ESET Threat Report H2 2025

AI’s transition from a research curiosity to a weaponized tool reshaped the threat landscape in H2 2025. PromptLock demonstrated that generative models can craft malicious code on the fly, lowering the barrier for sophisticated ransomware campaigns. While AI continues to dominate phishing and deep‑fake scams, its integration into malware pipelines signals a new arms race where defenders must anticipate algorithmic adaptations rather than static signatures.

At the same time, traditional malware families showed divergent trajectories. Lumma Stealer, once a prolific credential thief, saw an 86% detection decline as its HTML/FakeCaptcha delivery method evaporated, suggesting successful disruption by security vendors. Conversely, CloudEyE (GuLoader) surged nearly thirty‑fold, operating as a malware‑as‑a‑service platform that distributes ransomware, infostealers like Rescoms and Agent Tesla, and acts as a cryptor. This shift underscores the growing commoditization of threat tools, enabling low‑skill actors to launch high‑impact attacks with minimal infrastructure.

Ransomware volumes eclipsed 2024 levels, with a projected 40% year‑over‑year increase. Established RaaS players Akira and Qilin solidified market share, while newcomers such as Warlock introduced novel evasion techniques that bypass endpoint detection and response (EDR) solutions. The emergence of HybridPetya, a UEFI‑targeting derivative of the infamous NotPetya, raises concerns about firmware‑level persistence. Parallelly, Android NFC threats rose 87%, and investment scams like Nomani leveraged AI‑generated deepfakes, highlighting the multi‑vector nature of modern cyber risk. Organizations must therefore adopt layered, AI‑aware security architectures and prioritize threat‑intel integration to stay ahead of these evolving attacks.