The cybersecurity company ESET has released its Threat Report for the first half of 2025, revealing a concerning rise in new social engineering techniques and advanced threats. The main focus is on ClickFix, an attack vector that has grown by over 500% and now accounts for 8% of all cyberattacks blocked by ESET globally, making it the second most common entry point after phishing.
Unlike traditional vectors, ClickFix uses fake error messages that persuade users to manually copy and execute malicious commands in their system’s terminal or console. This tactic has proven highly effective because it bypasses multiple layers of automated security by directly exploiting human behavior. Moreover, it is a cross-platform threat: it affects Windows, Linux, and macOS systems equally.
“ClickFix represents a paradigm shift in malware delivery: the attack isn’t installed; it’s executed with the manipulated consent of the user,” explains Jiří Kropáč, director of ESET’s threat prevention laboratory. “This allows attackers to deploy a wide range of threats in a matter of seconds.”
SnakeStealer Dominates the Data Theft Malware Scene
Another revealing detail from the report is the shift in leadership among infostealers. While Agent Tesla is declining, SnakeStealer—also known as Snake Keylogger—has become the most detected information theft malware in ESET’s telemetry. Its ability to log keystrokes, extract passwords, capture screenshots, and analyze the clipboard makes it extremely effective for espionage and financial cybercrime.
ESET also actively contributed to the disruption of two global malware-as-a-service operations: Lumma Stealer and Danabot. Before their takedown, both threats had significantly increased their activity, by 21% and 52% respectively. The disruption of these networks is a key victory against the black market for ready-to-use cyber espionage tools.
The Ransomware Ecosystem Faces Internal Crisis
Although the number of ransomware attacks continues to rise, the report reveals a paradox in which ransom payments have decreased significantly. This trend is due to various factors: dismantling operations led by authorities, internal scams, and a growing distrust between victims and criminal groups.
One of the most notable cases is RansomHub, one of the most active ransomware-as-a-service (RaaS) platforms, which has been affected by internal strife and betrayals among affiliates, diminishing its credibility in the underground market.
Mobile Malware Shows No Signs of Slowing Down: Adware and NFC Fraud Surge
In the mobile realm, attacks have also intensified. Adware detections on Android have risen by 160%, driven by Kaleidoscope, a campaign distributing malicious apps disguised as legitimate ones, flooding devices with aggressive ads and slowing down performance.
Meanwhile, NFC-based fraud has increased more than 35-fold, according to ESET’s analysis. These threats have become sophisticated with tools like GhostTap, which enables the cloning of bank cards and loading them onto digital wallets for fraudulent contactless payments. The malware SuperCard X, offered as malware-as-a-service, turns any mobile device into a tool for contactless card theft, facilitating large-scale attacks by organized gangs.
A Semester Marked by the Evolution of Digital Crime
ESET’s Threat Report concludes that the first half of 2025 has been characterized by the adoption of stealthier, manipulative, and automated techniques, many designed to exploit human vulnerabilities and weaknesses in hybrid environments.
“ClickFix, NFC fraud, and the decline in ransomware payments are clear signs that cybercrime is mutating and adapting to the current defensive environment,” warns Kropáč. “Organizations must go beyond traditional solutions and adopt a proactive cyber resilience strategy, focusing on both technology and user education.”
Access the Full Report
The complete report, ESET Threat Report H1 2025, is available at WeLiveSecurity.com and offers detailed analyses by threat type, platform, and region. Additionally, ESET researchers regularly share updates on X (formerly Twitter), BlueSky, and Mastodon.
Source: Security News