ESET Research Unveils Semi-Annual Report Covering June to November 2025
ESET Research has released its semi-annual report, analyzing trends in the threat landscape observed through ESET telemetry and expert analysis from ESET labs.
Key Findings
- In the second half of 2025, malware using artificial intelligence (AI) transitioned from conceptual to practical applications. ESET identified PromptLock, the first known AI-driven ransomware, capable of dynamically generating malicious scripts.
- While AI is currently primarily used to produce more realistic phishing and scam content, PromptLock, along with a few other emerging AI-based threats, marks the beginning of a new era in the evolution of cyber threats.
- Operators behind Nomani investment scams have refined their methods, with notable improvements in deepfake quality, AI-generated phishing sites, and ephemeral advertising campaigns to evade detection mechanisms.
Expert Insights
According to Jiří Kropáč, Director of Threat Prevention Labs at ESET, "The operators behind Nomani investment scams have perfected their methods. We've seen a significant improvement in the quality of deepfakes, the emergence of AI-generated phishing sites, and ephemeral advertising campaigns to evade detection mechanisms."
Threat Landscape
- ESET telemetry shows a 62% increase in Nomani scam detections over the past year, despite a slight slowdown in the second half of 2025. These scams, initially spread on Meta, have appeared on other platforms, including YouTube.
- On the ransomware front, the number of victims has surpassed 2024 figures well before the end of the year, with ESET Research projections indicating a 40% annual increase. The Akira and Qilin groups have emerged as key players in the "ransomware as a service" model, while Warlock, a new entrant, has introduced novel evasion techniques.
- "EDR Killers" continue to proliferate, confirming that detection and response solutions remain a significant obstacle for cybercriminals.
Notable Trends
- After a global disruption in May, LummaStealer attempted two brief reappearances but has since declined. Detections have dropped by 86% in the second half of 2025 compared to the first half, and one of its primary vectors, the HTML/FakeCaptcha Trojan used in ClickFix attacks, has nearly disappeared from ESET telemetry.
- In contrast, CloudEyE (also known as GuLoader) has experienced spectacular growth, with a nearly thirty-fold increase according to ESET data. Distributed via malicious email campaigns, this malware downloader and crypter service is used to deploy other malicious payloads, including ransomware and widely spread information stealers like Rescoms, Formbook, and Agent Tesla. Poland was the most affected country, accounting for 32% of detected CloudEyE attacks in the second half of 2025.
Mobile Threats
- NFC attacks have gained momentum and sophistication, as evidenced by an 87% increase in detections in ESET telemetry.
- NGate, a pioneer in NFC threats, has evolved to include contact theft, paving the way for more targeted attacks. RatOn, a new, unprecedented NFC malware, combines Trojan and remote access tool (RAT) functionality with NFC relay attacks, demonstrating the creativity of cybercriminals. RatOn was distributed via fake Google Play pages and advertisements mimicking adult TikTok or digital banking services. PhantomCard, an NGate variant adapted to the Brazilian market, was observed in several local campaigns.
Full Report
For more information, consult the complete report available for free on WeLiveSecurity.com in both English and French.