The second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape.
AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock, the first known AI-driven ransomware, capable of generating malicious scripts on the fly. While AI is still mainly used for crafting convincing phishing and scam content, PromptLock – and the handful of other AI-driven threats identified to this day – signal a new era of threats.
After its global disruption in May, Lumma Stealer managed to briefly resurface – twice – but its glory days are most likely over. Detections plummeted by 86% in H2 2025 compared to the first half of the year, and a significant distribution vector of Lumma Stealer – HTML/FakeCaptcha trojan, used in ClickFix attacks – nearly vanished from our telemetry.
Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold in ESET telemetry. Distributed via malicious email campaigns, this malware-as-a-service downloader and cryptor is used to deploy other malware, including ransomware, as well as infostealer juggernauts such as Rescoms, Formbook, and Agent Tesla.
On the ransomware scene, victim numbers surpassed 2024 totals well before year’s end, with ESET Research projections pointing to a 40% year-over-year increase. Akira and Qilin now dominate the ransomware-as-a-service market, while low-profile newcomer Warlock introduced innovative evasion techniques. EDR killers continued to proliferate, highlighting that endpoint detection and response tools remain a significant obstacle for ransomware operators. H2 2025 also brought an unpleasant flashback to the Petya/NotPetya ransomware, when ESET researchers uncovered HybridPetya – a new derivate of the infamous malware capable of compromising modern UEFI-based systems.
On the Android platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemetry and several notable upgrades and campaigns observed in H2 2025. NGate – a pioneer among NFC threats, first described by ESET in 2024 – received an upgrade in the form of contact stealing, likely laying the groundwork for future attacks. RatOn, entirely new malware on the NFC fraud scene, brought a rare fusion of RAT capabilities and NFC relay attacks, showing cybercriminals’ determination to pursuing new attack avenues.
Fraudsters behind the Nomani investment scams have also refined their techniques – we have observed higher-quality deepfakes, signs of AI-generated phishing sites, and increasingly short-lived ad campaigns to avoid detection. In ESET telemetry, detections of Nomani scams grew 62% year-over-year, with the trend declining slightly in H2 2025.
Follow ESET research on X, Bluesky and Mastodon for regular updates on key trends and top threats.To learn more about how threat intelligence can enhance the cybersecurity posture of your organization, visit the ESET Threat Intelligence page.
