Artificial intelligence has not replaced ransomware, phishing, or banking trojans. Cybercriminals are incorporating it into techniques that were already effective to produce campaigns more quickly, personalize scams, and adapt malware to different environments. The Threat Report H1 2026 from ESET reflects this evolution and identifies Spain as the third country with the most detections in the company’s telemetry between December 2025 and May 2026.
The key points of AI-assisted cybercrime in 20 seconds
- Spain accounted for 7.43% of ESET detections, behind Japan with 10.15% and Poland with 7.77%.
- Traditional threats still dominate: phishing, ransomware, info stealers, and banking trojans remain, but they now incorporate more automated processes.
- ESET analyzed nearly 900,000 AI agent capabilities, with tens of thousands classified as suspicious and thousands deemed malicious.
- PromptSpy uses Gemini during its operation to interpret Android device interfaces and adjust certain actions.
- Detections related to ClickFix more than doubled compared to the second half of 2025.
- Spain ranks second in quishing, with 17% of global detections recorded by ESET.
- Ransomware is using more specialized tools, including over a hundred programs designed to disable EDR solutions.
The percentages in the report should be interpreted within their context. They do not represent the totality of attacks that occurred in each country, but rather the detections logged by ESET’s products and systems. Nevertheless, they provide insights into trends, allow comparisons across periods, and highlight techniques that are growing among protected users and organizations.
The main message is not that a completely new generation of threats has emerged. The transformation is in how attacks are prepared and executed. Tools that previously required more time, technical expertise, or manual effort can now leverage generative models to craft messages, translate, modify code, target specific victims, or respond to defenses’ changes.
Josep Albors, Head of Research and Awareness at ESET Spain, summarized this evolution during the report presentation: known threats are not being replaced, but are becoming more agile and adaptable. Automation allows criminal groups to test more variants and reduces the time between a defensive measure and the appearance of an alternative.
Spain ranks third worldwide in ESET telemetry, with 7.43% of detections, compared to 10.15% for Japan and 7.77% for Poland. It also holds second place in QR code phishing campaigns, only behind the United States.
Malware begins to use generative models during attacks
In recent years, the most visible application of AI in cybercrime was in social engineering. Attackers could generate emails with fewer errors, adapt tone to specific sectors, or craft messages in languages they didn’t master. ESET’s report shows an additional step: some developers are now integrating generative models directly into malware operations.
PromptSpy is the clearest example. ESET describes it as the first known malware for Android that uses generative AI within its execution flow. The program sends structured information about the device’s screen to Gemini and receives instructions to interact with the interface.
This capability allows it to recognize buttons, menus, and other elements even when they differ between manufacturers or Android versions. Rather than relying solely on fixed coordinates and scripted sequences for a specific device model, it can request the AI system to interpret the screen and indicate where to tap or what gesture to perform.
PromptSpy uses this mechanism to enhance persistence, for example, by monitoring the recent apps list to prevent the user from closing or deleting it. It also features remote control functions via VNC, can take screenshots, log activity, and observe displayed information on the device.
The significance of this discovery needs some nuance. PromptSpy was not distributed through Google Play, and available evidence suggests it was part of a limited or experimental campaign targeting Spanish-speaking users, particularly in Argentina. The model and prompt were embedded within the code, and Gemini was used for specific actions rather than autonomous control of the malware.
ESET acknowledges that such cases remain rare. Technical barriers, query costs, reliance on connectivity, and security controls of the models themselves slow broader adoption. However, PromptSpy is relevant because it shows a possible direction: malware that is less dependent on fixed rules and capable of interpreting visual changes without requiring updates for each device.
The same concern applies to the capabilities used by AI agents. These modules add functions to query services, manipulate files, run commands, or automate processes. While useful for companies and developers, they can also conceal instructions for credential theft, backdoors, or data exfiltration.
ESET analyzed nearly 900,000 capabilities during the studied period, finding tens of thousands of suspicious components and thousands believed to be malicious. An independent investigation published in May examined about 4,000 capabilities from various markets and detected payloads aimed at credential theft, backdoor installation, and data leaks, along with critical flaws in 13.4% of the samples reviewed.
The risk is not only in deploying malicious modules. Legitimate capabilities can be manipulated via web, email, or document instructions, leveraging permissions for malicious actions. Companies should review code, restrict tools, and prevent agents from unrestrained access to credentials, repositories, and internal systems.
Social engineering and ransomware continue to be effective
AI provides speed, but criminals still rely on a known weak point: convincing a person to perform the required action. ClickFix detections more than doubled from the second half of 2025 to the first half of 2026.
These campaigns feature false error messages prompting users to copy commands, open consoles, or follow supposed fixes. Victims think they are solving a CAPTCHA, browser issue, or authentication problem, but in reality, they are installing malware voluntarily.
This method avoids the need to exploit complex technical vulnerabilities. The attacker turns installation instructions into part of the scam, bypassing protections that would block traditional downloads.
ClickFix has also adapted to AI popularity. AI-Fix uses fake tutorials or pages related to installing AI models, apps, or extensions. CrashFix mimics browser errors to direct victims to malicious commands. While the appearance changes, the core mechanism remains: crafting a believable explanation to trick users into executing code.
Quishing exploits similar trust. QR codes hide destination URLs and shift interaction to mobile devices, where full domain verification is harder. Attackers embed these in emails, invoices, documents, posters, or stickers to direct users to fake bank sites, payment platforms, or corporate portals.
Spain accounted for 17% of the quishing detections recorded by ESET, making it second globally. This may be linked to the widespread use of QR codes and mobile services, but telemetry alone cannot confirm that Spain has the second-highest absolute number of victims.
Ransomware also shows no signs of disappearing. Groups are better targeting victims, investigating their financial capacity, and planning system neutralization before encryption. The group The Gentlemen, appearing in 2025, has become highly active, focusing on industrial and tech sectors, especially in Europe.
Their campaigns demonstrate the advanced specialization of ransomware-as-a-service models. Affiliates use tools to move within networks, hide communications, and shorten the window between initial access and encryption. Collectively, they represented about 10% of examined victim samples during certain periods in 2026.
ESET has documented over 100 EDR Killer tools used in real attacks. These aim to disable or interfere with endpoint detection and response programs before deploying ransomware. Some exploit signed, vulnerable drivers, enabling high-privilege operations without building custom components.
At the same time, a smaller proportion of victims pay the ransom. While encouraging, this metric is incomplete—many organizations recover using backups or negotiate privately without disclosing incidents. Others pay ransom to avoid public disclosure of stolen data.
This evolution underscores the need to strengthen defenses beyond installed tools. Organizations should enable phishing-resistant multifactor authentication, network segmentation, isolated backups, privilege controls, behavioral monitoring, and clear incident response plans. Employee training should also evolve, moving away from relying on spelling errors or poor translations as red flags.
AI allows creating more variants and making them more convincing, but it doesn’t make attackers invincible. It also helps defenders classify alerts, identify patterns, and reduce response times. Ultimately, success depends on how well organizations integrate technology into solid processes. Having an AI solution is not enough if shared credentials, unsegmented networks, or accessible backups from compromised systems remain.
FAQs
Is Spain the third country in the world with the most cyberattacks?
The figure refers to detections in ESET’s telemetry from December 2025 to May 2026. Spain accounted for 7.43% of the total recorded by the company, but this does not represent all incidents worldwide.
Does AI now create malware autonomously?
Tools exist to assist in generating or modifying code, and cases like PromptSpy involve querying a model during operation. However, most operations still require planning, infrastructure, and human decisions.
What are malicious capabilities for AI agents?
They are modules that extend an agent’s functions but can include code or instructions aimed at stealing data, installing backdoors, modifying systems, or leveraging agent permissions.
How can organizations reduce this risk?
Limit permissions, review AI modules before deployment, protect credentials, segment networks, maintain isolated backups, and require human confirmation for sensitive or irreversible actions.
via: welivesecurity

