A view of the H2 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts
# Incident Report: H2 2025 Threat Landscape Summary
## Executive Summary
The second half of 2025 saw rapid innovation in the threat landscape, marked by the emergence of the first known AI-driven ransomware (PromptLock) and a significant surge in advanced malware loaders like CloudEyE. Ransomware victims increased by 40% year-over-year, driven by Akira and Qilin dominance, while specialized threats like HybridPetya demonstrated capacity to target modern UEFI systems. Mobile threats also advanced, with sophisticated NFC fraud techniques evolving.
## Incident Details
- **Discovery Date:** Ongoing throughout H2 2025 (Based on ESET Telemetry)
- **Incident Date:** H2 2025 (July 1, 2025 – December 31, 2025)
- **Affected Organization:** Globally observed, aggregated via ESET telemetry.
- **Sector:** Diverse (Various sectors targeted by ransomware, infostealers, and bank fraud schemes).
- **Geography:** Global.
## Timeline of Events
The timeline reflects trends and significant developments rather than a single, linear attack chain:
### Initial Access
- **Date/Time:** Ongoing throughout H2 2025.
- **Vector:** Malicious email campaigns (CloudEyE loader and the secondary payloads it drops); phishing and social-engineering lures, including AI-generated phishing sites (Nomani investment scams); ClickFix-style HTML/FakeCaptcha lures (Lumma Stealer, declining over the period).
- **Details:** CloudEyE detections surged nearly thirtyfold; it arrives through email campaigns and acts as a loader for secondary malware. PromptLock is notable for generating its malicious scripts at runtime with a locally run LLM rather than shipping fixed payload code, so signatures on the scripts themselves are unreliable.
### Lateral Movement
- **Date/Time:** Post-initial access.
- **Vector:** Not detailed for specific incidents. EDR killers proliferated; they are typically run once an operator already holds administrative access, to blind endpoint protection before ransomware is deployed and pushed across the estate.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing.
- **Details:** Ransomware victims showed a 40% YoY increase, with Akira and Qilin as dominant RaaS operations. Android platforms saw an 87% surge in NFC threats, including contact stealing (NGate upgrade) and combined RAT/NFC relay attacks (RatOn). Nomani investment scams showed refinement using higher-quality deepfakes and AI-generated phishing sites.
### Detection & Response
- **Date/Time:** Ongoing telemetry monitoring.
- **Details:** ESET identified PromptLock, the first known AI-driven ransomware. Lumma Stealer detections fell by 86%, a drop that coincides with the fading of its primary delivery chain, the HTML/FakeCaptcha trojan used in ClickFix attacks. ESET researchers also uncovered HybridPetya, which targets UEFI systems.
## Attack Methodology
| Category | Observed Techniques/Malware |
| :--- | :--- |
| **Initial Access** | Malicious Email Campaigns (distributing CloudEyE, Formbook, etc.); AI-generated phishing content (Nomani scams). |
| **Persistence** | Not explicitly detailed for most families; HybridPetya's UEFI component runs before the operating system loads, giving it pre-OS persistence that ordinary OS-level cleanup does not reach. |
| **Privilege Escalation** | Not explicitly detailed; EDR killers and UEFI-level payloads presuppose administrative privileges already obtained on the host. |
| **Defense Evasion** | Proliferation of EDR killers; Warlock ransomware introducing innovative evasion techniques. |
| **Credential Access** | Infostealers, chiefly Lumma Stealer, whose detections fell 86% over the period despite a brief resurgence. |
| **Discovery** | Not explicitly detailed for broad threats. |
| **Lateral Movement** | Not explicitly detailed; disabling EDR is the usual precursor to ransomware deployment across an estate. |
| **Collection** | NGate upgrade added contact stealing capability on Android platforms. |
| **Exfiltration** | Double-extortion RaaS operations (Akira, Qilin) steal data before encrypting it; infostealer uploads (Lumma Stealer); relay of NFC payment data and stolen contacts from Android devices (NGate, RatOn). |
| **Impact** | Encryption/Extortion (Ransomware); Financial Fraud (NFC attacks, Nomani scams); System compromise (HybridPetya on UEFI). |
## Impact Assessment
- **Financial:** Unspecified aggregate costs, but significant due to a **40% year-over-year increase in ransomware victims**. Financial fraud intensified via sophisticated NFC and investment scams.
- **Data Breach:** High risk of data loss/encryption via dominant RaaS operators (Akira, Qilin).
- **Operational:** Disruption caused by aggressive ransomware deployment and the threat of system compromise via firmware-level attacks (HybridPetya).
- **Reputational:** Brands and public figures impersonated in Nomani investment scams face reputational damage as the deepfakes and AI-generated content used against their audiences become more convincing.
## Indicators of Compromise
*(Note: As this is a high-level threat landscape report, the indicators below are threat families and behaviours rather than network artifacts; no IPs, URLs or hashes are listed.)*
- **Network Indicators:** High volume distribution of CloudEyE payloads via email. Campaigns linked to Akira/Qilin RaaS operations.
- **File Indicators:** PromptLock (AI-driven ransomware); HybridPetya (UEFI targeting malware); RatOn (RAT/NFC fusion).
- **Behavioral Indicators:** Use of EDR killer technology; NFC relay techniques; AI generation capabilities in malware scripts.
## Response Actions
- **Containment:** Not specified for individual organizations; at the telemetry level, ESET tracked the decline of established threats (Lumma Stealer) alongside the rise of new ones (CloudEyE, PromptLock).
- **Eradication:** Requires endpoint tooling that withstands EDR killers (tamper protection on the agent) and, for HybridPetya, cleanup of the UEFI boot chain, since OS-level remediation alone does not remove a pre-OS component.
- **Recovery:** Restoration from offline backups for the increased volume of ransomware victims; where data was exfiltrated before encryption (double extortion), restoring systems does not resolve the disclosure risk.
## Lessons Learned
- AI has moved from theoretical use to operational reality in malware creation (PromptLock). Security solutions must rapidly evolve to counter generative threats.
- Persistent focus on endpoint security (EDR) remains critical, as demonstrated by the continued proliferation of EDR killers.
- Mobile payment channels (Android NFC) are being targeted with increasing complexity, with RAT and NFC relay capabilities merged into a single tool (RatOn).
- A family's distribution chain can collapse quickly (Lumma Stealer detections fell 86% as its HTML/FakeCaptcha delivery faded), so detection should not be anchored to a single family's delivery mechanism.
## Recommendations
- Implement threat detection that keys on behaviour (process lineage, mass file-encryption patterns, local LLM API traffic from unexpected processes) rather than static signatures, since AI-generated malicious code such as PromptLock's runtime-generated scripts has no stable hash.
- Review and strengthen UEFI firmware integrity: keep Secure Boot enabled and out of setup mode, apply firmware and bootloader updates, and inventory the EFI System Partition for unexpected binaries, given the emergence of HybridPetya.
- Enhance mobile security monitoring to detect unusual NFC activity or RAT behavior on Android devices.
- Develop robust verification protocols to counter sophisticated deepfake and AI-generated phishing used in high-value scams.
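As an added example (not ESET's code or tooling, and not part of the report), the following Python script shows two of the UEFI checks a defender can run on a Linux host: it parses the SecureBoot and SetupMode variables as exposed by efivarfs (which prefixes each variable with a 4-byte attribute mask) and diffs the `.efi` binaries on the EFI System Partition against a baseline of known SHA-256 digests. The efivarfs path and the EFI global variable GUID are the standard ones; the sample variable bytes, ESP listing and baseline are constructed for the demonstration, and `load_esp()` / `read_state_from_sysfs()` are the hooks for running it against a real mount.

```python
"""UEFI boot-chain triage: Secure Boot state from efivarfs and an ESP inventory diff.
Added example, not code from ESET or from the report. Sample data below is constructed."""
import hashlib
import os
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# EFI_GLOBAL_VARIABLE GUID, used by the SecureBoot and SetupMode variables.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attribute mask, variable data).

    efivarfs prepends a 4-byte little-endian attribute mask to the variable's data,
    so the value of a one-byte variable such as SecureBoot is raw[4], not raw[0].
    """
    if len(raw) < 4:
        raise ValueError("efivar payload shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> str:
    """Classify the boot chain as 'setup-mode', 'enabled' or 'disabled'.

    SetupMode is checked first: firmware in setup mode has writable signature
    databases and enforces nothing, whatever the SecureBoot flag says.
    """
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    if sm[:1] == b"\x01":
        return "setup-mode"
    if sb[:1] == b"\x01":
        return "enabled"
    return "disabled"


def read_state_from_sysfs() -> str:
    """Live check on a Linux host booted under UEFI (needs read access to efivarfs)."""
    sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}").read_bytes()
    sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}").read_bytes()
    return secure_boot_state(sb, sm)


def audit_esp(files: dict[str, bytes], baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff the .efi binaries on the ESP against a baseline of known SHA-256 digests.

    files:    ESP-relative path -> file content (from load_esp() or a forensic image)
    baseline: ESP-relative path -> expected hex digest, recorded on a known-good host
    Returns paths that are unknown (not in baseline), modified (digest mismatch) or
    missing (in baseline but absent); anything in the first two lists warrants a look.
    """
    findings: dict[str, list[str]] = {"unknown": [], "modified": [], "missing": []}
    for path, content in files.items():
        if not path.lower().endswith(".efi"):
            continue
        digest = hashlib.sha256(content).hexdigest()
        if path not in baseline:
            findings["unknown"].append(path)
        elif baseline[path] != digest:
            findings["modified"].append(path)
    findings["missing"] = [p for p in baseline if p not in files]
    return findings


def load_esp(mount: str = "/boot/efi") -> dict[str, bytes]:
    """Read every file under the mounted ESP into memory, keyed by ESP-relative path."""
    out: dict[str, bytes] = {}
    for root, _, names in os.walk(mount):
        for name in names:
            full = os.path.join(root, name)
            out[os.path.relpath(full, mount)] = Path(full).read_bytes()
    return out


# --- constructed sample data (not real telemetry) -----------------------------
_ATTRS = struct.pack("<I", 0x6)  # EFI_VARIABLE_BOOTSERVICE_ACCESS | RUNTIME_ACCESS
SAMPLE_SB_ON, SAMPLE_SB_OFF = _ATTRS + b"\x01", _ATTRS + b"\x00"
SAMPLE_SM_ON, SAMPLE_SM_OFF = _ATTRS + b"\x01", _ATTRS + b"\x00"

SAMPLE_BASELINE = {
    "EFI/BOOT/BOOTX64.EFI": hashlib.sha256(b"known-good bootloader bytes").hexdigest(),
    "EFI/ubuntu/shimx64.efi": hashlib.sha256(b"known-good shim bytes").hexdigest(),
}
SAMPLE_ESP = {
    "EFI/BOOT/BOOTX64.EFI": b"tampered bootloader bytes",    # digest no longer matches
    "EFI/unexpected/loader.efi": b"binary not in baseline",  # never recorded
    "EFI/ubuntu/grub.cfg": b"set timeout=5",                 # not .efi, ignored
}


def run_sample() -> tuple[str, dict[str, list[str]]]:
    """Run both checks over the constructed data."""
    return secure_boot_state(SAMPLE_SB_ON, SAMPLE_SM_OFF), audit_esp(SAMPLE_ESP, SAMPLE_BASELINE)


if __name__ == "__main__":
    state, findings = run_sample()
    print("secure boot:", state)
    for kind, paths in findings.items():
        print(f"{kind}: {paths}")
```

On the constructed data the script reports Secure Boot as enabled, flags `EFI/BOOT/BOOTX64.EFI` as modified and `EFI/unexpected/loader.efi` as unknown, and notes the baselined shim as missing. The baseline should be captured from a freshly provisioned host and stored off the machine, since an attacker who can write to the ESP can also rewrite a baseline kept beside it.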