SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

HP warns of AI-fuelled 'flat-pack' cyberattacks surge

Wed, 4th Mar 2026

HP has reported an increase in cyberattack campaigns that use AI and ready-made malware components to scale up, even when the underlying techniques are basic.

The findings come from HP's latest Threat Insights Report, based on telemetry from millions of devices running HP Wolf Security. It focuses on attacks targeting PCs and the methods used to bypass common detection and filtering controls.

Researchers describe a shift towards campaigns that favour speed and low cost over sophistication. Attackers are using AI to generate scripts and quickly rework lures and payloads, increasing the number of variants defenders must handle.

Modular campaigns

A central theme is the use of modular malware components, which HP compares to "flat-pack" building blocks. Threat actors assemble campaigns from intermediate scripts and installers that stay consistent, while lures and final payloads change.

This approach cuts the time needed to build a new campaign and encourages reuse across unrelated groups. HP observed multiple actors using the same components, pointing to a tool supply chain fed by online marketplaces and hacker forums.

The report also highlights how off-the-shelf elements speed deployment. It describes these components as inexpensive and widely available, enabling attackers to combine them into customised campaigns at scale.

Vibe-hacking

HP points to AI-generated infection scripts, which it calls "vibe-hacking". In one example, a link embedded in a fake invoice PDF triggered a download from a compromised website. The victim was then redirected to a trusted platform such as Booking.com, as part of a flow designed to reduce suspicion.

The technique relies on automation rather than novel exploitation. The report describes it as a practical way to produce functional scripts quickly, with less manual effort and little need for bespoke development.

Alex Holland, principal threat researcher at HP Security Lab, said: "It's the classic project management triangle of speed, quality and cost. What we're seeing is many attackers optimising for speed and cost, not quality. They are not using AI to raise the bar, they're using it to move faster and reduce effort. The campaigns themselves are basic, but the uncomfortable reality is they still work."

Fake teams

Another campaign used fake Microsoft Teams downloads as a delivery mechanism. Attackers used search engine poisoning and malicious adverts to steer users to counterfeit Teams websites.

Victims then downloaded an installer bundle that included Oyster Loader malware. The report says the malware "piggybacks" on the legitimate installation process, so Teams installs while the infection runs in the background.

The result gives the attacker backdoor control of the device. The campaign reflects a continued focus on abusing familiar brands and workplace software to improve click-through and installation rates.

Email and files

The report also looks at how threats reach corporate environments. At least 14% of email threats identified by HP Sure Click bypassed one or more email gateway scanners.

Executable files were the most common delivery type at 37%, followed by .zip archives at 11% and .docx files at 10%. The report also notes ongoing diversification in delivery techniques, increasing the likelihood that at least one path will evade controls.

The dataset covers October to December 2025 and comes from consenting HP Wolf Security customers. HP's Threat Research Team conducted the associated investigations.

Containment focus

HP argues the findings challenge security strategies that rely heavily on detection, given how quickly attackers can generate new variants. It says defenders face a growing burden when malware can be repackaged and distributed at speed.

"AI-assisted attacks are shining a spotlight on the limitations of detection-led security. When attackers can generate and repackage malware in minutes, detection-based defences can't keep up. Instead of trying to spot every variant, organisations need to reduce exposure. By containing high-risk activities - like opening untrusted attachments or clicking unknown links - within an isolated environment, businesses can stop threats before they cause damage and remove an entire class of risk," said Dr. Ian Pratt, Global Head of Security for Personal Systems at HP.

HP adds that its isolation approach lets it observe threats that bypass detection tools while preventing direct harm. It reported that HP Wolf Security customers have clicked on more than 60 billion email attachments, web pages and downloaded files, with no reported breaches.