H2 2025: AI-Malware Emerges as Ransomware Surges

December 16, 2025 at 12:00 AM

The second half of 2025 underscored how quickly adversaries adapt, with AI-driven malware moving from concept to reality and ransomware activity breaking records.

AI goes operational

  • ESET uncovered PromptLock, the first known AI-driven ransomware: rather than shipping fixed payloads, it prompts a locally hosted LLM to generate its malicious scripts on demand at runtime.
  • While AI remains widely used to craft persuasive phishing and scam content, PromptLock and a handful of similar threats signal a new era of AI-enabled attacks.

Infostealers: decline and displacement

  • After a global disruption in May, Lumma Stealer briefly resurfaced twice, but detections fell 86% versus H1 2025.
  • A major delivery vector for Lumma, the HTML/FakeCaptcha trojan used in ClickFix attacks (fake CAPTCHA pages that talk the victim into pasting and running a command themselves), largely disappeared from telemetry.

Delivery pivots: CloudEyE/GuLoader explodes

  • CloudEyE (aka GuLoader) surged nearly 30x in ESET telemetry, primarily via malicious email campaigns.
  • As a malware-as-a-service downloader and cryptor, it is the first stage for other payloads, including ransomware as well as RAT and infostealer heavyweights such as Rescoms, Formbook, and Agent Tesla.

Ransomware: record pace and new tactics

  • Victim counts surpassed 2024 totals well before year-end, with projections pointing to a 40% year-over-year increase.
  • Akira and Qilin now dominate the ransomware-as-a-service space, while low-profile newcomer Warlock introduced innovative evasion techniques.
  • EDR killers spread further, underscoring how endpoint detection and response remains a key hurdle for operators.
  • ESET researchers also exposed HybridPetya, a Petya/NotPetya derivative capable of compromising modern UEFI-based systems by installing a malicious EFI application on the EFI System Partition, with one sample able to bypass UEFI Secure Boot on unpatched firmware.

Android NFC threats escalate

  • NFC-based attacks on Android grew 87% in ESET telemetry, with notable upgrades and new campaigns.
  • NGate, first detailed in 2024, added contact stealing to its NFC relay capability, likely groundwork for future fraud.
  • RatOn emerged with a rare blend of RAT features and NFC relay capabilities, highlighting new mobile-fraud avenues.

Investment scams sharpen their edge

  • Nomani scammers improved quality and stealth, using higher-fidelity deepfakes, AI-generated phishing sites, and short-lived ad campaigns to dodge detection.
  • Detections of Nomani scams rose 62% year over year, though the trend eased slightly in H2 2025.

Source
WeLiveSecurity