A view of the H2 2025 menace panorama as seen by ESET telemetry and from the attitude of ESET menace detection and analysis consultants
16 Dec 2025
•
,
2 min. learn
The second half of the 12 months underscored simply how rapidly attackers adapt and innovate, with fast modifications sweeping throughout the menace panorama.
AI-powered malware moved from principle to actuality in H2 2025, as ESET found PromptLock, the primary identified AI-driven ransomware, able to producing malicious scripts on the fly. Whereas AI continues to be primarily used for crafting convincing phishing and rip-off content material, PromptLock – and the handful of different AI-driven threats recognized to at the present time – sign a brand new period of threats.
After its world disruption in Might, Lumma Stealer managed to briefly resurface – twice – however its glory days are almost definitely over. Detections plummeted by 86% in H2 2025 in comparison with the primary half of the 12 months, and a major distribution vector of Lumma Stealer – HTML/FakeCaptcha trojan, utilized in ClickFix assaults – almost vanished from our telemetry.
In the meantime, CloudEyE, also referred to as GuLoader, surged into prominence, skyrocketing nearly thirtyfold in ESET telemetry. Distributed by way of malicious e-mail campaigns, this malware-as-a-service downloader and cryptor is used to deploy different malware, together with ransomware, in addition to infostealer juggernauts similar to Rescoms, Formbook, and Agent Tesla.
On the ransomware scene, sufferer numbers surpassed 2024 totals properly earlier than 12 months’s finish, with ESET Analysis projections pointing to a 40% year-over-year improve. Akira and Qilin now dominate the ransomware-as-a-service market, whereas low-profile newcomer Warlock launched revolutionary evasion methods. EDR killers continued to proliferate, highlighting that endpoint detection and response instruments stay a major impediment for ransomware operators. H2 2025 additionally introduced an disagreeable flashback to the Petya/NotPetya ransomware, when ESET researchers uncovered HybridPetya – a brand new derivate of the notorious malware able to compromising trendy UEFI-based techniques.
On the Android platform, NFC threats continued to develop in scale and class, with an 87% improve in ESET telemetry and a number of other notable upgrades and campaigns noticed in H2 2025. NGate – a pioneer amongst NFC threats, first described by ESET in 2024 – acquired an improve within the type of contact stealing, probably laying the groundwork for future assaults. RatOn, fully new malware on the NFC fraud scene, introduced a uncommon fusion of RAT capabilities and NFC relay assaults, exhibiting cybercriminals’ willpower to pursuing new assault avenues.
Fraudsters behind the Nomani funding scams have additionally refined their methods – we now have noticed higher-quality deepfakes, indicators of AI-generated phishing websites, and more and more short-lived advert campaigns to keep away from detection. In ESET telemetry, detections of Nomani scams grew 62% year-over-year, with the development declining barely in H2 2025.
Comply with ESET analysis on X, Bluesky and Mastodon for normal updates on key tendencies and prime threats.To study extra about how menace intelligence can improve the cybersecurity posture of your group, go to the ESET Risk Intelligence web page.
