ESET Threat Report H2 2025 reveals the rise of AI-driven ransomware, evolving mobile NFC threats, and shifting cybercrime tactics
ESET Research’s latest Threat Report for the second half of 2025 highlights a rapidly evolving cyber threat landscape, marked by the growing use of artificial intelligence by cybercriminals, increasingly sophisticated mobile fraud, and a reshaped ransomware ecosystem. Covering the period from June to November 2025, the report draws on ESET telemetry and in-depth analysis from its global research teams.
One of the most notable developments is the emergence of PromptLock, identified by ESET as the first known AI-driven ransomware. Capable of generating malicious scripts dynamically, PromptLock signals a shift from experimental use of AI to real-world deployment in malware. While AI is still most commonly used to enhance phishing and scam content, this development points to a new phase in cybercrime innovation.
“AI-powered threats are no longer theoretical—they are actively reshaping the cyber risk landscape.”
— Jiří Kropáč, Director, ESET Threat Prevention Labs
Scam operations also showed clear signs of maturity during the period. ESET observed higher-quality deepfakes, indications of AI-generated phishing websites, and short-lived online advertising campaigns designed to evade detection. Investment scams linked to the Nomani scheme grew significantly year over year, expanding beyond social media platforms to include video-sharing services, before tapering off slightly toward the end of 2025.
Ransomware activity continued to escalate, with victim numbers surpassing the previous year well before the end of 2025. Established groups such as Akira and Qilin strengthened their dominance in the ransomware-as-a-service ecosystem, while newer players introduced stealthier evasion techniques. The continued spread of tools designed to disable endpoint detection highlights the ongoing pressure on enterprise security defenses.
On mobile platforms, NFC-based threats expanded sharply in both volume and sophistication. ESET recorded a substantial increase in NFC-related detections, driven by malware that combines contactless payment abuse with advanced capabilities such as remote access and data theft. New malware families and region-specific variants demonstrate attackers’ intent to exploit emerging technologies and local market conditions.
Meanwhile, once-prominent threats such as Lumma Stealer saw a dramatic decline following global disruption efforts earlier in the year, suggesting that coordinated takedowns can have a lasting impact. At the same time, other malware loaders rose rapidly, underlining the constantly shifting nature of the threat ecosystem.
The report reinforces the need for continuous vigilance, strong endpoint protection, and threat intelligence grounded in both advanced analytics and human expertise, as attackers increasingly blend AI with traditional cybercrime techniques.
