ESET Research has released its latest Threat Report, which summarizes threat landscape trends seen in ESET telemetry and from the perspective of both ESET threat detection and research experts, from June through November 2025. AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock – the first known AI-driven ransomware, capable of generating malicious scripts on the fly. While AI is still mainly used for crafting convincing phishing and scam content, PromptLock – and the handful of other AI-driven threats identified to this day – signal a new era of threats.
On the ransomware scene, victim numbers surpassed 2024 totals well before year’s end, with ESET Research projections pointing to a 40% year-over-year increase. Akira and Qilin now dominate the ransomware-as-a-service market, while low-profile newcomer Warlock introduced innovative evasion techniques. EDR killers continued to proliferate, highlighting that endpoint detection and response tools remain a significant obstacle for ransomware operators.
On the mobile platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemetry and several notable upgrades and campaigns observed in H2 2025. NGate – a pioneer among NFC threats, first discovered by ESET– received an upgrade in the form of contact stealing, likely laying the groundwork for future attacks. RatOn, entirely new malware on the NFC fraud scene, brought a rare fusion of remote access trojan (RAT) capabilities and NFC relay attacks, showing cybercriminals’ determination to pursue new attack avenues. RatOn was distributed through fake Google Play pages and ads mimicking an adult version of TikTok, and a digital bank ID service. PhantomCard – new NGate-based malware adapted to the Brazilian market – was seen in multiple campaigns in Brazil in H2 2025.
Furthermore, after its global disruption in May, the Lumma Stealer infostealer managed to briefly resurface – twice – but its glory days are most likely over. Detections plummeted by 86% in H2 2025 compared to the first half of the year, and a significant distribution vector of Lumma Stealer – the HTML/FakeCaptcha trojan, used in ClickFix attacks – nearly vanished from ESET telemetry.
Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold according to ESET telemetry. Distributed via malicious email campaigns, this malware-as-a-service downloader and cryptor is used to deploy other malware, including ransomware, as well as infostealer juggernauts such as Rescoms, Formbook, and Agent Tesla. Poland was most affected by this threat, with 32% of CloudEyE attack attempts in H2 2025 detected here.
For more information, check out the ESET Threat Report H2 2025 on WeLiveSecurity.com.
Like this:
Like Loading...
Related
This entry was posted on December 16, 2025 at 3:31 pm and is filed under Commentary with tags ESET. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
ESET Threat Report: AI-driven attacks on the rise; NFC threats increase and evolve in sophistication
ESET Research has released its latest Threat Report, which summarizes threat landscape trends seen in ESET telemetry and from the perspective of both ESET threat detection and research experts, from June through November 2025. AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock – the first known AI-driven ransomware, capable of generating malicious scripts on the fly. While AI is still mainly used for crafting convincing phishing and scam content, PromptLock – and the handful of other AI-driven threats identified to this day – signal a new era of threats.
On the ransomware scene, victim numbers surpassed 2024 totals well before year’s end, with ESET Research projections pointing to a 40% year-over-year increase. Akira and Qilin now dominate the ransomware-as-a-service market, while low-profile newcomer Warlock introduced innovative evasion techniques. EDR killers continued to proliferate, highlighting that endpoint detection and response tools remain a significant obstacle for ransomware operators.
On the mobile platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemetry and several notable upgrades and campaigns observed in H2 2025. NGate – a pioneer among NFC threats, first discovered by ESET– received an upgrade in the form of contact stealing, likely laying the groundwork for future attacks. RatOn, entirely new malware on the NFC fraud scene, brought a rare fusion of remote access trojan (RAT) capabilities and NFC relay attacks, showing cybercriminals’ determination to pursue new attack avenues. RatOn was distributed through fake Google Play pages and ads mimicking an adult version of TikTok, and a digital bank ID service. PhantomCard – new NGate-based malware adapted to the Brazilian market – was seen in multiple campaigns in Brazil in H2 2025.
Furthermore, after its global disruption in May, the Lumma Stealer infostealer managed to briefly resurface – twice – but its glory days are most likely over. Detections plummeted by 86% in H2 2025 compared to the first half of the year, and a significant distribution vector of Lumma Stealer – the HTML/FakeCaptcha trojan, used in ClickFix attacks – nearly vanished from ESET telemetry.
Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold according to ESET telemetry. Distributed via malicious email campaigns, this malware-as-a-service downloader and cryptor is used to deploy other malware, including ransomware, as well as infostealer juggernauts such as Rescoms, Formbook, and Agent Tesla. Poland was most affected by this threat, with 32% of CloudEyE attack attempts in H2 2025 detected here.
For more information, check out the ESET Threat Report H2 2025 on WeLiveSecurity.com.
Share this:
Like this:
Related
This entry was posted on December 16, 2025 at 3:31 pm and is filed under Commentary with tags ESET. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.