ESET Research has released its latest Threat Report, which summarizes threat landscape trends seen in ESET telemetry and from the perspective of both ESET threat detection and research experts, from June through November 2025. AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock – the first known AI-driven ransomware, capable of generating malicious scripts on the fly. While AI is still mainly used for crafting convincing phishing and scam content, PromptLock – and the handful of other AI-driven threats identified to this day – signal a new era of threats.
“Fraudsters behind the Nomani investment scams have also refined their techniques – we have observed higher-quality deepfakes, signs of AI-generated phishing sites, and increasingly short-lived ad campaigns to avoid detection,” says Jiří Kropáč, Director of ESET Threat Prevention Labs. In ESET telemetry, detections of Nomani scams grew 62% year-over-year, with the trend declining slightly in H2 2025. Nomani scams have recently been expanding from Meta to other platforms, including YouTube.
On the ransomware scene, victim numbers surpassed 2024 totals well before year’s end, with ESET Research projections pointing to a 40% year-over-year increase. Akira and Qilin now dominate the ransomware-as-a-service market, while low-profile newcomer Warlock introduced innovative evasion techniques. EDR killers continued to proliferate, highlighting that endpoint detection and response tools remain a significant obstacle for ransomware operators.
On the mobile platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemetry and several notable upgrades and campaigns observed in H2 2025. NGate – a pioneer among NFC threats, first discovered by ESET– received an upgrade in the form of contact stealing, likely laying the groundwork for future attacks. RatOn, entirely new malware on the NFC fraud scene, brought a rare fusion of remote access trojan (RAT) capabilities and NFC relay attacks, showing cybercriminals’ determination to pursue new attack avenues. RatOn was distributed through fake Google Play pages and ads mimicking an adult version of TikTok, and a digital bank ID service. PhantomCard – new NGate-based malware adapted to the Brazilian market – was seen in multiple campaigns in Brazil in H2 2025.
Furthermore, after its global disruption in May, the Lumma Stealer infostealer managed to briefly resurface – twice – but its glory days are most likely over. Detections plummeted by 86% in H2 2025 compared to the first half of the year, and a significant distribution vector of Lumma Stealer – the HTML/FakeCaptcha trojan, used in ClickFix attacks – nearly vanished from ESET telemetry.
Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold according to ESET telemetry. Distributed via malicious email campaigns, this malware-as-a-service downloader and cryptor is used to deploy other malware, including ransomware, as well as infostealer juggernauts such as Rescoms, Formbook, and Agent Tesla. Poland was most affected by this threat, with 32% of CloudEyE attack attempts in H2 2025 detected here.
