HP Wolf Security Threat Insights Report Q4 2023

February 15, 2024 Category: Threat Insights Reports By: HP Wolf Security

Welcome to the Q4 2023 edition of the HP Wolf Security Threat Insights Report. In the report, we review notable malware campaigns, trends and techniques identified from HP Wolf Security’s customer telemetry in calendar Q4 2023.

Key Findings

  • Threat actors continued shifting away from macros to other code execution techniques, such as exploiting software vulnerabilities. In Q4, the HP Threat Research team found that at least 84% of attempted intrusions involving spreadsheets, and 73% involving documents, sought to exploit vulnerabilities in Office applications. But macro-enabled attacks have not disappeared, and are still being used to spread remote access trojans (RATs), such as Agent Tesla and XWorm.
  • Q4 saw a 7 percentage point rise in PDF threats compared to Q1 2023. In previous quarters, cybercriminals used PDF lures to elicit credentials and financial details from victims through phishing. But in Q4 we also saw malware, including WikiLoader, Ursnif and DarkGate, increasingly being spread through PDF documents.
  • In Q4, HP analyzed campaigns delivering DarkGate malware. The threat actor proxied links through an advertising network to evade detection and capture analytics about their victims. The campaigns were initiated through malicious PDF attachments posing as OneDrive error messages, leading to the malware. DarkGate, operating as a malware-as-a-service, hands backdoor access to cybercriminals, exposing victims to risks like data theft and ransomware.
  • Threat actors continued to host malware on cloud services in Q4. The team uncovered attackers abusing legitimate online platforms such as Discord to stage Remcos malware. These services are often trusted by organizations, increasing attackers’ chances of remaining undetected.
  • In Q4, the HP Threat Research team analyzed a campaign spreading PurpleFox malware that made widespread use of steganography, a technique for concealing code inside images.

Read the Report

Download the report: HP Wolf Security Threat Insights Report Q4 2023

You can download and read our previous Threat Insights Reports here.
