'These attacks don't look like break-ins': HP warns hackers are turning popular remote access tools into dangerous, stealthy backdoors
Date:
Tue, 16 Jun 2026 20:15:00 +0000
Description:
HP's latest threat report reveals hackers are abusing legitimate remote
access tools and fake downloads to silently compromise corporate devices.
FULL STORY ======================================================================
Legitimate software is now the most dangerous weapon in a hacker's arsenal, HP warns.
Tax deadline phishing emails are opening doors that security scanners never flag.
Fake dating app downloads are delivering full remote access to attackers instantly.

Cybercriminals are exploiting legitimate remote access applications such as LogMeIn and ScreenConnect to take control of victim devices without
triggering standard security alerts, experts have warned.
HP's latest Threat Insights Report, covering January through March 2026, documents how attackers are deliberately blending malicious activity into normal IT behavior to avoid detection. The report draws on data from millions of endpoints running HP Wolf Security across the period under review, and found the campaigns follow a consistent pattern built around social engineering rather than technical exploits.

How trust becomes the weapon

Legitimate software becomes the perfect disguise precisely because security tools are least likely to flag applications they already recognize and trust.
When an attacker controls a familiar remote access tool on a victim's device, nothing in the security stack raises an alarm.
That invisibility starts at the very first step: attackers used tax year-end phishing emails and fake desktop application downloads, including fraudulent dating website installers, to persuade users to install remote access tools that the attackers control.
Once installed, those tools gave attackers total device control while appearing indistinguishable from routine IT activity.
"What stands out in these campaigns is how easily legitimate remote access tools are being turned into entry points for attackers," said Patrick Schläpfer, Principal Threat Researcher at HP Security Lab.
"By combining trusted software with carefully designed social engineering tied to events like the end of the tax year, it's getting even harder to distinguish what can and can't be trusted."
Separate campaigns uncovered in the same period used fake cryptocurrency wallet recovery tools distributed through code-sharing platforms and media download sites.
Those tools, rather than helping users recover lost wallets, harvested credentials, wallet data, and system information before packaging everything into archive files for exfiltration.
The emoji-heavy scripts used in these attacks showed characteristics consistent with AI-assisted coding.
This suggests that vibe coding tools are now lowering the barrier for
building functional malware.

Malware hides in plain sight

HP's report also documented ClickFix campaigns disguising malware as audio files through convincing fake websites and realistic CAPTCHA prompts.
Victims unknowingly execute the malicious code in the background while believing they are completing routine security checks.
At least 11% of email threats identified by HP Wolf Security during the
period bypassed one or more email gateway scanners entirely.
Executable files accounted for the largest share of malware delivery at 39%, followed by archive files at 38% and PDF documents at 10%.
"These attacks don't look like break-ins; they look like business as usual, blending in with normal IT activity and avoiding the warning signs associated with malware," said Alex Holland, Principal Threat Researcher at HP Security Lab.
Holland added that organizations should restrict unnecessary privileges, control software installation, and isolate risky activity such as downloads and unknown links.
Enterprise security teams are advised to adjust their defenses to account for attacks that look legitimate, rather than suspicious.
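
Added example (not from HP's report or the article): one way to act on the advice to control software installation is to review remote access tool launches by their context rather than by tool name alone. The event fields, signer strings, approved-tool list and sample events below are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed policy and signatures (not from the report): adjust to your estate.
APPROVED_RMM = {"LogMeIn"}                      # tools IT actually deploys
RMM_SIGNERS = {"connectwise, llc": "ScreenConnect", "logmein, inc.": "LogMeIn"}
USER_LAUNCHERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "explorer.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


def review_event(event):
    """Return (tool, reasons) if the event is an RMM launch that needs review, else None."""
    # Match on the code-signing publisher so a renamed installer is still recognised.
    tool = RMM_SIGNERS.get(event.get("signer", "").lower())
    if tool is None:
        return None                             # not a known remote access tool
    reasons = []
    if tool not in APPROVED_RMM:
        reasons.append("tool not approved")
    if any(part in event["image"].lower() for part in USER_WRITABLE):
        reasons.append("runs from user-writable path")
    if PureWindowsPath(event["parent"]).name.lower() in USER_LAUNCHERS:
        reasons.append("started by user application")
    return (tool, reasons) if reasons else None


def triage(events):
    """Map host -> list of findings, keeping only hosts with something to review."""
    findings = {}
    for ev in events:
        hit = review_event(ev)
        if hit:
            findings.setdefault(ev["host"], []).append(hit)
    return findings


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FIN-LT-07", "image": r"C:\Users\amy\Downloads\Tax_Refund_2026.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "signer": "ConnectWise, LLC"},
    {"host": "HR-PC-02", "image": r"C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe",
     "parent": r"C:\Windows\System32\services.exe", "signer": "LogMeIn, Inc."},
    {"host": "OPS-PC-11", "image": r"C:\Users\raj\AppData\Local\Temp\LogMeIn.exe",
     "parent": r"C:\Windows\explorer.exe", "signer": "LogMeIn, Inc."},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, hits)
```

The third sample event is the case the article is about: an approved tool still gets flagged because it runs from a temp directory and was started by the user, not by the managed deployment.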
======================================================================
Link to news story:
https://www.techradar.com/pro/security/these-attacks-dont-look-like-break-ins-hp-warns-hackers-are-turning-popular-remote-access-tools-into-dangerous-stealthy-backdoors
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)