Threat actors are increasingly chaining living-off-the-land (LOTL) techniques and abusing less obvious file types to slip past detection tools, according to HP Wolf Security’s Q2 2025 Threat Insights analysis. Security teams are now facing campaigns that combine multiple, often uncommon legitimate binaries and creative payload delivery methods — making malicious activity look innocuous and raising the bar for detection and response. [HP]
Chaining benign tools to build stealthy attacks
Rather than dropping standard remote access trojans (RATs) directly, adversaries are stitching together lightweight scripts and native Windows utilities to achieve the same outcomes more stealthily. These “chains” typically move execution through trusted system binaries (LOTL/LOLBins), load payloads reflectively in memory, and finally execute malware inside legitimate processes — a pattern that frequently avoids signature-based defenses. HP’s researchers emphasize that this approach is simple, fast, and often effective precisely because it appears mundane. [HP]
Image steganography and MSBuild abuse: the XWorm example
One case documented by HP shows attackers hiding a final RAT payload inside the pixels of an image hosted on a trusted site. The campaign began with phishing attachments (compiled HTML Help files) that executed scripts to copy and run native LOTL binaries, drop intermediate scripts in public folders, and use PowerShell to drive the infection. The image file was retrieved from a legitimate asset server, parsed in memory to extract hidden data, decoded, and executed through MSBuild — allowing the XWorm payload to run within a legitimate development process and bypass many security controls. This multi-stage, LOTL-centric pipeline illustrates how fileless and living-off-the-land techniques are being combined with steganography to evade detection. [HP]
SVGs and fake PDF flows — new lures that mimic real apps
HP also flags the growing misuse of image and vector formats such as SVG to deliver malware. Because SVG files are XML-based and open in the default browser, they can be weaponized to present realistic, interactive lures (for example, a fake Acrobat Reader upload UI). Small, superficially benign SVG files can trigger background requests to attacker-controlled servers that return archives containing obfuscated JavaScript or executables. Attackers further limit exposure by geofencing downloads to certain regions, slowing automated analysis and delaying detection. Recent independent reporting confirms an uptick in SVG-based phishing and malware delivery, with some campaigns bypassing antivirus filters by leveraging browser behavior and trusted hosting. [Tom’s Hardware]
Infostealers remain active despite takedowns — Lumma’s resilience
Infostealers such as Lumma (also referenced as LummaC2) were among the most active families observed during Q2. Although coordinated takedown operations in May 2025 disrupted large parts of Lumma’s infrastructure, telemetry and open reporting show campaigns persisted into June as operators rebuilt or shifted infrastructure. The Lumma case underlines that even after disruptions, threat actors can reconstitute operations quickly, often adopting more covert delivery and LOTL techniques to avoid future takedowns. [Microsoft]
Practical guidance: detection, observability, and prevention
Given the blended nature of modern LOTL campaigns, organizations should shift from purely signature-based controls toward behavior and process observability that can see suspicious chains of legitimate tools. Recommended actions include:
- Instrument endpoints to capture process lineage and command-line telemetry, so you can detect unusual chains of native binaries (e.g., MSBuild spawning PowerShell that decodes in-memory payloads). [HP]
- Monitor and restrict use of lesser-known or rarely used system utilities (establish a baseline of normal LOTL usage and alert on deviations). [HP]
- Treat image and vector content with the same suspicion as documents and archives — block or sandbox untrusted SVGs, images from unknown hosts, and archives retrieved by browser code. [Tom’s Hardware]
- Harden email and web controls to prevent malicious CHM/HTA attachments and to detect download chains that fetch payloads from otherwise trusted domains. [HP]
- Prepare for persistence after takedowns: maintain active threat hunting and telemetry retention so you can spot resurgent campaigns (as seen with Lumma) and pivot quickly from detection to containment. [Microsoft]
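The first two recommendations can be turned into a concrete lineage check. The Python below is an added example, not code from HP or this article; it assumes process-creation events (pid, parent pid, image path, command line) have already been parsed into records, and the sample telemetry is constructed for illustration, modelled on the CHM-to-PowerShell-to-MSBuild chain described above.

```python
import ntpath
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
# Native binaries that recur in LOTL chains (hh.exe opens compiled HTML Help files).
LOLBINS = {"hh.exe", "mshta.exe", "powershell.exe", "msbuild.exe", "wscript.exe", "cscript.exe"}
# Writable, world-readable folders where intermediate scripts get staged.
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\programdata\\")
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\b")

def lineage(proc, by_pid, max_depth=8):
    """Image basenames from proc up through its ancestors (child first)."""
    chain, seen = [], set()
    while proc is not None and proc.pid not in seen and len(chain) < max_depth:
        seen.add(proc.pid)
        chain.append(ntpath.basename(proc.image).lower())
        proc = by_pid.get(proc.ppid)
    return chain

def reasons_for(proc, by_pid):
    """Reasons this process looks like part of a LOTL chain (empty list if none)."""
    chain, cmd, found = lineage(proc, by_pid), proc.cmdline.lower(), []
    # Two or more LOLBins stacked in one lineage, ending at this process.
    if chain[0] in LOLBINS and sum(n in LOLBINS for n in chain) >= 2:
        found.append("lolbin chain: " + " <- ".join(chain))
    # PowerShell handed an encoded command with another LOLBin somewhere above it.
    if chain[0] == "powershell.exe" and ENCODED_FLAG.search(cmd) and any(n in LOLBINS for n in chain[1:]):
        found.append("encoded PowerShell under " + chain[1])
    # MSBuild "building" a project file staged in a public folder.
    if chain[0] == "msbuild.exe" and any(d in cmd for d in PUBLIC_DIRS):
        found.append("msbuild project in public folder")
    return found

def scan(events):
    """Map pid -> reasons for every event that trips at least one check."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: r for e in events if (r := reasons_for(e, by_pid))}

# Constructed sample telemetry (pid, ppid, image, command line), not real captures.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    Proc(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(200, 100, r"C:\Windows\hh.exe", r'hh.exe "C:\Users\v\Downloads\invoice.chm"'),
    Proc(400, 200, PS, "powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUA=="),  # placeholder blob
    Proc(500, 400, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", r"MSBuild.exe C:\Users\Public\build.xml"),
    Proc(600, 100, PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),  # benign admin script
    Proc(700, 100, r"C:\VS\Common7\IDE\devenv.exe", "devenv.exe"),
    Proc(800, 700, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", r"MSBuild.exe C:\Projects\app.csproj"),  # benign build
]
```

Running `scan(SAMPLE)` flags only the PowerShell and MSBuild processes descended from hh.exe; the admin script and the Visual Studio build go unflagged because each has a single LOLBin in its lineage.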
Conclusion
Attackers are increasingly weaponizing legitimate system features and nontraditional file formats to stay below the radar. To defend against these evolving LOTL techniques, security teams must combine robust observability, process-aware detection, and proactive hardening — and treat any unusual chain of trusted tools as a potential compromise. [HP]
Source: https://www.infosecurity-magazine.com/news/attackers-novel-lotl-detection