ESET Threat Report H1 2025
A view of the H1 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts
26 Jun 2025
•
,
2 min. read
From novel social engineering techniques to sophisticated mobile threats and major infostealer disruptions, the threat landscape in the first half of 2025 was anything but boring.
One of the most striking developments this period was the emergence of ClickFix, a new, deceptive attack vector that skyrocketed by over 500% compared to H2 2024 in ESET telemetry. Now the second most common attack vector after phishing, ClickFix manipulates internet users into executing malicious commands under the guise of fixing a fake error. The payloads at the end of ClickFix attacks vary widely – from infostealers to ransomware and even to nation-state malware – making this a versatile and formidable threat across Windows, Linux, and macOS.
The infostealer landscape also saw significant shifts. With Agent Tesla fading into obsolescence, SnakeStealer (also known as Snake Keylogger) surged ahead, becoming the most detected infostealer in our telemetry. Meanwhile, ESET contributed to major disruption operations targeting Lumma Stealer and Danabot, two prolific malware-as-a-service threats.
On the Android front, adware detections soared by 160%, driven largely by a sophisticated new threat dubbed Kaleidoscope. This malware uses a deceptive “evil twin” strategy to distribute malicious apps that bombard users with intrusive ads, degrading device performance. At the same time, NFC-based fraud shot up more than thirty-five-fold, fueled by phishing campaigns and inventive relay techniques. While the overall numbers remain modest, this jump highlights the rapid evolution of the criminals’ methods and their continued focus on exploiting NFC technology. Each new iteration of NFC threats – from NGate to GhostTap, and most recently SuperCard – demonstrates how attackers adapt to new security measures.
The ransomware scene descended (even further) into chaos, with fights between rival ransomware gangs impacting several players including the top ransomware as a service – RansomHub. Yearly data from 2024 shows that while ransomware attacks and the number of active gangs have grown, ransom payments saw a significant drop. This discrepancy may be the result of takedowns and exit scams that reshuffled the ransomware scene in 2024, but also partially due to diminished confidence in the gangs’ ability to keep their side of the bargain.
Follow ESET research on X, Bluesky and Mastodon for regular updates on key trends and top threats.
To learn more about how threat intelligence can enhance the cybersecurity posture of your organization, visit the ESET Threat Intelligence page.
