Attacks use remote access tools to evade detection

Wed, 17th Jun 2026
Sean Mitchell, Publisher

HP Wolf Security has published its latest Threat Insights Report, which warns that attackers are increasingly using legitimate remote access tools to gain access to users' PCs.

Based on data gathered from January to March 2026, the findings also detail fake crypto wallet recovery tools, malware disguised as audio files, and phishing lures tied to the end of the tax year.

Cybercriminals are using applications such as LogMeIn and ScreenConnect to take control of devices while avoiding suspicion, researchers found. In the campaigns analysed, victims were persuaded to install the software through phishing emails and fake desktop app downloads, including downloads linked to dating websites.

Once installed, the remote access software gave attackers persistent control of machines while making their activity resemble ordinary IT administration. This made malicious behaviour harder for users and security teams to distinguish from routine business activity.

Remote access

The report places particular emphasis on the use of trusted tools rather than custom malware. By relying on software many organisations already recognise, attackers can reduce the chances of triggering alerts associated with more obvious malicious programs.

At least 11% of email threats identified by HP Sure Click bypassed one or more email gateway scanners, HP said. Executable files accounted for 39% of malware delivery, followed by archive files at 38% and PDF documents at 10%.

PDF-based malware rose by 2%, with lures such as court documents and bonus payments designed to create urgency. These themes were used to prompt users to open files or follow links without close scrutiny.

Crypto lure

Another campaign tracked by HP researchers involved fake crypto wallet recovery tools. Presented as a way for users to recover lost digital wallets, they were instead designed to steal credentials, wallet information and system data.

These tools were often distributed through code-sharing platforms and media download sites, the report found. Researchers added that the scripts were heavy with emoji and appeared to be examples of AI-assisted "vibe coding", suggesting attackers may be using automated or semi-automated methods to assemble parts of their operations.

The malicious scripts collected information from infected systems before packaging the data into archive files for exfiltration, according to the report. The use of familiar online platforms and a plausible recovery pitch appears aimed at users already under pressure to regain access to lost assets.

ClickFix tactic

Researchers also identified ClickFix campaigns in which malware was disguised as audio files. Victims were directed to fake websites featuring realistic CAPTCHA prompts that led them to run malicious commands.

In those incidents, the disguised payloads were executed in the background after users interacted with the prompts. The design of the websites and the use of familiar verification steps made the attack chain appear credible, the report said.

Patrick Schläpfer, Principal Threat Researcher at HP Security Lab, outlined the pattern seen across the campaigns.

"What stands out in these campaigns is how easily legitimate remote access tools are being turned into entry points for attackers. By combining trusted software with carefully designed social engineering - tied to events like the end of the tax year - it's getting even harder to distinguish what can and can't be trusted," said Schläpfer.

The data comes from millions of endpoints running HP Wolf Security, the company said. Customers have clicked on more than 60 billion email attachments, web pages and downloaded files with no reported breaches, according to HP.

Detection limits

The report argues that conventional detection measures are under strain when malicious activity is presented as normal user or administrator behaviour. If the software involved is legitimate and widely used, the warning signs can be less obvious than in traditional malware incidents.
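The report's point that a sanctioned tool can hide an intrusion suggests what a detection rule has to key on: not the product name alone, but how the software arrived and where it is running from. As an added illustration (not code from HP or the Threat Insights Report), the Python below evaluates constructed endpoint process events against an assumed organisational policy: which remote access products are approved, the path they are expected to run from, and which parent processes mark a user-driven install rather than a managed deployment. The event fields, the policy values, the deployment path and the sample events are all assumptions made for the example; only the product names LogMeIn and ScreenConnect come from the report.

```python
"""Flag remote access tool activity that did not arrive through the sanctioned
deployment channel.  All policy values and sample events below are constructed
for this example; they are not from the HP report."""
from dataclasses import dataclass

# Executable names for the two products named in the report (assumed file
# names, mapped to a product label).
RMM_TOOLS = {
    "logmein.exe": "LogMeIn",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
}

# Assumed organisational policy: only ScreenConnect is approved, and only when
# running from the system-wide install location written by the deployment tool.
SANCTIONED_TOOLS = {"ScreenConnect"}
SANCTIONED_PREFIXES = (r"c:\program files\screenconnect client",)

# Parents that indicate a person clicked something (browser, mail client,
# shell) instead of a managed install running as a service.
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                       "outlook.exe", "explorer.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the new process
    parent_image: str   # full path of the process that started it


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rmm_name(image):
    """Product label if the image is a known remote access tool, else None."""
    return RMM_TOOLS.get(_basename(image))


def assess(event):
    """Return (severity, reason) for a suspicious event, or None if benign."""
    tool = rmm_name(event.image)
    if tool is None:
        return None                      # not a remote access tool at all
    parent = _basename(event.parent_image)
    if tool not in SANCTIONED_TOOLS:
        return ("high", f"{tool} is not an approved remote access tool")
    if parent in USER_FACING_PARENTS:
        return ("high", f"{tool} launched from {parent}: user-driven install, "
                        f"not a managed deployment")
    if not event.image.lower().startswith(SANCTIONED_PREFIXES):
        return ("medium", f"{tool} running from unexpected location "
                          f"{event.image}")
    return None                          # approved tool, expected path, service parent


def scan(events):
    """Run assess() over a batch and return (host, severity, reason) triples."""
    findings = []
    for ev in events:
        result = assess(ev)
        if result is not None:
            findings.append((ev.host, result[0], result[1]))
    return findings


# Constructed sample events: one sanctioned service start, one install from a
# browser download, one unapproved product, one unrelated process, and one
# approved product running from a scratch directory.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "SYSTEM",
                 r"C:\Program Files\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent("ws02", "alice",
                 r"C:\Users\alice\Downloads\ScreenConnect.WindowsClient.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent("ws03", "bob",
                 r"C:\Users\bob\AppData\Local\LogMeIn\LogMeIn.exe",
                 r"C:\Users\bob\AppData\Local\Temp\setup.exe"),
    ProcessEvent("ws04", "carol",
                 r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("ws05", "SYSTEM",
                 r"C:\Temp\ScreenConnect.ClientService.exe",
                 r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for host, severity, reason in scan(SAMPLE_EVENTS):
        print(f"{host}: [{severity}] {reason}")
```

The allowlist in `SANCTIONED_TOOLS` is the "control software installation" measure in concrete form: an approved product is still flagged when it shows up in a user's download folder with a browser as its parent, which is the shape of the phishing and fake-download installs described above, while the same product started as a service from its deployment path produces nothing. In a real deployment the event source would be an EDR or Sysmon process-creation feed rather than a constructed list.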

Alex Holland, Principal Threat Researcher at HP Security Lab, said the campaigns were designed to look routine rather than overtly hostile.

"These attacks don't look like break-ins - they look like business as usual, blending in with normal IT activity and avoiding the warning signs associated with malware. To secure the future of work and reduce risk, organizations should restrict unnecessary privileges, control software installation, and isolate risky activity such as downloads and unknown links. Detection alone is not enough when legitimate tools are being turned into backdoors," said Holland.