DIY hackers are turning to ‘flat-pack’ malware components to speed up attacks and cut costs
While these malware campaigns are very basic, researchers noted “they still work”
Cyber criminals are using “modular malware components” to create custom campaigns and speed up attacks, according to new research from HP.
Findings from HP Wolf Security's latest Threat Insights Report show hackers are combining off-the-shelf malware components, usually purchased via cyber crime forums, to wage attacks against enterprises globally.
Researchers at the firm noted that while early-stage lures and final payloads typically change, attackers are “reusing the same intermediate scripts and installers”.
This means that threat actors are able to build, customize, and scale campaigns with little effort and at a rapid pace – and it’s a trend that’s gaining traction. HP said it has observed multiple unrelated groups using the same basic building blocks in several campaigns.
The emergence of this ‘flat-pack’ malware trend aligns closely with the increased use of AI among threat actors, according to HP. Findings from the Threat Insights Report show attackers are also using AI to automate malware delivery as part of a focus on ‘vibe-hacking’ techniques.
In one example cited by the company, threat actors used AI to create a fake invoice PDF which triggered a silent download from a compromised site. Thereafter, this redirected unsuspecting users to trusted platforms such as Booking.com to curb their suspicions.
Alex Holland, principal threat researcher at HP Security Lab, said the increased use of AI in malware operations, combined with the focus on ‘flat-pack’ components, shows threat actors are prioritizing faster attacks and cheaper costs.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
“It’s the classic project management triangle - speed, quality, and cost,” he said. “You often sacrifice one of them. What we’re seeing is many attackers are optimizing for speed and cost, not quality.”
“They are not using AI to raise the bar; they’re using it to move faster and reduce effort.”
Holland further warned that although these campaigns are often basic in nature, the “uncomfortable reality is they still work”.
AI malware is taking off
The HP research comes in the wake of repeated warnings over the use of AI to build and fine-tune malware. As ITPro reported last month, research from Zscaler shows hackers are leveraging the technology to create more potent malware strains.
Google also warned that threat actors were found abusing its Gemini AI models to build malware in early February.
The use of AI in this instance also goes beyond building malware, however, with the technology also used during the early research and development stages.
Analysis from Trend Micro in September 2025 warned that hackers were ‘vibe coding’ malware by using AI to dissect publicly available threat intelligence reports.
This, Trend Micro noted, allowed threat actors to essentially reverse engineer malware strains based on technical blogs from industry stakeholders, create “partial malicious” code, and even mimic other group’s TTPs.
Ian Pratt, global head of security for personal systems at HP, said the firm’s research highlights the significant risks now posed by threat actors using AI.
“When attackers can generate and repackage malware in minutes, detection-based defences can’t keep up,” he said. “Instead of trying to spot every variant, organizations need to reduce exposure.”
Reducing exposure in this sense can be as simple as “containing high-risk activities” such as warning staff not to open untrusted attachments or clicking unknown links - typical advice given by most enterprises yet often still the source of breaches.
Separate analysis from the firm showed 14% of email threats identified by HP Sure Click bypassed one or more email gateway scanners, underlining the increasing success rates of threat actors.
FOLLOW US ON SOCIAL MEDIA
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
Cisco sounds alarm over new Russian malware campaign hitting firms in US and EuropeNews UAT-11795 is weaponizing legitimate software such as WebEx and Zoom to dupe victims
-
Why doesn't more data produce better results?ITPro Podcast Riverbed CIO Fernando Castanheira talks about data and how businesses can use it better
-
Working with the enemy: Ransomware negotiator-turned cyber criminal jailed after working with hackers to extort clientsNews Angelo Martino was supposed to be negotiating on behalf of victims, but was secretly working for ransomware operators
-
‘The risk to every organization has increased exponentially’: The FortiBleed campaign just took a turn for the worseNews Reports suggest that FortiBleed-linked exposed credentials could put UK government and public services at huge risk
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
Opera browser thinks it has the solution to stopping ClickFix malware attacksNews The browser company is targeting a growing source of malicious links with its new Paste Protect feature
-
US offers $10m bounty for info on Russia-linked hackers behind Signal and WhatsApp attacksNews UNC5792 and UNC4221 have been targeting government officials through their Signal and WhatsApp accounts
-
‘Hacking groups have the transport network firmly in their sights’: Network Rail is battling a torrent of cyber threatsNews FoI requests have revealed that the rail operator is under increasing attack, as cyber criminals set their sights on the transport sector
-
‘This operation marked a shift in strategy’: Three notorious malware networks have been taken down using RICO legislationNews The action involved the use of US racketeering laws to treat two malware families as part of a single conspiracy
-
Duo accused of role in TfL cyber attack plead guilty after ‘lengthy, highly complex, and painstaking investigation’News Around 10 million people are believed to have been affected by the TfL cyber attack