- Legitimate software is now the most dangerous weapon in a hacker’s arsenal, HP warns
- Tax deadline phishing emails are opening doors that security scanners never flag
- Fake dating app downloads are delivering full remote access to attackers instantly
Cybercriminals are exploiting legitimate remote access applications such as LogMeIn and ScreenConnect to take control of victim devices without triggering standard security alerts, experts have warned.
HP’s latest Threat Insights Report, covering January through March 2026, documents how attackers are deliberately blending malicious activity into normal IT behavior to avoid detection.
The report draws on data from millions of endpoints running HP Wolf Security across the period under review, and found the campaigns follow a consistent pattern built around social engineering rather than technical exploits.
How trust becomes the weapon
Legitimate software becomes the perfect disguise precisely because security tools are least likely to flag applications they already recognize and trust.
When an attacker controls a familiar remote access tool on a victim’s device, nothing in the security stack raises an alarm.
That invisibility starts at the very first step — attackers used tax year-end phishing emails and fake desktop application downloads, including fraudulent dating website installers, to persuade users into installing remote access tools that they control.
Once installed, those tools gave attackers total device control while appearing indistinguishable from routine IT activity.
“What stands out in these campaigns is how easily legitimate remote access tools are being turned into entry points for attackers,” said Patrick Schläpfer, Principal Threat Researcher at HP Security Lab.
“By combining trusted software with carefully…
