- Legitimate software is now the most dangerous weapon in a hacker’s arsenal, warns HP
- Tax deadline phishing emails open doors that security scanners never flag
- Fake dating app downloads give full remote access to attackers instantly
Cybercriminals are exploiting legitimate remote access applications such as LogMeIn and ScreenConnect to take control of victims’ devices without triggering standard security alerts, experts have warned.
HP’s latest Threat Insights report, covering January to March 2026, documents how attackers deliberately blend malicious activity into normal IT behavior to avoid detection.
Drawing on data from millions of endpoints running HP Wolf Security across the period examined, the report found that the campaigns follow a consistent pattern built around social engineering rather than technical exploits.
How trust becomes the weapon
Legitimate software becomes the perfect disguise precisely because security tools are least likely to flag applications they already recognize and trust.
When an attacker controls a well-known remote access tool on a victim’s device, there is nothing in the security stack to raise an alarm.
This invisibility starts at the very first step – attackers used tax year-end phishing emails and fake desktop application downloads, including fraudulent dating site installers, to persuade users to install remote access tools they control.
Once installed, these tools gave attackers total control over the device while appearing indistinguishable from routine IT activity.
“What stands out in these campaigns is how easily legitimate remote access tools are turned into entry points for attackers,” said Patrick Schläpfer, Principal Threat Researcher at HP Security Lab.
“Combining trusted software with carefully designed social engineering — tied to events like the end of the tax year — makes it even harder to distinguish between what can and can’t be trusted.”
Separate campaigns uncovered during the same period used fake cryptocurrency wallet recovery tools distributed through code-sharing platforms and media download sites.
Instead of helping users recover lost wallets, these tools collect credentials, wallet data and system information, then pack everything into archive files for exfiltration.
The emoji-heavy scripts used in these attacks showed characteristics consistent with AI-assisted coding.
This suggests that vibe coding tools are now lowering the barrier to building functional malware.
Malware hides in plain sight
HP’s report also documented ClickFix campaigns that disguised malware as audio files through convincing fake websites and realistic CAPTCHA prompts.
Victims unknowingly executed the malicious code in the background while they thought they were performing routine security checks.
At least 11% of email threats identified by HP Wolf Security during the period completely bypassed one or more email gateway scanners.
Executable files accounted for the largest share of malware delivery at 39%, followed by archive files at 38% and PDF documents at 10%.
“These attacks don’t look like intrusions – they look like business as usual; they blend in with normal IT activity and avoid the warning signs associated with malware,” said Alex Holland, Principal Threat Researcher at HP Security Lab.
Holland added that organizations should limit unnecessary privileges, control software installation and isolate risky activity such as downloads and unknown links.
Enterprise security teams are advised to adjust their defenses to account for attacks that look legitimate rather than suspicious.
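The advice above (limit privileges, control software installation, treat legitimate-looking activity as suspect) comes down to an allowlist problem: which remote access tools is this organisation allowed to run, from where, and launched by what? The following checker is an added example written for this page, not code from HP, TechRadar or any of the vendors named; it scans constructed process-start events and flags remote access tool executions that fall outside an assumed policy. The pipe-delimited log format, the sanctioned-tool policy, the executable names, the install paths and the sample events are all assumptions to be replaced with an organisation's own software inventory and telemetry.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Executable names of remote access tools, mapped to product. LogMeIn and
# ScreenConnect are named in the report; the binary names are assumptions
# an admin would replace with entries from their own software inventory.
REMOTE_ACCESS_BINARIES = {
    "logmein.exe": "LogMeIn",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
}

# Hypothetical organisation policy: only ScreenConnect, deployed by IT under
# Program Files, is sanctioned. Any other remote access product is not.
SANCTIONED_PRODUCTS = {"ScreenConnect"}
SANCTIONED_PATH_PREFIXES = (
    r"c:\program files\screenconnect client",
    r"c:\program files (x86)\screenconnect client",
)

# Directory markers (matched against the lowercased path) that an ordinary user
# can write to; a remote access tool running from here was installed by the
# user, or by a lure the user fell for, rather than by IT.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\desktop\\")

# Parent processes that indicate the binary was launched straight out of a
# mail client or browser download, the delivery chain the report describes.
DELIVERY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    user: str
    image: str    # full path of the executable that started
    parent: str   # executable name of the parent process
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed event line: ts|host|user|image|parent|cmdline."""
    fields = line.split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed event: {line!r}")
    return ProcessEvent(*fields)


def assess(ev: ProcessEvent) -> List[str]:
    """Return the policy violations an event triggers (empty list = nothing to flag)."""
    image_lc = ev.image.lower()
    product = REMOTE_ACCESS_BINARIES.get(PureWindowsPath(image_lc).name)
    if product is None:
        return []                      # not a remote access tool at all
    reasons = []
    if product not in SANCTIONED_PRODUCTS:
        reasons.append(f"unsanctioned remote access tool: {product}")
    elif not image_lc.startswith(SANCTIONED_PATH_PREFIXES):
        reasons.append(f"{product} running outside its IT-managed install path")
    if any(marker in image_lc for marker in USER_WRITABLE_MARKERS):
        reasons.append("binary located in a user-writable directory")
    if ev.parent.lower() in DELIVERY_PARENTS:
        reasons.append(f"launched directly from {ev.parent} (mail/browser download chain)")
    return reasons


def scan(lines: List[str]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Return (event, reasons) for every event that violates the policy."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample telemetry for one workstation (not real data).
SAMPLE_EVENTS = [
    # IT-deployed ScreenConnect service under Program Files: expected, no finding.
    r"2026-02-03T09:12:01Z|WS-0142|NT AUTHORITY\SYSTEM|C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe|services.exe|ScreenConnect.ClientService.exe",
    # LogMeIn run from Downloads straight out of the mail client, the tax-season lure pattern.
    r"2026-02-03T09:14:55Z|WS-0142|CORP\jsmith|C:\Users\jsmith\Downloads\TaxReturn2026\LogMeIn.exe|outlook.exe|LogMeIn.exe",
    # A sanctioned product, but a second copy the user installed under Temp from a browser download.
    r"2026-02-03T10:02:17Z|WS-0142|CORP\jsmith|C:\Users\jsmith\AppData\Local\Temp\ScreenConnect.WindowsClient.exe|chrome.exe|ScreenConnect.WindowsClient.exe",
    # Unrelated process: ignored.
    r"2026-02-03T10:05:00Z|WS-0142|CORP\jsmith|C:\Windows\System32\notepad.exe|explorer.exe|notepad.exe",
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"{ev.ts} {ev.host} {ev.user}: {ev.image}")
        for reason in reasons:
            print(f"    - {reason}")
```

The point of the three checks is that none of them depends on the binary being malicious: the IT-deployed ScreenConnect service passes, while the same product running from a user's Temp folder after a browser download is flagged. Tightening the policy (product, install path, expected parent, expected user) is what turns "looks like business as usual" back into something a detection can reason about.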