ESET Threat Report
H1 2026
A view of the 2026 H1 cyber threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts.

H1 2026
A view of the 2026 H1 cyber threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts.

Between 03-05/2026, ESET analyzed 900,000 AI skills from popular repositories and found 25,000 suspicious and over 3,000 malicious. Findings included malicious skills using hacking tools such as Mimikatz and Impacket, suspicious self-modifying skills capable of creating persistence mechanisms and benign but ineffective “security” skills that can create a false sense of protection.


ClickFix detections grew by 108% between H2 2025 and H1 2026, as attackers refined the technique across new environments. AI-fix shows how adversaries exploit trust in generative AI, CrashFix uses browser extensions and fake warnings, and ConsentFix combines ClickFix-style interaction with OAuth abuse to hijack cloud accounts without stealing credentials.
H1 2026 saw record levels of QR code phishing, also known as quishing, as scammers exploited widespread QR code use. ESET telemetry averaged 100,000 detections per month, peaking in April. QR codes appeared in around 11% of detected phishing emails, with most detections in the US, Spain and Mexico.


ESET Research mapped the EDR killer ecosystem, tracking over 100 tools used to kill, freeze or blind security software during a ransomware attack. Over 60 rely on the Bring Your Own Vulnerable Driver (BYOVD) technique to attack from the kernel. While ransomware attacks kept growing in H1 2026, paying victims dropped to 14–28%. A leak from The Gentlemen gang exposed their in-house EDR killer, GentleKiller.
H1 2026 brought PromptSpy, the first Android malware observed actively using GenAI at runtime. It showed how GenAI can make malware more dynamic and adaptable across different environments. So far, ESET researchers have not seen other GenAI-powered Android malware, likely due to anti-abuse protections built into LLMs.

ESET Threat Reports provide a regular, in-depth overview of the global threat landscape and the main trends and developments shaping it. The statistics and trends presented in the report are based on ESET telemetry data, as interpreted by ESET threat detection and security research and awareness experts. As such, the reports provide unique insights to help defenders navigate the evolving and increasingly complex threat environment.
The ESET Threat Report is released twice yearly, with the H1 issue covering the period from December to May and the H2 issue covering the period from June to November.
ESET Threat Report has a global scope – the core statistics and trends presented in the report are based on global telemetry data from ESET. However, regional developments may be covered in the report’s analyses to provide concrete examples of the discussed trends.
The threat statistics presented in ESET Threat Reports are based on data collected by ESET’s own detection systems across its range of security products – endpoint, cloud and mobile – and their proprietary, layered technologies. Other sources used in the report’s analyses may include honeypots, external security feeds as well as data from other cybersecurity vendors.
ESET Threat Reports offer in-depth analyses of latest threat landscape trends, enriched with comments and recommendations by ESET’s diverse team of cybersecurity specialists – many of which are frequent speakers at prestigious industry conferences like RSA, Black Hat and Virus Bulletin, and renowned for their expertise.
With ESET's R&D centers spanning Europe, Asia, and North America, ESET’s analysts provide around-the-clock global coverage, leveraging diverse time zones and locations to address the evolving threat landscape.
Additionally, the reports contain a regular Threat Telemetry section with comprehensive statistics across the monitored threat categories. This data is processed with the honest intention to mitigate bias, in an effort to maximize the value of the information provided. The charts come with calculated differences between the current and previous reporting periods to highlight trend changes.
ESET APT Activity Reports provide an overview of activities of selected advanced persistent threat (APT) groups investigated and analyzed by ESET Research within the reporting period. APT groups are typically highly sophisticated threat actors, often backed by nation states, engaging in targeted cyberattacks and espionage. In contrast, the Threat Reports focus on widespread cyberthreats – so called crimeware – that typically aren’t targeted in nature and can thus affect anyone.