
Welcome to the June 2025 edition of the HP Wolf Security Threat Insights Report. In the report, we review notable malware campaigns, trends and techniques identified from HP Wolf Security’s customer telemetry in calendar Q1 2025.
Key Findings
- In Q1 2025, the HP Threat Research team tracked a large malware campaign where attackers deployed fake travel websites with malicious cookie consent banners to infect holiday bookers’ PCs with XWorm, a remote access trojan (RAT). Potential victims are directed to websites imitating Booking.com, a popular travel reservation website, where they are prompted to accept a fake cookie banner that downloads and runs the malware on their computer. The attackers tried to take advantage of users’ “click fatigue” when it comes to accepting or dismissing cookie banners. This activity is an evolution of campaigns seen in Q4 2024 that relied on fake CAPTCHA challenges to trick users into running malicious PowerShell commands on their devices to deploy malware.
- In Q1, HP Sure Click stopped campaigns where threat actors combined unusual file formats with clever social engineering to deliver malware. In one campaign, attackers crafted malicious Windows library (.library-ms) files to spread malware through WebDAV network shares disguised to look like local folders, such as “Documents” and “Downloads”.
- HP threat researchers identified a surge in malicious MSI installers in Q1, driven by a rise in ChromeLoader campaign activity. Often distributed through spoofed software sites and malvertising, these installers use valid, recently issued code-signing certificates to appear trusted and bypass Windows security warnings. ChromeLoader is a family of stealthy web browser malware that is capable of stealing data about victims’ browsing sessions.
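
For defenders triaging the Windows library files described in the second finding, the sketch below is an added example, not code from the report or from HP. It parses a library file (an XML document, extension .library-ms on Windows) and flags locations that point to another host while the file name imitates a local folder. The function names, size limit and sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# XML namespace used by Windows library description files.
NS = "{http://schemas.microsoft.com/windows/2009/library}"
LOCAL_LOOKING = {"documents", "downloads"}  # folder names cited in the finding above
MAX_CHARS = 1_000_000  # assumed limit: library files are small, refuse oversized input


def is_remote(target: str) -> bool:
    """True when a library location resolves to another host."""
    if target.startswith("\\\\"):  # UNC path, including \\host@SSL\DavWWWRoot WebDAV form
        return True
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in {"http", "https"}:
        return True
    return scheme == "file" and parsed.netloc not in ("", "localhost")


def triage(filename: str, data: str) -> dict:
    """Report remote locations and whether the file name mimics a local folder."""
    if len(data) > MAX_CHARS:
        raise ValueError("input too large for a library file")
    root = ET.fromstring(data)  # stdlib parser does not fetch external entities
    urls = [(el.text or "").strip() for el in root.iter(NS + "url")]
    remote = [u for u in urls if is_remote(u)]
    stem = PureWindowsPath(filename).stem.lower()
    return {"remote": remote, "suspicious": bool(remote) and stem in LOCAL_LOOKING}


# Constructed samples (not taken from any real campaign); host name is a placeholder.
REMOTE_URL = r"\\files.example.test@SSL\DavWWWRoot\docs"
SAMPLE_REMOTE = (
    '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
    "<searchConnectorDescriptionList><searchConnectorDescription>"
    "<simpleLocation><url>" + REMOTE_URL + "</url></simpleLocation>"
    "</searchConnectorDescription></searchConnectorDescriptionList>"
    "</libraryDescription>"
)
SAMPLE_LOCAL = SAMPLE_REMOTE.replace(REMOTE_URL, r"C:\Users\Public\Documents")

if __name__ == "__main__":
    for name, doc in [("Documents.library-ms", SAMPLE_REMOTE),
                      ("Documents.library-ms", SAMPLE_LOCAL)]:
        print(name, triage(name, doc))
```

A remote location alone is not proof of malice, since organisations can publish legitimate libraries over network shares, so treat the result as a triage signal for files that arrived by e-mail or download.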
Read the Report
Download the report: HP Wolf Security Threat Insights Report: June 2025
You can download and read our previous Threat Insights Reports here.


