights
"Attackers aren't reinventing the wheel, but they are refining their techniques. Living-off-the-land, reverse shells and phishing have been around for decades, but today's threat actors are sharpening these methods. We're seeing more chaining of living-off-the-land tools and use of less obvious file types, such as images, to evade detection. Take reverse shells as an example – you don't have to drop a fully-fledged RAT when a simple, lightweight script will achieve the same effect. It's simple, fast and often slips under the radar because it's so basic."
Alex Holland, Principal Threat Researcher at HP Security Lab, shared these observations. He further notes the increasing creativity and regional targeting by threat actors, saying that alterations in attack tactics are hampering traditional detection tools.
HP Wolf Security runs analysis from millions of endpoints, isolating threats that evade standard detection mechanisms, allowing for secure examination of malware techniques. The current report, covering April to June 2025, highlights the continued diversity of attack types, with cybercriminals seeking to overcome detection-based protections.
HP's research found that 13% of email threats identified by HP Sure Click were able to bypass at least one email gateway scanner. Archive files made up the most common form of delivery for attacks at 40%, followed by executables and scripts at 35%. Use of .rar archive formats accounted for 26%, pointing to a reliance on commonly trusted software like WinRAR to avoid raising suspicion among users and security systems.
"Living off the land techniques are notoriously difficult for security teams because it's hard to tell green flags from red – i.e. legitimate activity versus an attack. You're stuck between a rock and a hard place – lock down activity and create friction for users and tickets for the SOC or leave it open and risk an attacker slipping through. Even the best detection will miss some threats, so defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm."
This perspective was provided by Dr. Ian Pratt, Global Head of Security for Personal Systems at HP.
The report concludes that cybercriminals remain persistent in their efforts to bypass established security, making use of increasingly nuanced and regionally tailored methods, and adopting new file types and delivery methods to reduce the effectiveness of detection tools alone.