Cybercrime tactics are evolving rapidly, with a new threat intelligence report from HP Inc. shedding light on how criminals are exploiting trusted apps and innocent-looking files to sneak malware past security tools. According to HP’s analysis, sophisticated forms of digital deception are not just global issues—they have real implications for Nigeria, Ghana, and the broader West African community, where digital transformation and increased reliance on technology have heightened both opportunity and risk.
The HP Threat Insights Report, released in June 2025, uncovers the progress cyber attackers are making in refining older techniques like “living off the land” (LOTL) and phishing. LOTL, which carries out attacks using legitimate system tools already present on target computers, has been in use for years; these techniques are now being chained together and paired with lesser-known file types, making them harder to detect or block. In a region where businesses and individuals may rely on default security and free tools, understanding these new strategies is crucial.
Living-off-the-land attacks—where malware hides behind permitted, native Windows processes—have been on the radar of cybersecurity professionals for years. However, researchers from HP warn that campaigns employing an increasing mix of rare or overlooked executable files can easily masquerade as legitimate activity. This blending of malicious and regular processes means security teams using traditional detection software may struggle to separate real threats from daily operations.
Digging deeper, the report details how attackers have recently engineered highly realistic fake Adobe Acrobat Reader files, including fraudulent invoice lures that closely mimic official Adobe notifications. In one example highlighted in the report, even the loading bar in the fake document was meticulously designed, so victims felt compelled to trust and open the file. What lurked beneath, however, was a reverse shell script—a tool enabling remote attackers to control the infected system. According to HP, attackers concealed this threat inside SVG image data, demonstrating a new level of creativity in malware camouflage.
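The SVG lure described above works because an SVG is XML and may legitimately carry script, event handlers and embedded HTML, which a mail gateway treating it as “just an image” never inspects. The triage routine below is an added example (not HP’s code or anything from the report): it parses an SVG attachment and reports the active-content features a plain illustration has no need for, using constructed benign and suspicious samples.

```python
"""Static triage of SVG attachments for active content (added example)."""
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Elements that turn an "image" into a document capable of running code.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
HREF_ATTRS = {"href", XLINK_HREF}
# URL schemes that execute or render HTML when the link is followed.
EXECUTING_SCHEMES = ("javascript:", "data:text/html")


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.split("}", 1)[1] if "}" in name else name


def svg_findings(svg_text):
    """Return a sorted list of reasons this SVG should not be handled as a plain image."""
    findings = set()
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["malformed-xml"]          # gateways should quarantine, not guess
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.add(f"element:{tag}")
        for attr, value in el.attrib.items():
            if _local(attr).lower().startswith("on"):      # onload, onclick, ...
                findings.add(f"event-handler:{_local(attr)}")
            scheme = value.strip().lower()
            if attr in HREF_ATTRS and scheme.startswith(EXECUTING_SCHEMES):
                findings.add(f"href-scheme:{scheme.split(':', 1)[0]}")
    return sorted(findings)


# Constructed samples: a harmless logo and a lure-style SVG with inert placeholders.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">'
              '<circle cx="32" cy="32" r="30" fill="#c00"/></svg>')
SUSPICIOUS_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
                  'xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* placeholder */">'
                  '<rect width="200" height="20" fill="#09f"/>'      # fake "loading bar"
                  '<a xlink:href="javascript:void(0)"><text y="40">Open invoice</text></a>'
                  '<script><![CDATA[/* constructed placeholder, no payload */]]></script>'
                  '</svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, svg_findings(sample) or "clean")
```

Any non-empty result is a reason to detonate the file in isolation or block it outright rather than render it; the check is deliberately static so it can run before the attachment ever reaches an endpoint.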
What’s particularly alarming, especially for regions like Nigeria and Ghana experiencing surges in digital adoption, is how attackers “geofence” their operations. In some campaigns, malware downloads were restricted to German-speaking areas—making it harder for automated security systems to analyze or flag these files. Cybersecurity experts in Lagos and Accra warn that attackers may soon use similar localization tactics elsewhere, targeting local organizations in ways that evade international threat monitoring systems.
HP’s report also spotlights how criminals are embedding malware within images—specifically, by hiding malicious payloads inside pixel data of seemingly harmless project documents. These files, distributed as standard Microsoft Compiled HTML Help files, contained an “XWorm” payload. Only after the image was processed did the malware extract its code and start a multi-stage infection process, calling on a series of legitimate system tools (another example of LOTL) to further hide its activities.
This multi-stage approach is mirrored in West Africa, where some attacks use PowerShell scripts to deploy malware and then promptly delete the evidence. According to Abuja-based cybersecurity consultant Femi Osagie, “What makes these tactics dangerous for Nigerian businesses is the reliance on tools like Windows CMD or PowerShell for everyday operations. Many firms here don’t disable or closely monitor these scripts, as it would disrupt daily work.”
Another worrying trend is the resurgence of the notorious Lumma Stealer malware, widely recognized as a top threat globally and now common across African attack campaigns. This malware specializes in harvesting sensitive data such as passwords and financial details. In recent months, attackers have spread Lumma Stealer using IMG archive files that easily bypass spam and security filters—as they appear to be common photo or data files. Even after coordinated law enforcement operations in May 2025 to curb distribution, threat actors reportedly rebounded, registering fresh domains and updating their infrastructure almost immediately.
Alex Holland, Principal Threat Researcher at HP Security Lab, explained in the report that, “Attackers aren’t necessarily inventing new methods, but are making better use of what already exists. Techniques like living-off-the-land, phishing, and lightweight reverse shells are being refined, sometimes chained together, and hidden in less-expected file types like images—making them much more challenging to spot. For instance, rather than deploying a complex and noisy Remote Access Trojan, a basic reverse shell script can quietly give attackers all the control they need.”
Such tactics, HP researchers say, reveal how adaptive cyber threat actors have become. “Any file—even the ones we trust most—can be weaponized,” says Holland. “Criminals can abuse system features, manipulate trusted software, and tailor their methods to specific languages or regions, constantly outpacing conventional security defenses.”
One area in which HP claims unique insight is its own Wolf Security platform, which isolates potentially dangerous threats in secure containers—allowing malware to execute safely without harm to the host computer. According to the company, Wolf Security users have interacted with over 55 billion email attachments, web pages, and downloads without any known breaches. While this is an impressive feat, cybersecurity professionals in Nigeria urge users not to rely on any single tool, but to practice a combination of vigilance, staff training, and layered security protections.
From April to June 2025, HP’s research analyzed how attackers are spreading their bets across multiple entry points. Notably, 13% of email threats detected by HP Sure Click had previously bypassed one or more email gateway scanners. Archive files—especially .rar files, often opened in Nigeria using WinRAR—were the top method for malware delivery, representing 40% of cases. Executables and scripts made up another 35%. This reliance on common file formats allows attackers to stay one step ahead of signature-based antivirus programs.
Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., emphasized in the report that living-off-the-land techniques are “notoriously difficult” for security teams to counteract. “It’s a fine balance—clamp down too hard and you disrupt legitimate work; stay too open and risk cybercriminals exploiting those gaps. The goal should be defense-in-depth, using containment and isolation as safety nets to trap threats before they cause real damage.”
Cybersecurity experts in Nigeria note that with rapid expansion of remote work, digital commerce, and cloud services, the region is now as much a target for these attacks as any developed nation. Many SMEs, start-ups, and even government bodies are at risk, especially when cybersecurity awareness is low or IT resources are stretched thin. Ghanaian security analyst Nana Addo also points out that scams and malware campaigns increasingly leverage local context—tailoring lures around local banks, transport, or even government services to increase their chances of success.
In response, Nigerian professionals urge both organizations and individuals to be mindful:
- Regularly update operating systems and applications—many attacks exploit outdated software.
- Remain skeptical of unfamiliar attachments, even those appearing to come from trusted sources.
- Invest in training: Yetunde Balogun, an IT educator in Lagos, notes that “basic staff awareness training stops more attacks than any technical fix.”
- Adopt multi-layered security measures, such as sandboxing suspicious files and monitoring for unusual network activity.
- Report suspicious emails, files, or system behavior to IT or cybersecurity professionals promptly.
Looking ahead, the main lesson for African businesses and tech users is caution mixed with adaptation. Attackers, both within and outside the region, continue to evolve their strategies, using legitimate tools and unexpected file types—and combining these with local knowledge—to slip past defenses. No sector or community is immune, as digital connections cross borders and threats spread with little regard for geography.
What do you think is the biggest cybersecurity risk facing Nigerian companies and individuals today? Are local businesses taking adequate steps to protect themselves against this new wave of digital threats? Share your insights below and follow us for more updates and in-depth analysis on technology and security trends across Africa.