ESET Research Reveals Key Trends in Cyber Threats: Threat Report Highlights
ESET Research has unveiled its latest Threat Report, providing an in-depth look at the evolving landscape of cyber threats observed from June to November 2025. This report is particularly significant as it showcases major developments in malware and ransomware, shedding light on how cybercriminals are increasingly leveraging advanced technologies to carry out their malicious activities.
The Rise of AI-Powered Malware
In a groundbreaking shift, AI-powered malware has transitioned from a theoretical concern to a tangible reality during the second half of 2025. The emergence of PromptLock, the first AI-driven ransomware, marks a pivotal moment in cyber threats. This innovative malware is capable of generating malicious scripts on the fly, highlighting a new level of sophistication in cyber-attacks. Although AI’s primary application has been crafting convincing phishing and scam content, the introduction of PromptLock and a few other AI-enabled threats indicates a significant evolution in cybercrime tactics.
Increasing Use of Advanced Scams
Fraudulent schemes, such as the Nomani investment scams, have adapted and refined their methods significantly. According to Jiří Kropáč, Director of ESET Threat Prevention Labs, these fraudsters are now utilizing higher-quality deepfakes and AI-generated phishing sites, along with short-lived ad campaigns crafted to evade detection. The report indicates a remarkable 62% increase in detections of Nomani scams year-over-year, although there was a slight downturn observed in the latter part of 2025. Furthermore, these scams have spread beyond Meta platforms to other channels such as YouTube, widening their reach and impact.
Ransomware Threat Landscape Intensifies
The ransomware landscape is also experiencing alarming growth, with the number of victims reportedly surpassing 2024 figures well before the end of the year. Projections indicate a staggering 40% year-over-year increase in ransomware incidents. Currently, the Akira and Qilin ransomware groups dominate the ransomware-as-a-service market, indicating a shift toward more organized and sophisticated cybercrime operations.
Moreover, a new entrant, Warlock, has emerged with advanced evasion techniques, making it difficult for traditional security measures to detect these threats. The ongoing proliferation of EDR killers serves as a reminder that robust endpoint detection and response mechanisms remain a critical barrier against ransomware operators.
Growth of NFC Threats
On the mobile platform, threats targeting NFC technologies have been on the rise, with ESET telemetry showing an 87% increase in NFC-related incidents. Notably, NGate, recognized as a pioneer among NFC threats, has undergone significant upgrades, introducing contact-stealing capabilities that could set the stage for future attacks.
In addition, a novel malware variant called RatOn has been identified, demonstrating a unique combination of remote access trojan (RAT) capabilities and NFC relay attacks. This malware was distributed through misleading Google Play pages and ads for adult-themed applications, emphasizing the resourcefulness of cybercriminals in exploring new attack vectors. In Brazil, the PhantomCard, an adaptation of NGate, has been active in multiple campaigns throughout the latter half of 2025.
Emergence and Decline of Notable Malware
Following its global disruption in May, the Lumma Stealer infostealer made a brief resurgence, appearing twice but failing to sustain its previous impact. In the latter half of 2025, detections plummeted by 86% compared to earlier in the year, and one of its main distribution vectors—the HTML/FakeCaptcha trojan—has nearly disappeared from ESET telemetry data.
On the other hand, CloudEyE, also known as GuLoader, has seen a dramatic rise, with attack attempts increasing almost thirtyfold according to ESET telemetry. Distributed primarily through malicious email campaigns, this malware-as-a-service downloader and cryptor deploys various types of malware, including ransomware and infostealers like Rescoms, Formbook, and Agent Tesla. Poland has been particularly affected, accounting for 32% of the CloudEyE attack attempts in the latter half of 2025.
The ESET Threat Report underlines the dynamic nature of the cybersecurity landscape, pointing to heightened risks that require continuous vigilance and advanced protective measures.