The report is based on data collected between June and November 2025 and points to an evolution in scam techniques, with growing use of deepfakes and AI-generated content. At the same time, some well-known threats saw a sharp decline in detections in the second half of the year.
ESET, a global leader in the cybersecurity market, has published the latest edition of its Threat Report, which summarizes the threat trends observed in ESET telemetry and analyzed by its threat detection and research experts between June and November 2025. In the second half of the year, AI-based malware moved from theory to reality: ESET discovered PromptLock, the first known AI-driven ransomware, which generates its malicious scripts at run time by prompting a locally hosted language model rather than shipping them in the binary. PromptLock was subsequently identified as an academic proof of concept rather than malware used in live attacks, but it shows that the technique works. While AI is still primarily used to produce more convincing phishing and scam content, PromptLock, along with the few other AI-driven threats identified so far, signals the beginning of a new era of threats.
“Nomani investment scams have shown a significant evolution in the techniques used: higher quality deepfakes, AI-generated phishing site signals, and increasingly shorter advertising campaigns designed to reduce the chances of detection were observed,” says Jiří Kropáč, Director of ESET Threat Prevention Labs. In ESET telemetry, Nomani scam detections grew 62% year-on-year, with the trend declining slightly in the second half of 2025. Nomani scams are also expanding from Meta to other platforms, including YouTube.
As for ransomware, the number of victims exceeded 2024 levels well before the end of the year, with projections from ESET Research indicating a 40% increase year-on-year. Akira and Qilin now dominate the ransomware-as-a-service market, and the low-profile newcomer Warlock has introduced novel evasion techniques. The spread of EDR killers, tools that disable endpoint agents before encryption starts (typically by loading a vulnerable signed driver to terminate security processes), has continued, which shows that endpoint detection and response tools remain a significant obstacle for ransomware operators.
On the mobile platform, threats based on Near Field Communication (NFC) technology continued to grow in scale and sophistication, with an 87% increase in ESET telemetry and several notable updates and campaigns observed in the second half of 2025. NGate, the pioneer among NFC relay threats and first documented by ESET, gained a contact-stealing capability, likely laying the groundwork for future attacks. RatOn, an entirely new malware family in the NFC fraud landscape, combines remote access trojan (RAT) functionality with NFC relay attacks, a rare pairing that demonstrates how determined cybercriminals are to explore new attack vectors. RatOn was distributed via fake Google Play pages and ads mimicking an adult version of TikTok and a banking digital identity service. PhantomCard, a new malware based on NGate and adapted to the Brazilian market, was observed in multiple campaigns in Brazil in the second half of 2025.
Additionally, after the global takedown in May, the infostealer Lumma Stealer managed to resurface briefly, twice, but its heyday appears to be over. Detections plummeted 86% in the second half of 2025 compared to the first half, and a major distribution vector for Lumma Stealer, the HTML/FakeCaptcha trojan used in ClickFix attacks (fake verification pages that trick users into pasting and running a command themselves), has all but disappeared from ESET telemetry.
Meanwhile, CloudEyE, also known as GuLoader, has quickly risen to prominence, with a nearly thirty-fold increase in ESET telemetry. Distributed via malicious email campaigns, this malware-as-a-service downloader and crypter is used to deliver other malware, including ransomware, remote access trojans such as Rescoms (Remcos), and infostealers such as Formbook and Agent Tesla. Poland was the most affected country, accounting for 32% of CloudEyE attack attempts detected in the second half of 2025.