Press Releases

Cyber Ad-versaries Using Analytics to Measure “Victims per Click”

HP warns of rise in malicious PDF campaigns and Office exploits, while noting Office macros persist

February 15, 2024

PALO ALTO, Calif., February 15, 2024 – HP Inc. (NYSE: HPQ) today issued its quarterly HP Wolf Security Threat Insights Report, showing attackers are continuing to find innovative ways to influence users and infect endpoints. The HP Wolf Security threat research team uncovered several notable campaigns including:

  • DarkGate campaign uses Ad tools to sharpen attacks: Malicious PDF attachments, posing as OneDrive error messages, direct users to sponsored content hosted on a popular ad network. This leads to DarkGate malware.
    • By using ad services, threat actors can analyze which lures generate clicks and infect the most users – helping them refine campaigns for maximum impact.
    • Threat actors can use CAPTCHA tools to prevent sandboxes from scanning malware and stopping attacks by ensuring only humans click.
    • DarkGate hands backdoor access to cybercriminals into networks, exposing victims to risks like data theft and ransomware.
  • A shift from macros to Office exploits: In Q4, at least 84% of attempted intrusions involving spreadsheets, and 73% involving Word documents, sought to exploit vulnerabilities in Office applications – continuing the trend away from macro-enabled Office attacks. But macro-enabled attacks still have their place, particularly for attacks leveraging cheap commodity malware like Agent Tesla and XWorm.
  • PDF malware is on the rise: 11% of malware analyzed in Q4 used PDFs to deliver malware, compared to just 4% in Q1 and Q2 2023. A notable example was a WikiLoader campaign using a fake parcel delivery PDF to trick users into installing Ursnif malware.
  • Discord and TextBin being used to host malicious files: Threat actors are using legitimate file and text sharing websites to host malicious files. These sites are often trusted by organizations, helping the sites to avoid anti-malware scanners, increasing attackers’ chances of remaining undetected.

Alex Holland, Senior Malware Analyst in the HP Wolf Security threat research team, comments:

“Cybercriminals are becoming adept at getting into our heads and understanding how we work. For instance, the design of popular cloud services is always being refined, so when a fake error message appears, it won’t necessarily raise an alarm, even if a user hasn’t seen it before. With GenAI generating even more convincing malicious content at little-to-no cost, distinguishing real from fake will only get harder.”

By isolating threats that have evaded detection tools on PCs – but still allowing malware to detonate safely – HP Wolf Security has specific insight into the latest techniques used by cybercriminals in the fast-changing cybercrime landscape. To date, HP Wolf Security customers have clicked on over 40 billion email attachments, web pages, and downloaded files with no reported breaches.

The report details how cybercriminals continue to diversify attack methods to bypass security policies and detection tools. Other findings include:

  • Archives were the most popular malware delivery type for the seventh quarter running, used in 30% of malware analyzed by HP.
  • At least 14% of email threats identified by HP Sure Click bypassed one or more email gateway scanners.
  • The top threat vectors in Q4 were email (75%), downloads from browsers (13%) and other means like USB drives (12%).

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., comments:

“Cybercriminals are applying the same tools a business might use to manage a marketing campaign to optimize their malware campaigns, increasing the likelihood the user will take the bait. To protect against well-resourced threat actors, organizations must follow zero trust principles, isolating and containing risky activities like opening email attachments, clicking on links, and browser downloads."

HP Wolf Security* runs risky tasks in isolated, hardware-enforced virtual machines running on the endpoint to protect users, without impacting their productivity. It also captures detailed traces of attempted infections. HP’s application isolation technology mitigates threats that can slip past other security tools and provides unique insights into intrusion techniques and threat actor behavior.


About the data

This data was gathered from consenting HP Wolf Security customers from October-December 2023.

About HP

HP Inc. (NYSE: HPQ) is a global technology leader and creator of solutions that enable people to bring their ideas to life and connect to the things that matter most. Operating in more than 170 countries, HP delivers a wide range of innovative and sustainable devices, services and subscriptions for personal computing, printing, 3D printing, hybrid work, gaming, and more. For more information, please visit:

About HP Wolf Security

HP Wolf Security is world class endpoint security. HP’s portfolio of hardware-enforced security and endpoint-focused security services are designed to help organizations safeguard PCs, printers, and people from circling cyber predators. HP Wolf Security provides comprehensive endpoint protection and resiliency that starts at the hardware level and extends across software and services. Visit

*HP Wolf Security for Business requires Windows 10 or 11 Pro and higher, includes various HP security features and is available on HP Pro, Elite, RPOS and Workstation products. See product details for included security features.

Media Contacts

HP Media Relations


©Copyright 2023 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the expresswarranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.