The first half of 2026 shows how attackers continue to improve the efficiency and scalability of their operations. Rather than relying on entirely new methods and tools, they are quickly adapting established techniques to new platforms, technologies, and user behaviors.
Artificial intelligence is playing a growing role in this development. In H1 2026, ESET analyzed nearly 900,000 AI skills – small functional components used by AI agents – and identified tens of thousands of suspicious and thousands of outright malicious instances. The number of AI skills within this new ecosystem is growing rapidly “as we speak”, further expanding the attack surface.
AI is also beginning to appear within malware itself. Shortly after the emergence of the first AI-powered ransomware in 2025, ESET researchers identified PromptSpy, the first known Android malware to use generative AI in its execution flow. The malware leverages AI – specifically, Google’s Gemini – to interpret user interface elements and adapt across devices and environments without relying on hardcoded behavior. While still rare, PromptSpy illustrates the potential for increased flexibility in future threats – although guardrails against abuse included in LLMs are likely slowing down the adoption.
ClickFix – a social engineering technique leveraging fake error messages – has expanded beyond fake CAPTCHA prompts into AI-themed help pages, browser extensions, and cloud authentication scenarios. ESET detections of this vector more than doubled between H2 2025 and H1 2026, indicating sustained activity and adaptation.
Phishing campaigns are also evolving in response to user behavior. QR code phishing – also known as quishing – has reached record levels in ESET telemetry, with attackers embedding malicious links in QR codes to bypass cursory inspection and shift user interaction to mobile devices, while exploiting the implicit trust many people place in the black-and-white squares.
Last but not least, ransomware activity showed no signs of slowing down, with continued use of EDR killers – tools designed to disable security software during attacks. ESET Research has documented over 100 EDR killers used in the wild, with new variants appearing regularly. At the same time, data from multiple sources shows that a declining share of victims are choosing to pay ransoms, suggesting some progress in mitigation and response measures.
To learn more about how threat intelligence can enhance the cybersecurity posture of your organization, visit the ESET Threat Intelligence page.







