HP Wolf Security Threat Insights Report: December 2025

Welcome to the December 2025 edition of the HP Wolf Security Threat Insights Report. In the report, we review notable malware campaigns, trends and techniques identified from HP Wolf Security’s customer telemetry in calendar Q3 2025.

Key Findings:

  • In Q3, the HP Threat Research team uncovered a large South American malware campaign impersonating the Colombian Public Prosecutor’s Office. The attackers used convincing email lures with animations and SVG attachments that redirected victims to download an encrypted archive containing a legitimately signed executable and a tampered DLL. Because the archive is encrypted, gateway scanners cannot inspect its contents; the signed executable passes Windows SmartScreen, and when launched it loads the tampered DLL placed beside it (DLL sideloading, T1574.001), so the malicious code runs under a trusted signed process (T1218). The SVG files were poorly detected by antivirus scanners, highlighting the limitations of detection-based security.
  • Reflecting a growing trend toward hyper-realistic social engineering, attackers distributed Adobe-branded PDFs by email that redirected users to a fake update page with highly realistic animated installation screens. The lure delivered a modified build of ScreenConnect, a legitimate remote support tool, giving the attackers remote access to the victim’s machine.
  • In August, HP Wolf Security caught phishing campaigns impersonating a major engineering supplier and targeting Turkish companies. The emails delivered XZ archives containing Visual Basic scripts that started a multi-stage infection chain, with a later stage hidden inside an image file (steganography, T1027.003).
  • Attackers spread Phantom Stealer with PDF email lures and payloads hosted on Discord (T1608.001), again pairing a signed Microsoft executable (T1218) with DLL sideloading (T1574.001) to slip past security controls. The malware bypassed Windows 11’s Memory Integrity protection before injecting .NET code into a process (T1055), enabling theft of credentials, payment data and cryptocurrency wallets.
  • Macro-based malware (T1059.005) remains an active threat: although Office blocks VBA macros in files downloaded from the internet by default, attackers continue to target environments where that protection has been relaxed. HP Sure Click isolated a campaign targeting Chinese-speaking organizations with fake purchase orders whose VBA macros deployed Agent Tesla.
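Two of the campaigns above turn on SVG attachments that antivirus engines scored poorly. SVG is XML, so a mail gateway can at least triage attachments structurally before deciding whether to deliver, quarantine or open them in isolation. The following Python script is an added example, not code from the HP Wolf Security report or from HP; the indicator list is a generic starting point rather than the report's detection logic, and both SVG samples are constructed for illustration.

```python
"""Heuristic triage of SVG e-mail attachments (added example, not HP's code).

Flags the structural features that let an SVG behave like a web page when a
victim opens it in a browser: script elements, event-handler attributes,
embedded HTML, javascript:/data: URIs and clickable external links.
"""
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 2 * 1024 * 1024  # refuse to parse oversized attachments (assumed limit)

# SVG/HTML event-handler attributes all start with "on" (onload, onclick, ...).
EVENT_ATTRS = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def svg_indicators(data: bytes) -> list[str]:
    """Return the reasons an SVG attachment should be treated as suspicious.

    An empty list means no indicator fired; it does not prove the file is safe.
    """
    findings: list[str] = []
    if len(data) > MAX_BYTES:
        return ["oversized attachment (not parsed)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Browsers are forgiving; a file that is not well-formed XML but still
        # renders is itself a sign of parser evasion.
        return ["malformed XML (possible parser evasion)"]

    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> (embeds HTML content)")
        elif tag in ("iframe", "embed", "object", "meta"):
            findings.append(f"HTML <{tag}> inside SVG")

        for attr, value in el.attrib.items():
            name = _local(attr)
            if EVENT_ATTRS.match(name):
                findings.append(f"event handler {name}= on <{tag}>")
            if name in ("href", "src"):
                v = value.strip().lower()
                if v.startswith("javascript:"):
                    findings.append(f"javascript: URI in {name} on <{tag}>")
                elif v.startswith("data:"):
                    findings.append(f"data: URI in {name} on <{tag}> (embedded payload)")
                elif tag == "a" and v.startswith(("http://", "https://")):
                    findings.append(f"clickable external link {value.strip()}")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway decision helper: anything with an indicator goes to isolation."""
    return bool(svg_indicators(data))


# Constructed samples (not real campaign artefacts).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
</svg>"""

LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="window.location='https://example.invalid/download'">
  <script>document.body.innerHTML='';</script>
  <a xlink:href="https://example.invalid/download"><text x="10" y="20">Ver documento</text></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, "->", svg_indicators(sample) or "no indicators")
```

Run against the constructed samples, the benign drawing produces no indicators and the lure produces three (the `onload` redirect, the `<script>` element and the clickable external link). Treat a hit as a routing decision, not a verdict: the check catches the plain structures these lures rely on, but an attacker can hide the same behaviour behind entity encoding or a base64 `data:` URI, which is exactly why the report argues for isolating such attachments rather than trusting a scanner to clear them.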

