According to ESET telemetry, threat actors keep finding new ways to exploit #NFC technology: detections surged by 78% compared to H1 2025; however, overall numbers remain low.
#NGate has demonstrated its relevance and is now enhanced with contact-stealing functionality. ESET researchers believe that this feature is designed to lay the groundwork for future attacks.
An NGate-based malware adapted for Brazil, #PhantomCard, targets banking clients via fake #Android apps that claim to improve security and privacy, distributed on pages featuring fabricated positive reviews.
And #RatOn combines RAT-like features with relay functionality, showcasing the determination of threat actors to evolve their methods of compromise. It’s distributed via fraudulent ads and apps, localized to target Czech and Slovak users.
Attackers remain faithful to tried-and-tested methods like #phishing calls and messages, while increasingly relying on psychological manipulation and #social engineering rather than exploiting just the technological aspect of NFC.
Read more about the evolution of the NFC threat landscape in the latest #ESETThreatReport https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf
In 2025, #ESETresearch saw a 62% year-over-year increase in detections of fake investment and snake oil scams – tracked as HTML/Nomani – amounting to hundreds of thousands of detections and over 64,000 unique URLs blocked.
The highest activity was reported from Czechia, Japan, Slovakia, Spain, and Poland. But there’s a silver lining to the yearly detection trend: H2 2025 saw a 37% drop compared to H1, hinting at possible improvement.
New trends seen in Nomani scams include spread to other platforms such as YouTube, better resolution and audio-video sync of deepfakes, and ads and phishing content mirroring trending news and personalities.
Scammers have also shortened campaign lifespans and leveraged user tracking to redirect non-targets to benign cloaking pages. Phishing page templates show signs of AI-generated content – such as checkbox emojis in code comments.
For more insight into these scams, read the dedicated section in the latest #ESETThreatReport https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf
In H2 2025, #ESETresearch saw a thirtyfold increase in #CloudEyE detections, amounting to more than 100,000 hits over the course of six months. CloudEyE is a #MaaS downloader and cryptor used to conceal and deploy other malware, such as #Rescoms, #Formbook, and #AgentTesla.
CloudEyE’s initial stage is a downloader that spreads via #PowerShell scripts, #JavaScript files, and #NSIS executables. These download the next stage – the cryptor component – with the final payload packed within. All of the CloudEyE stages are heavily obfuscated.
Most of the CloudEyE attack attempts we registered in H2 2025 targeted Poland (32%). These attacks were part of a wave of email campaigns in Central and Eastern Europe that ESET observed in September and October 2025.
In order to appear legitimate, the emails deployed in the campaign were often sent from compromised legitimate accounts and localized to the language of the targeted country. They were usually inquiries about invoice payments, package tracking, and purchase orders.
For further information on CloudEyE, cryptors, and more, head on over to the latest #ESETThreatReport: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf
In 2025, #ESETresearch analyzed hundreds of hands-on-keyboard ransomware attacks, mostly hitting manufacturing, construction, retail, technology, and healthcare. Most of these were seen in the US (17%), Spain (5%), and France, Italy, and Canada (4% each).
Publicly reported victim numbers grew by almost 40% YoY (according to ecrime.ch), and we expect to see that growth continue in 2026. #Qilin and #Akira gangs were, and probably will remain, the leading RaaS, but we think #Warlock gang is the one to watch closely.
Warlock, a newcomer operating as a closed group, stands out for its technical skill, with quick adoption of new intrusion techniques and novel attack chains, such as the abuse of vulnerable #Velociraptor chained with VS Code to establish a stealthy remote connection.
Headline-producing vectors such as SIM swaps, vishing, and 0-days will grab media attention in 2026, but most incidents will still start by exploiting weak passwords, unpatched systems, open RDP ports, and edge device vulnerabilities. EDR killers will keep surfacing.
For additional predictions, the most expensive ransomware attack of 2025, or the good news corner, read the whole ransomware section in #ESETThreatReport https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf
In H1 2025, #ESETResearch telemetry recorded a 160% surge in #Android adware & clicker detections. Leading this spike is a colorfully branded threat #Kaleidoscope, responsible for 28% of all Android #adware detections in H1.
Kaleidoscope uses a deceptive #eviltwin technique – mimicking legitimate apps, generating intrusive ads, and tricking advertisers into paying fraudsters for fake views. The ads run in the background, even when the twin app isn’t active, slowing down device performance.
Distributed via third-party app stores or websites, Kaleidoscope has primarily affected users in Latin America, 🇹🇷 Türkiye, 🇪🇬 Egypt, and 🇮🇳 India.
One possible sign of an evil twin app is that its icon appears in a white circle without a label. Tapping it may do nothing except open the App info screen – demonstrating no functionality.
To avoid Kaleidoscope and other threats that use the evil twin technique, download apps only from official app stores, manage app permissions carefully, and be aware of how #eviltwin apps (don’t) work.
Read more about this evolving adware threat in the latest #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025
#ClickFix went from virtually non-existent to the second most common attack vector blocked by #ESET, surpassed only by #phishing. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. #ESETresearch
ClickFix lures users by displaying bogus error messages followed by quick fix instructions, including copy-pasting malicious code. Running the code in the victim’s command line interpreter delivers malware such as #RATs, infostealers, and cryptominers.
Between H2 2024 and H1 2025, ESET’s detection for ClickFix, HTML/FakeCaptcha, skyrocketed by 517%. Most detections in ESET telemetry were reported from Japan (23%), Peru (6%), and Poland, Spain, and Slovakia (>5% each).
What makes #ClickFix so effective? The fake error message looks convincing; instructions are simple, yet the copied command is too technical for most users to understand. Pasting it into cmd leads to compromise with final payloads, including #DarkGate or #LummaStealer.
While #ClickFix was introduced by cybercriminals, it’s since been adopted by APT groups: Kimsuky, Lazarus; Callisto, Sednit; MuddyWater; APT36. NK-aligned actors used it to target developers, steal crypto and passwords from Metamask and #macOS Keychain.
#ClickFix uses psychological manipulation by presenting fake issues and offering quick solutions, which makes it dangerously efficient. It appears in many forms – error popups, email attachments, fake reCAPTCHAs – highlighting the need for greater vigilance online.
Read more in the #ESETThreatReport:
🔗 https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025
In May 2025, #ESET participated in operations that largely disrupted the infrastructure of two notorious infostealers: #LummaStealer and #Danabot.
As part of the Lumma Stealer disruption effort, carried out in conjunction with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, ESET supplied technical analysis and statistical information.
Danabot was targeted by the #FBI and #DCIS, alongside #OperationEndgame led by #Europol and #Eurojust. ESET participated together with several other companies. We provided the analysis of the malware’s backend infrastructure and identified its C&C servers.
Before these takedowns, both infostealers were on the rise: in H1 2025, Lumma Stealer detections grew by 21%, while Danabot’s numbers increased by more than 50%.
For a time, Lumma Stealer was the primary payload of the HTML/FakeCaptcha trojan, used in the #ClickFix social engineering attacks that we also cover in this issue of the #ESETThreatReport. In recent months, we have seen Danabot being delivered via ClickFix as well.
For more details on these two operations and on the ClickFix attacks, read the latest #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025
After years of dominance in #ESET’s top #infostealer statistics, the era of #AgentTesla has come to an end. It finished H1 2025 in fourth place, its numbers having decreased by 57%. The reason? It is no longer under active development.
The threat actors behind Agent Tesla have reportedly lost access to the servers with the malware’s source code. A successor appeared almost immediately – another #MaaS threat, known as #SnakeStealer or #SnakeKeylogger, has claimed the number one spot.
Recommended as a suitable replacement directly in Agent Tesla’s Telegram channel, SnakeStealer now takes up almost a fifth of all infostealer detections registered by ESET telemetry. Between H2 2024 and H1 2025, its detections more than doubled.
If you want to find out more information about this changing of the guard in the infostealer threat landscape, head on over to #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

The threat landscape in H2 2024 was quite tumultuous when it comes to some of the most prominent infostealer threats. One of them, the notorious #RedLine Stealer, finally met its demise after being taken down by law enforcement in #OperationMagnus.

The power vacuum left by RedLine’s takedown will likely lead to a bump in the activity of other #MaaS infostealers – this was already reflected in a dramatic increase in detections for Lumma Stealer and Formbook.

In ESET telemetry data, Formbook replaced Agent Tesla as the No. 1 infostealer after its detections shot up by more than 200%. Despite operating since 2016, this MaaS threat is constantly under development, which explains why it is still used so frequently by cybercriminals.

Meanwhile, Lumma Stealer had a busy period: its numbers skyrocketed by almost 400% between H1 and H2 2024, it made for about 75% of cryptostealer detections, and even reared its ugly head in a campaign targeting players of Hamster Kombat 🐹⚔️, a mobile clicker game.

To read more about the upheaval in the infostealer threat landscape, head on over to the H2 2024 #ESETThreatReport: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22024.pdf

#ESETresearch

With cryptocurrencies reaching record values in H2 2024, cryptocurrency wallet data was one of the prime targets of cybercriminals. In ESET telemetry, this was reflected in a rise in #cryptostealer detections across multiple platforms, specifically Windows, macOS, and Android.

The increase was most dramatic on macOS, where Password Stealing Ware targeting cryptocurrency wallets more than doubled. Windows #cryptostealers grew by 56%, and Android financial threats, targeting banking apps and wallets, grew by 20%.

Read more about threats targeting cryptocurrency wallets on various platforms in the latest #ESETThreatReport from #ESETresearch: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22024.pdf