ESET Threat Report

H1 2026

A view of the 2026 H1 cyber threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts.

Threat Landscape Trends

Agentic AI skills: Small tools, big attack surface

Between 03-05/2026, ESET analyzed 900,000 AI skills from popular repositories and found 25,000 suspicious and over 3,000 malicious. Findings included malicious skills using hacking tools such as Mimikatz and Impacket, suspicious self-modifying skills capable of creating persistence mechanisms and benign but ineffective “security” skills that can create a false sense of protection.

ClickFix evolves: AI-fix and CrashFix expand the playbook

ClickFix detections grew by 108% between H2 2025 and H1 2026, as attackers refined the technique across new environments. AI-fix shows how adversaries exploit trust in generative AI, CrashFix uses browser extensions and fake warnings, and ConsentFix combines ClickFix-style interaction with OAuth abuse to hijack cloud accounts without stealing credentials.

Stop before you scan: QR code phishing on the rise

H1 2026 saw record levels of QR code phishing, also known as quishing, as scammers exploited widespread QR code use. ESET telemetry averaged 100,000 detections per month, peaking in April. QR codes appeared in around 11% of detected phishing emails, with most detections in the US, Spain and Mexico.

Ransomware: Mapping the world of EDR killers

ESET Research mapped the EDR killer ecosystem, tracking over 100 tools used to kill, freeze or blind security software during a ransomware attack. Over 60 rely on the Bring Your Own Vulnerable Driver (BYOVD) technique to attack from the kernel. While ransomware attacks kept growing in H1 2026, paying victims dropped to 14–28%. A leak from The Gentlemen gang exposed their in-house EDR killer, GentleKiller.

PromptSpy: The first AI-powered Android malware

H1 2026 brought PromptSpy, the first Android malware observed actively using GenAI at runtime. It showed how GenAI can make malware more dynamic and adaptable across different environments. So far, ESET researchers have not seen other GenAI-powered Android malware, likely due to anti-abuse protections built into LLMs.

Be In The Know.

Read the ESET Threat Report.

Related resources

ESET Research
Podcast

ESET APT Activity Report
Q4 2025-Q1 2026

ESET Threat Report
H2 2025

Explore our service

Actionable Threat Intelligence For Your SOC Teams

Enrich your cyber threat intelligence strategy (CTI) with actionable insights to fortify your organization's defense systems effectively.

Frequently asked questions

What can I learn from the ESET Threat Reports?

ESET Threat Reports provide a regular, in-depth overview of the global threat landscape and the main trends and developments shaping it. The statistics and trends presented in the report are based on ESET telemetry data, as interpreted by ESET threat detection and security research and awareness experts. As such, the reports provide unique insights to help defenders navigate the evolving and increasingly complex threat environment.

How often is ESET Threat Report published?

The ESET Threat Report is released twice yearly, with the H1 issue covering the period from December to May and the H2 issue covering the period from June to November.

What regions does the ESET Threat Report cover?

ESET Threat Report has a global scope – the core statistics and trends presented in the report are based on global telemetry data from ESET. However, regional developments may be covered in the report’s analyses to provide concrete examples of the discussed trends.

How does ESET collect the data presented in the reports?

The threat statistics presented in ESET Threat Reports are based on data collected by ESET’s own detection systems across its range of security products – endpoint, cloud and mobile – and their proprietary, layered technologies. Other sources used in the report’s analyses may include honeypots, external security feeds as well as data from other cybersecurity vendors.

What is unique about ESET Threat Reports when compared with other cyber security providers?

ESET Threat Reports offer in-depth analyses of latest threat landscape trends, enriched with comments and recommendations by ESET’s diverse team of cybersecurity specialists – many of which are frequent speakers at prestigious industry conferences like RSA, Black Hat and Virus Bulletin, and renowned for their expertise.

With ESET's R&D centers spanning Europe, Asia, and North America, ESET’s analysts provide around-the-clock global coverage, leveraging diverse time zones and locations to address the evolving threat landscape.

Additionally, the reports contain a regular Threat Telemetry section with comprehensive statistics across the monitored threat categories. This data is processed with the honest intention to mitigate bias, in an effort to maximize the value of the information provided. The charts come with calculated differences between the current and previous reporting periods to highlight trend changes.

What is the ESET APT Activity Report and how is it different from ESET Threat Report?

ESET APT Activity Reports provide an overview of activities of selected advanced persistent threat (APT) groups investigated and analyzed by ESET Research within the reporting period. APT groups are typically highly sophisticated threat actors, often backed by nation states, engaging in targeted cyberattacks and espionage. In contrast, the Threat Reports focus on widespread cyberthreats – so called crimeware – that typically aren’t targeted in nature and can thus affect anyone.