ESET Threat Report

H1 2025

A view of the 2025 H1 cyber threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts.

Threat Landscape Trends

ClickFix: The New Social Engineering Threat

ESET's detections of ClickFix/FakeCaptcha, which tricks users into running malicious commands via fake error messages, surged by 517% in six months. It now accounts for 8% of blocked attacks and targets Windows, Linux, and macOS with threats like ransomware and spyware.

SnakeStealer Takes the Infostealer Crown

SnakeStealer has overtaken Agent Tesla as the most detected infostealer in H1 2025, stealing passwords, keystrokes, and screenshots. Its detections more than doubled (+111%) compared to H2 2024, and it now represents nearly 20% of all infostealer detections, showing how fast data theft is evolving.

Cracking Down on Infostealers

ESET joined global law enforcement to disrupt Lumma Stealer, which had grown 21% in early 2025, and Danabot, which surged 52% with attacks hitting the US (44%) and Poland (29%). These coordinated efforts have dealt major blows to rising threats.

Android NFC Fraud Explodes

NFC fraud surged over thirty-fivefold from H2 2024 due to new malware variants and relay scams. NGate relays NFC data from payment cards through compromised phones for fraudulent ATM withdrawals, while GhostTap steals card details to load into digital wallets for contactless payments. SuperCard X, which presents itself as a harmless NFC-related app, quietly captures and relays card data for quick payouts.

Kaleidoscope: Novel Adware

Android adware detection rose 160% in H1 2025, with a novel threat called Kaleidoscope accounting for 28%. It uses an "evil twin" trick to relay malware, hitting regions reliant on unofficial apps the hardest.

Frequently asked questions

What can I learn from the ESET Threat Reports?

ESET Threat Reports provide a regular, in-depth overview of the global threat landscape and the main trends and developments shaping it. The statistics and trends presented in the report are based on ESET telemetry data, as interpreted by ESET threat detection and security research and awareness experts. As such, the reports provide unique insights to help defenders navigate the evolving and increasingly complex threat environment.

How often is the ESET Threat Report published?

The ESET Threat Report is released twice yearly, with the H1 issue covering the period from December to May and the H2 issue covering the period from June to November.

What regions does the ESET Threat Report cover?

The ESET Threat Report has a global scope: the core statistics and trends presented in the report are based on global telemetry data from ESET. However, regional developments may be covered in the report's analyses to provide concrete examples of the discussed trends.

How does ESET collect the data presented in the reports?

The threat statistics presented in ESET Threat Reports are based on data collected by ESET’s own detection systems across its range of security products – endpoint, cloud and mobile – and their proprietary, layered technologies. Other sources used in the report’s analyses may include honeypots, external security feeds as well as data from other cybersecurity vendors.

What is unique about ESET Threat Reports when compared with other cyber security providers?

ESET Threat Reports offer in-depth analyses of the latest threat landscape trends, enriched with comments and recommendations by ESET's diverse team of cybersecurity specialists, many of whom are frequent speakers at prestigious industry conferences like RSA, Black Hat and Virus Bulletin, and renowned for their expertise.

With ESET's R&D centers spanning Europe, Asia, and North America, ESET’s analysts provide around-the-clock global coverage, leveraging diverse time zones and locations to address the evolving threat landscape.

Additionally, the reports contain a regular Threat Telemetry section with comprehensive statistics across the monitored threat categories. This data is processed with the honest intention to mitigate bias, in an effort to maximize the value of the information provided. The charts come with calculated differences between the current and previous reporting periods to highlight trend changes.

What is the ESET APT Activity Report and how is it different from the ESET Threat Report?

ESET APT Activity Reports provide an overview of the activities of selected advanced persistent threat (APT) groups investigated and analyzed by ESET Research within the reporting period. APT groups are typically highly sophisticated threat actors, often backed by nation states, engaging in targeted cyberattacks and espionage. In contrast, the Threat Reports focus on widespread cyberthreats, so-called crimeware, that typically aren't targeted in nature and can thus affect anyone.